A recent phishing operation known as ‘GitBait’ has been identified as a significant threat to Mexico’s financial sector. This campaign has been strategically targeting financial institutions, leveraging the trusted platform of GitHub Pages to deploy fraudulent banking sites that are almost indistinguishable from legitimate ones.
Methodology of the GitBait Campaign
GitBait exploits GitHub Pages, a popular free hosting service, to create deceptive web portals that closely mimic actual banking sites. Visitors, believing the site to be genuine, are prompted to enter sensitive data such as login credentials and payment information. Hosting on GitHub Pages lets the campaign borrow the platform’s reputation and its default HTTPS, which helps the pages pass common reputation and certificate checks.
Group-IB analysts reported that the phishing operation employs a serverless framework, utilizing the SheetBest API to transfer stolen data directly to Google Sheets managed by the attackers. This approach negates the need for traditional backend infrastructure, allowing for quick adaptability and reducing the risk of detection.
Scope and Impact of GitBait
The GitBait campaign has been active for over three years, targeting at least 24 financial institutions in Mexico. This includes both local and international banks operating within the country. The breadth of its operation is evidenced by over 200 domains linked to the campaign, each hosting multiple phishing pages.
The use of modular infrastructure enables threat actors to easily modify phishing templates and expand the campaign’s reach, continually adapting to target new institutions. These phishing pages are carefully optimized for both desktop and mobile interfaces to maximize the potential for victim interaction.
Countermeasures and Security Recommendations
In response to the threats posed by GitBait, Group-IB has reported all known phishing sites and domains to GitHub. Financial institutions are advised to monitor for repositories on GitHub Pages that impersonate their brand, particularly those using naming conventions like ‘brand-soporte’.
To further enhance security, organizations should track unexpected outbound POST requests, particularly those directed to api.sheetbest.com. Implementing behavioral detection systems and real-time transaction alerts can provide an additional layer of protection, even if credentials have been compromised.
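The two monitoring recommendations above can be combined into a single egress-log check. The following is an added illustration, not code from the report or from Group-IB; the log format, the sample lines, the brand token `examplebank`, and the sheet ID `PLACEHOLDER-ID` are all constructed for this example.

```python
from collections import namedtuple
from urllib.parse import urlparse

# Constructed egress-proxy log lines for illustration (not from the report).
# Fields: timestamp, client IP, method, URL, referer ("-" when absent).
SAMPLE_LOG = """\
2024-05-02T10:01:12Z 10.0.4.21 GET https://www.example-bank.mx/login -
2024-05-02T10:01:40Z 10.0.4.21 GET https://examplebank-soporte.github.io/acceso/ -
2024-05-02T10:02:03Z 10.0.4.21 POST https://api.sheetbest.com/sheets/PLACEHOLDER-ID https://examplebank-soporte.github.io/acceso/
2024-05-02T10:03:55Z 10.0.7.9 POST https://www.example-bank.mx/api/session -
"""

WATCHED_BRANDS = ("examplebank",)    # assumed brand tokens; substitute your own
EXFIL_HOSTS = {"api.sheetbest.com"}  # data sink named in the report

Record = namedtuple("Record", "ts client method url referer")


def parse_log(text):
    """Parse whitespace-separated log lines; skip malformed ones."""
    return [Record(*p) for p in (l.split() for l in text.splitlines()) if len(p) == 5]


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_impersonating_pages_host(host):
    """True for '<brand>-soporte.github.io' hosts, the naming the report describes."""
    if not host.endswith(".github.io"):
        return False
    repo = host[: -len(".github.io")]
    return repo.endswith("-soporte") and any(b in repo for b in WATCHED_BRANDS)


def classify(rec):
    """Return the list of reasons a record is suspicious (empty if none)."""
    reasons = []
    if rec.method == "POST" and host_of(rec.url) in EXFIL_HOSTS:
        reasons.append("post_to_sheetbest")
    if any(is_impersonating_pages_host(host_of(u)) for u in (rec.url, rec.referer)):
        reasons.append("brand_soporte_github_pages")
    return reasons


def detect(text):
    """Return (timestamp, client, reasons) for each flagged record."""
    hits = []
    for rec in parse_log(text):
        reasons = classify(rec)
        if reasons:
            hits.append((rec.ts, rec.client, reasons))
    return hits
```

The referer check matters: the credential POST itself goes to the SheetBest relay, so the GitHub Pages host only appears in the referer of that request.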
Sharing threat intelligence with industry peers and regulatory bodies is crucial to fostering a coordinated response to these phishing threats. Such collaboration can accelerate the identification and mitigation of similar cyber threats across the financial sector.
By understanding and addressing the evolving tactics of campaigns like GitBait, financial institutions can better protect themselves and their customers from sophisticated phishing attacks.
