GitBait Phishing Campaign Exploits GitHub Pages to Target Mexican Banks

A sophisticated phishing operation known as “GitBait” has been identified targeting Mexico’s financial sector. This campaign leverages GitHub Pages, a trusted platform for hosting web content, to create counterfeit banking portals that closely mimic legitimate sites. Unsuspecting users are deceived into providing sensitive information, including login credentials and payment card details.

Operating covertly for over three years, GitBait has expanded its reach to at least 24 financial institutions in Mexico, encompassing both local and international banks. The campaign’s infrastructure is notably modular, allowing attackers to easily adapt their phishing templates to target new institutions without significant redevelopment.

Analysts at Group-IB have observed that GitBait employs a serverless architecture to exfiltrate stolen data. Credentials entered by victims are transmitted in real time to attacker-controlled Google Sheets via the SheetBest API. In some instances, the campaign also uses Telegram bots to receive stolen information, with bot tokens and chat IDs embedded directly in the phishing page’s JavaScript.

The use of GitHub Pages is particularly concerning due to its inherent trustworthiness and default HTTPS support, which helps the phishing sites evade detection by security tools. The campaign’s operators have registered over 200 domains, each hosting multiple phishing pages under directory paths that resemble legitimate banking services, such as “cancelacion,” “soporte,” and “mbw.” This strategy not only enhances the credibility of the fraudulent sites but also complicates efforts to detect and dismantle the malicious infrastructure.
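The exfiltration and hosting traits described in the two paragraphs above can be turned into a simple triage check over fetched page content. The Python below is an added example, not code from the article or from Group-IB; the Telegram token shape, the sheet.best URL pattern and the sample lure page are assumptions or constructed placeholders, and the GitHub Pages host and the path names are taken from the article.

```python
import re
from dataclasses import dataclass, field

# Telegram bot tokens look like <numeric bot id>:<35-character secret>.
TELEGRAM_TOKEN_RE = re.compile(r"\b(\d{8,10}):[A-Za-z0-9_-]{35}\b")
# Assumption: SheetBest endpoints live under the sheet.best domain (URL shape not given in the article).
SHEETBEST_RE = re.compile(r"https?://[^\s'\"]*sheet\.best/")
PASSWORD_FIELD_RE = re.compile(r"""<input[^>]*type=["']password["']""", re.I)
# Directory names the article reports for the campaign's lure paths.
SUSPECT_SEGMENTS = {"cancelacion", "soporte", "mbw"}

@dataclass
class Finding:
    url: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)

def analyse_page(url: str, body: str) -> Finding:
    """Score one fetched page for GitBait-style hosting and exfiltration traits."""
    finding = Finding(url)
    host, _, path = url.split("://", 1)[-1].partition("/")
    if host.lower().endswith(".github.io"):
        finding.reasons.append("hosted on GitHub Pages")
    for seg in path.lower().split("/"):
        if seg in SUSPECT_SEGMENTS:
            finding.reasons.append(f"suspect path segment '{seg}'")
    if PASSWORD_FIELD_RE.search(body):
        finding.reasons.append("password field present")
    if "api.telegram.org/bot" in body:
        finding.reasons.append("Telegram Bot API referenced")
    for m in TELEGRAM_TOKEN_RE.finditer(body):
        # Record only the bot id so the secret itself never lands in a report.
        finding.reasons.append(f"embedded bot token (bot id {m.group(1)})")
    if SHEETBEST_RE.search(body):
        finding.reasons.append("SheetBest endpoint referenced")
    return finding

# Constructed sample lure page; the token and sheet id are placeholders, not real values.
FAKE_TOKEN = "123456789:AAF" + "x" * 32
SAMPLE_URL = "https://example-lure.github.io/soporte/mbw/index.html"
SAMPLE_PAGE = f"""<form><input name="user"><input type="password" name="pin"></form>
<script>
const TOKEN = "{FAKE_TOKEN}", CHAT_ID = "-1000000000000";
const TG_URL = "https://api.telegram.org/bot" + TOKEN + "/sendMessage";
const SHEET_URL = "https://sheet.best/api/sheets/PLACEHOLDER-SHEET-ID";
</script>"""
```

A page that only scores on the GitHub Pages host is normal open-source hosting; the combination of a password form with an embedded bot token or a spreadsheet endpoint is what merits a takedown request to GitHub and the third-party service.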

Furthermore, the phishing pages are designed to be responsive, ensuring a seamless experience for victims across both desktop and mobile devices. This attention to detail increases the likelihood of successful credential theft.

GitBait’s exploitation of GitHub Pages underscores a growing trend where cybercriminals abuse reputable platforms to host malicious content. This tactic poses significant challenges for detection and mitigation, as traditional security measures may not flag content hosted on trusted domains. Organizations, especially those in the financial sector, must remain vigilant and implement robust security protocols to protect against such sophisticated phishing campaigns.

As cyber threats continue to evolve, it is imperative for both individuals and institutions to stay informed about emerging tactics like those employed in the GitBait campaign. Enhancing user education, deploying advanced threat detection systems, and fostering collaboration between security researchers and platform providers are crucial steps in mitigating the risks associated with these deceptive practices.