Webflow sites used to trick victims into sharing login details

Hackers are building phishing pages with no code through Webflow


Webflow is growing increasingly popular among cybercriminals phishing for cryptocurrency wallet information, login credentials, and more, experts have warned.

A report from Netskope Threat Labs claims that between April and September 2024, it observed a ten-fold increase in traffic to phishing pages created in Webflow.

Webflow is a website builder design and development platform that allows users to visually build responsive websites without coding, while also offering hosting and content management features.

Smash and grab


The goal of the campaign is, first and foremost, to obtain cryptocurrency wallet information. By tricking victims into sharing seed phrases and login credentials for Coinbase, MetaMask, Phantom, Trezor, or Bitbuy, the crooks can gain full control over the wallets and drain them of any funds or NFTs.

Besides crypto wallets, the miscreants were also hunting for credentials for multiple company webmail platforms, as well as Microsoft 365 login credentials.

In total, more than 120 organizations worldwide have been targeted, with the majority located in North America and Asia. Usually, the crooks were going for organizations in financial services, banking, and technology.

“Attackers abuse Webflow in two ways,” Netskope’s researchers claim. “Creating standalone phishing pages and using Webflow pages to redirect victims to phishing pages hosted elsewhere.” The former is more stealth-oriented, since it contains no phishing lines of code, and thus cannot be spotted by usual security scanners. The latter, on the other hand, provides more flexibility and allows for more complex attacks.


Webflow also provided custom publicly accessible subdomains without additional cost, which the crooks happily used.

What makes the phishing sites easy to spot is the way they mimic legitimate pages. Crooks would simply grab a full-screen screenshot of the legitimate app’s homepage, and use that on their own site. Some pages simply redirected people from this image to the actual phishing page hosted elsewhere.

Therefore, if you see that a website’s homepage is not interactive at all, and behaves as a single image, be careful - you’re probably being targeted.
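The tell described above (a homepage that is one screenshot, sometimes wrapped in a link to a page hosted elsewhere) can be checked mechanically. This is an added example, not code from Netskope's report or from TechRadar; the text threshold, the labels and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERACTIVE = {"form", "input", "button", "select", "textarea"}
HIDDEN_TEXT = {"script", "style", "title"}  # not rendered in the page body

class PageShape(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = self.interactive = self.text_chars = 0
        self.image_link_hosts = set()  # hosts of <a href> wrapping an <img>
        self._href_stack = []          # hrefs of the currently open <a> tags
        self._skip = 0                 # depth inside non-rendered elements

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in HIDDEN_TEXT:
            self._skip += 1
        elif tag in INTERACTIVE:
            self.interactive += 1
        elif tag == "a":
            self._href_stack.append(attrs.get("href") or "")
        elif tag == "img":
            self.images += 1
            host = urlparse(self._href_stack[-1]).hostname if self._href_stack else None
            if host:
                self.image_link_hosts.add(host)

    def handle_endtag(self, tag):
        if tag in HIDDEN_TEXT and self._skip:
            self._skip -= 1
        elif tag == "a" and self._href_stack:
            self._href_stack.pop()

    def handle_data(self, data):
        if not self._skip:
            self.text_chars += len(data.strip())

def classify(html, page_url, max_text=40):
    # Assumed heuristic: exactly one image, no form controls, almost no text.
    shape = PageShape()
    shape.feed(html)
    if shape.images != 1 or shape.interactive or shape.text_chars > max_text:
        return "ok"
    external = shape.image_link_hosts - {urlparse(page_url).hostname}
    return "image-redirect" if external else "image-only"

# Constructed sample pages (placeholders, not taken from the report)
STATIC = '<html><head><title>Wallet</title></head><body><img src="home.png"></body></html>'
REDIRECT = '<body><a href="https://login.example.net/start"><img src="home.png"></a></body>'
NORMAL = '<body><h1>Sign in</h1><form><input name="user"><button>Go</button></form><img src="logo.png"></body>'
```

A result of `image-only` or `image-redirect` is a reason to inspect the page manually, not a verdict; legitimate splash pages can have the same shape.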


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
