Cybersecurity researchers at Keepnet Labs have identified a new Phishing-as-a-Service (PaaS) platform named GhostFrame, which has been used to launch more than one million phishing attacks. The framework provides threat actors with the tools to create and manage large-scale campaigns designed to steal user credentials and financial information.

The operators of the framework, referred to as “GhostNet,” are believed to be Russian-speaking. Analysis of the platform’s infrastructure confirmed that it is hosted on servers located in Russia.

GhostFrame’s Advanced Evasion Capabilities

GhostFrame is built with a modular design and incorporates advanced techniques to evade security detection. A key method involves using iFrames to load malicious content. This allows the outer webpage to appear benign while the inner frame contains the actual phishing form, a tactic designed to bypass security scanners. The framework also leverages legitimate cloud services, including Turnstile and Cloudflare, for anti-bot measures, which adds a layer of authenticity to its phishing pages. The platform is multilingual, with capabilities to launch attacks in English, German, French, and Spanish.

German Bank Targeted in Recent Campaign

In a specific campaign observed in March 2024, GhostFrame was used to target customers of a major German bank. The attack began with phishing emails that employed social engineering tactics, falsely alerting recipients to an unauthorized login attempt on their account. The emails prompted users to click a link to verify their account details. This link directed victims to a phishing page, visually identical to the bank’s legitimate login portal, where JavaScript was used to dynamically load the malicious iFrame to capture credentials.

Source: https://www.infosecurity-magazine.com/news/ghostframe-phishing-hits-one/