Researchers have uncovered a sophisticated phishing campaign targeting banking customers in Mexico through a highly scalable and resilient attack infrastructure. The operation leverages GitHub Pages to host convincing phishing websites designed to steal login credentials, payment card information, and customer data.
Unlike traditional phishing operations that rely on a small number of malicious domains, this campaign uses a distributed network of GitHub Pages repositories. This approach allows attackers to quickly replace removed pages, maintain operational continuity, and reduce the effectiveness of takedown efforts.
Security researchers observed phishing pages impersonating multiple financial institutions, with customized interfaces optimized for both desktop and mobile users.
Multi-Stage Infrastructure Designed for Scale
At the core of the campaign is a modular phishing kit that enables operators to generate institution-specific phishing pages with minimal effort. Victims are first directed to professionally crafted landing pages that closely mimic legitimate banking portals before being prompted to enter sensitive information.
The attack infrastructure uses client-side scripts to capture submitted data and transmit it to attacker-controlled platforms in real time. Rather than operating traditional command-and-control servers, the threat actors utilize third-party services to collect stolen information, reducing their infrastructure footprint and making detection more challenging.
Researchers also identified the use of obfuscated JavaScript loaded from external sources, allowing attackers to modify payloads and update functionality without altering the visible phishing pages. In some instances, stolen credentials were forwarded directly through Telegram, providing operators with immediate access to harvested data.
Evidence gathered from repository activity suggests the campaign has been actively maintained for more than a year, with continuous updates, infrastructure changes, and deployment improvements. The operation also utilizes automated deployment mechanisms and carefully crafted link previews to increase engagement across messaging and social media platforms.
Abuse of Trusted Platforms Continues to Grow
The campaign highlights a growing trend in which threat actors abuse reputable cloud and hosting services to conduct phishing operations. By leveraging GitHub Pages, attackers benefit from trusted infrastructure, HTTPS encryption, and simplified deployment capabilities, making malicious pages appear more legitimate to potential victims.
Researchers noted that the phishing pages were specifically designed for targeted distribution through channels such as SMS, WhatsApp, Telegram, and social media rather than search engine discovery. This targeted approach helps maximize victim engagement while reducing unwanted visibility.
The findings demonstrate that traditional domain-based blocking and blacklist approaches are becoming less effective against modern phishing operations. As attackers increasingly rely on legitimate platforms to host malicious content, organizations must adopt stronger behavioral detection strategies, continuously monitor for brand impersonation, and improve collaboration across the security community.
The campaign serves as a reminder that phishing remains one of the most effective cybercrime techniques, particularly when combined with trusted platforms and scalable infrastructure designed to withstand disruption.
Indicators of Compromise (IOCs)
| # | Hostname | Count |
|---|---|---|
| 1 | soporte-index25.github[.]io | 2 |
| 2 | soporte-index09.github[.]io | 2 |
| 3 | sntdr-soporte25.github[.]io | 1 |
| 4 | sntdr-soporte25.github[.]io | 1 |
| 5 | 07-soporte.github[.]io | 2 |
| 6 | soporte2507.github[.]io | 2 |
| 7 | soporte160625.github[.]io | 3 |
| 8 | soporte250324.github[.]io | 2 |
| 9 | soporte74.github[.]io | 4 |
| 10 | soporte-bm1.github[.]io | 1 |
| 11 | soporte-r5.github[.]io | 3 |
| 12 | api.sheetbest.com | 2 |
| 13 | soporte0625.github[.]io | 2 |
| 14 | soporte200525.github[.]io | 2 |
| 15 | soporte2650.github[.]io | 1 |
| 16 | soporte-bn1.github[.]io | 1 |
| 17 | soporte-b2.github[.]io | 1 |
| 18 | soporte-index.github[.]io | 2 |
| 19 | soporte-c1.github[.]io | 1 |
| 20 | soporte-b4.github[.]io | 1 |
| 21 | sntndr25-soporte.github[.]io | 2 |
| 22 | sntndr-soporte0825.github[.]io | 2 |
| 23 | 0825-soporte.github[.]io | 2 |
| 24 | soporte-07-25.github[.]io | 2 |
| 25 | soporte-0725.github[.]io | 2 |
| 26 | 0725soporte.github[.]io | 2 |
| 27 | soporte0725-3.github[.]io | 2 |
| 28 | soporte0725.github[.]io | 2 |
| 29 | soporteyatencionf.github[.]io | 2 |
| 30 | 0725-soporte.github[.]io | 2 |
| 31 | soporte-y-atencion.github[.]io | 1 |
| 32 | soporter03.github[.]io | 1 |
| 33 | respaldo94.github[.]io | 2 |
| 34 | soporte-index05.github[.]io | 1 |
| 35 | soporte-b1.github[.]io | 1 |
| 36 | soporte0625.github[.]io | 2 |
| 37 | soporte250324.github[.]io | 2 |
| 38 | fldsmdfr-94.github[.]io | 2 |
| 39 | support-vh.github[.]io | 1 |
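The report's closing point is that domain blocklists alone lag behind a campaign that can spin up fresh GitHub Pages hosts at will, and that defenders need behavioral detection on top of indicator matching. The following script is an added illustration, not code from the researchers or from the campaign: it refangs a subset of the hostnames in the table above, scans constructed DNS resolver log lines for exact IOC hits, applies a naming heuristic derived from the listed hosts (github.io subdomains built around "soporte", "respaldo" or "support") to catch not-yet-listed siblings, and correlates clients that resolved both a suspect page and the third-party collection endpoint. The log format, the allowlisted hostname and the treatment of api.sheetbest.com as the data-collection endpoint are this example's assumptions.

```python
import re
from typing import Dict, List, Optional, Set

# Defanged hostnames copied from the IOC table above (a subset is enough for
# the example; load the full table in production).
IOC_HOSTNAMES_DEFANGED = [
    "soporte-index25.github[.]io",
    "soporte74.github[.]io",
    "respaldo94.github[.]io",
    "fldsmdfr-94.github[.]io",
    "support-vh.github[.]io",
    "api.sheetbest.com",
]

# Assumption for this example: the non-GitHub host in the table is the
# third-party service the report says receives the submitted form data.
COLLECTION_SERVICES = {"api.sheetbest.com"}

# Known-good GitHub Pages hosts your own organization uses (assumed example value).
ALLOWLIST = {"docs-team-example.github.io"}


def refang(hostname: str) -> str:
    """Turn a defanged indicator ('host[.]io') back into a matchable hostname."""
    return hostname.replace("[.]", ".").strip().lower()


IOC_SET = {refang(h) for h in IOC_HOSTNAMES_DEFANGED}

# Heuristic derived from the naming pattern in the table (not a rule from the
# report): flag github.io subdomains that contain one of the recurring keywords,
# so a newly deployed sibling repository is caught before it is added to a list.
SUSPECT_GITHUB_PAGES = re.compile(
    r"^(?=.*(?:soporte|respaldo|support)).*\.github\.io$", re.IGNORECASE
)

# Constructed resolver log lines in a simple key=value format (not real logs).
SAMPLE_LOGS = [
    "2024-06-03T09:12:01Z client=10.0.4.17 qname=soporte74.github.io qtype=A",
    "2024-06-03T09:12:02Z client=10.0.4.17 qname=api.sheetbest.com qtype=A",
    "2024-06-03T09:15:44Z client=10.0.4.23 qname=docs-team-example.github.io qtype=A",
    "2024-06-03T09:16:10Z client=10.0.4.31 qname=soporte-nuevo99.github.io qtype=A",
    "2024-06-03T09:17:00Z client=10.0.4.31 qname=www.example.com qtype=A",
    "malformed line without fields",
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+qname=(?P<qname>\S+)")


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Extract timestamp, client and queried name; return None for lines that do not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def classify_hostname(hostname: str) -> str:
    """Order matters: allowlist first, then exact IOC match, then the naming heuristic."""
    host = hostname.rstrip(".").lower()
    if host in ALLOWLIST:
        return "allowlisted"
    if host in IOC_SET:
        return "ioc_match"
    if SUSPECT_GITHUB_PAGES.match(host):
        return "suspect_pattern"
    return "clean"


def scan_logs(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line whose queried name is an IOC or matches the heuristic."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash the scan
        verdict = classify_hostname(rec["qname"])
        if verdict in ("ioc_match", "suspect_pattern"):
            findings.append({**rec, "verdict": verdict})
    return findings


def clients_with_exfil_pattern(findings: List[Dict[str, str]]) -> Set[str]:
    """Clients that resolved both a suspect GitHub Pages host and a collection service.

    A page visit alone may be a curious user; a visit followed by a lookup of the
    collection endpoint suggests the form was actually submitted.
    """
    page_clients = {f["client"] for f in findings if f["qname"].endswith(".github.io")}
    collector_clients = {f["client"] for f in findings if f["qname"] in COLLECTION_SERVICES}
    return page_clients & collector_clients


if __name__ == "__main__":
    results = scan_logs(SAMPLE_LOGS)
    for f in results:
        print(f"{f['ts']} {f['client']} {f['qname']} -> {f['verdict']}")
    print("clients with page + collector lookups:", clients_with_exfil_pattern(results))
```

Tune the keyword heuristic to your own telemetry before alerting on it: the pattern is cheap and catches the campaign's naming habit, but any user visiting an unrelated GitHub Pages site with "support" in its name would trip it, which is why the allowlist and the page-plus-collector correlation are checked as well.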