A phishing campaign has been targeting banking customers across the Philippines since early 2024, continuing its operations well into 2026. This sophisticated effort exploits trusted online platforms to harvest banking credentials and one-time passwords, leading to rapid unauthorized withdrawals from victims’ accounts.
Techniques Used by Cybercriminals
The attackers rely on emails that appear to come from trusted senders, warning recipients of purported unauthorized transactions or suspicious logins. Each message carries a link to a page where the recipient is asked to enter banking details, with the page built to mimic the bank's own login flow and the email styled after genuine banking notifications.
Research conducted by Group-IB CERT has identified this operation under the threat actor label PHISLES. The investigation reveals that since its inception in January 2024, over 900 malicious links have been distributed, impersonating three major Philippine banks and affecting over 400 individuals.
Exploiting Trusted Platforms for Delivery
In 2025, the campaign added a redirect layer: the link in the email points at a trusted platform, which then forwards the victim to the fake banking page. Because the URL a Secure Email Gateway inspects belongs to a reputable domain, the message passes reputation checks that a direct link to the phishing host would fail, and the link looks credible to the recipient, increasing the likelihood that it is opened.
Specifically, Google Business Profile links and Google's AMP CDN were abused to lend the phishing URLs this borrowed credibility. URL shorteners and Cloudflare-managed domains added further indirection, so that neither the user nor an automated scanner could tell the true destination from the link alone.
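The practical consequence of this redirect chain is that the only way to judge such a link is to follow it to the end and look at where the victim actually lands. The script below, added here as an illustration and not code from the article or from Group-IB, does that offline: it unwraps the two real Google AMP URL formats (the `www.google.com/amp/s/<host>/<path>` viewer form and the `<host>.cdn.ampproject.org/c/s/<host>/<path>` cache form), walks a table of HTTP redirects, and labels each intermediary. Every hostname, path and redirect in it is constructed for the example (the `.example` TLD is reserved), and the shortener list is an assumption, not a campaign indicator.

```python
"""Offline redirect-chain unwrapper for phishing links routed through trusted
intermediaries. Added example, not code from the article or from Group-IB;
every hostname, path and redirect below is constructed for illustration and
is not a real campaign indicator."""
from urllib.parse import unquote, urlsplit

# Shortener hosts to label in the chain (assumed list, extend as needed).
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "rb.gy"}


def unwrap_amp(url):
    """Return the origin URL wrapped by a Google AMP viewer or AMP cache URL, else None.

    Real formats handled:
      https://www.google.com/amp/s/<host>/<path>                       (AMP viewer)
      https://<host-with-dashes>.cdn.ampproject.org/c/s/<host>/<path>  (AMP cache)
    The 's/' segment marks an https origin; without it the origin is http.
    Query strings on the wrapper are ignored here.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path
    if (host == "google.com" or host.endswith(".google.com")) and path.startswith("/amp/"):
        rest = path[len("/amp/"):]
    elif host.endswith(".cdn.ampproject.org") and path.startswith("/c/"):
        rest = path[len("/c/"):]
    else:
        return None
    scheme = "http"
    if rest.startswith("s/"):
        scheme, rest = "https", rest[2:]
    rest = unquote(rest)
    return f"{scheme}://{rest}" if rest else None


def resolve_chain(url, redirects, max_hops=10):
    """Follow AMP unwraps and HTTP redirects without touching the network.

    `redirects` maps a URL to the Location header it answers with. Here it is a
    constructed table; in production it would be filled by fetching each hop
    from a sandboxed host. Stops on a loop or after max_hops.
    """
    hops = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = unwrap_amp(hops[-1]) or redirects.get(hops[-1])
        if nxt is None or nxt in seen:
            break
        hops.append(nxt)
        seen.add(nxt)
    return hops


def analyze(url, redirects):
    """Label each intermediary and report the host the victim actually lands on."""
    hops = resolve_chain(url, redirects)
    labels = []
    for hop in hops[:-1]:
        host = (urlsplit(hop).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            labels.append("url-shortener")
        elif unwrap_amp(hop):
            labels.append("google-amp")
        else:
            labels.append("redirect")
    return {
        "final_host": urlsplit(hops[-1]).hostname,
        "hops": hops,
        "intermediaries": labels,
    }


# Constructed chain: shortener -> Google AMP viewer -> attacker host -> landing page.
# A gateway scanning the email only sees bit.ly / google.com; the credential
# form lives on the last hop.
SAMPLE_REDIRECTS = {
    "https://bit.ly/3xYzAbc": "https://www.google.com/amp/s/notice-bankph.example/alert",
    "https://notice-bankph.example/alert": "https://verify-account.example/login",
}

if __name__ == "__main__":
    report = analyze("https://bit.ly/3xYzAbc", SAMPLE_REDIRECTS)
    for hop, label in zip(report["hops"], report["intermediaries"] + ["landing-page"]):
        print(f"{label:14} {hop}")
```

The point of reporting `final_host` rather than the first hop is that reputation checks on the email link itself are exactly what the intermediaries are chosen to defeat; a gateway or SOC tool that detonates the link and records the landing host has something meaningful to compare against the bank's real domains. The AMP unwrapping needs no network at all, since the origin host is encoded in the path.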
Impact and Recommendations
The campaign's persistence is partly due to its use of compromised email accounts obtained from combolists sold on dark web forums. Mail sent from a genuine, established mailbox passes the sending domain's SPF and DKIM checks and inherits that domain's reputation, so it is far less likely to be stopped by spam filters than mail from a freshly registered domain. Attackers have also hijacked domains of legitimate institutions and added subdomains under them for phishing, leaving the institution's normal services untouched so that the misuse is not noticed.
To protect themselves, banking customers should treat urgent emails with caution, verify the URL shown in the browser's address bar before entering credentials rather than trusting the link text, and regularly update passwords. Financial institutions are urged to alert customers about ongoing scams and to implement measures that detect unauthorized account access. Educational institutions, whose domains have been misused in this way, should enforce multi-factor authentication and audit their DNS records for entries they did not create.
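Auditing DNS records for entries an institution did not create is a mechanical comparison against a known-good baseline, and it catches both forms of misuse described above: a new subdomain pointed at attacker infrastructure and an existing record repointed elsewhere. The script below is an added example, not code from the article or from Group-IB; it parses a BIND-style zone export, diffs it against an approved set of records, and marks delegating records (CNAME, NS, MX) whose target lies outside the zone. The zone text, baseline and domain names are all constructed (the `.example` TLD is reserved) and the export is assumed to use fully qualified names.

```python
"""Baseline audit of a DNS zone export, flagging records an institution did
not create. Added example, not code from the article or Group-IB; the zone
text, baseline and domain names below are constructed (the .example TLD is
reserved) and stand in for a real zone export."""


def _fqdn(name):
    """Lower-case and make absolute; the export is assumed to use fully qualified names."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def _in_zone(target, apex):
    """True if target is the apex itself or lies beneath it."""
    target, apex = _fqdn(target), _fqdn(apex)
    return target == apex or target.endswith("." + apex)


def parse_zone(text):
    """Parse BIND-style lines 'name ttl class type rdata' into (name, type, rdata) triples.

    Comments (';'), blank lines and $-directives are skipped; multi-line records
    in parentheses are out of scope for this example.
    """
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue
        name, _ttl, _cls, rtype, rdata = fields
        records.append((_fqdn(name), rtype.upper(), rdata.strip()))
    return records


def audit_zone(zone_text, baseline, apex):
    """Compare a live zone against an approved baseline of (name, type, rdata).

    A record absent from the baseline is 'new' (an added subdomain) or 'changed'
    (same name and type, different data, e.g. an A record repointed). Delegating
    record types whose target lies outside the zone are marked separately,
    since a CNAME to a third-party host is how a hijacked subdomain usually
    ends up serving someone else's content.
    """
    known = {(n, t) for n, t, _ in baseline}
    findings = []
    for name, rtype, rdata in parse_zone(zone_text):
        if (name, rtype, rdata) in baseline:
            continue
        target = rdata.split()[-1]
        findings.append({
            "name": name,
            "type": rtype,
            "rdata": rdata,
            "kind": "changed" if (name, rtype) in known else "new",
            "points_outside_zone": rtype in ("CNAME", "NS", "MX") and not _in_zone(target, apex),
        })
    return findings


# Constructed baseline: what the institution knows it published.
BASELINE = {
    ("www.uni.example.", "A", "192.0.2.10"),
    ("mail.uni.example.", "A", "192.0.2.25"),
    ("uni.example.", "MX", "10 mail.uni.example."),
}

# Constructed current export: the mail host has been repointed and a
# subdomain now CNAMEs to a host the institution does not control.
CURRENT_ZONE = """\
$ORIGIN uni.example.
; constructed zone export
www.uni.example.           3600 IN A     192.0.2.10
mail.uni.example.          3600 IN A     198.51.100.7
uni.example.               3600 IN MX    10 mail.uni.example.
secure-login.uni.example.   300 IN CNAME phish-front.cdn.example.
"""

if __name__ == "__main__":
    for f in audit_zone(CURRENT_ZONE, BASELINE, "uni.example."):
        flag = " (target outside zone)" if f["points_outside_zone"] else ""
        print(f'{f["kind"]:8}{f["type"]:6}{f["name"]} -> {f["rdata"]}{flag}')
```

Run against a nightly export of the authoritative zone (or the registrar's or DNS provider's API output), the baseline is simply the previous reviewed export; anything reported as `new` or `changed` that nobody in the organisation can account for is the signal that registrar or DNS-provider credentials may have been compromised, which is where the multi-factor authentication recommendation above applies.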
By staying informed and vigilant, both individuals and organizations can mitigate the risks posed by such sophisticated phishing campaigns.
