{"id":13703,"date":"2026-06-18T10:03:47","date_gmt":"2026-06-18T10:03:47","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/18\/gitbait-phishing-campaign-abuses-github-pages-to-attack-financial-institutions\/"},"modified":"2026-06-18T10:03:47","modified_gmt":"2026-06-18T10:03:47","slug":"gitbait-phishing-campaign-abuses-github-pages-to-attack-financial-institutions","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/18\/gitbait-phishing-campaign-abuses-github-pages-to-attack-financial-institutions\/","title":{"rendered":"GitBait Phishing Campaign Abuses GitHub Pages to Attack Financial Institutions"},"content":{"rendered":"

GitBait Phishing Campaign Abuses GitHub Pages to Attack Financial Institutions
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A sophisticated phishing campaign called \u201cGitBait\u201d has been caught targeting Mexico\u2019s financial sector with a level of precision rarely seen in credential-theft operations. <\/p>\n

The campaign abuses GitHub Pages, a widely trusted free hosting service, to deliver fake banking portals that look nearly identical to the real thing. <\/p>\n

Victims who land on these pages are tricked into handing over their login credentials, payment card details, and other sensitive information without ever suspecting anything is wrong.<\/a><\/p>\n

What makes GitBait particularly alarming is how long it has been running. Historical infrastructure tracking suggests the campaign has been active for over three years, quietly evolving and expanding its target list the entire time. <\/p>\n

The operation has targeted at least 24 financial institutions in Mexico, including both local banks and foreign institutions with a presence in the country.<\/a><\/p>\n

Analysts at Group-IB identified the campaign and noted it is built on a fully serverless architecture, routing stolen credentials through SheetBest, a third-party API service, directly into attacker-controlled Google Sheets in real time. <\/p>\n

Group-IB said in a\u00a0report\u00a0<\/a>shared with Cyber Security News (CSN) that the infrastructure behind GitBait is modular, allowing threat actors to swap phishing templates and target new institutions without rebuilding their setup from scratch.<\/p>\n

\n
\"Examples
Examples of impersonation landing pages targeting financial institutions (Source \u2013 Group-IB)<\/figcaption><\/figure>\n<\/div>\n

Over 200 domains have been tied to this campaign, each hosting multiple phishing pages under directory paths such as \u201ccancelacion,\u201d \u201csoporte,\u201d and \u201cmbw,\u201d which mimic legitimate banking service categories. <\/p>\n

These paths also help the operation evade automated detection systems that rely on known malicious domain lists. <\/p>\n

The phishing pages are optimized for both desktop and mobile screens, reflecting a deliberate effort to maximize victim interaction across all devices. <\/a>The credential harvesting scheme operates<\/a> without a traditional command-and-control server. <\/p>\n

In at least one observed case, an alternative method was also used, sending victim data in real time to a Telegram bot with hardcoded tokens and chat IDs embedded in the page\u2019s JavaScript. <\/p>\n

Commit history across multiple GitHub repositories confirms ongoing maintenance by what appears to be a collaborative and actively managed group of operators.<\/a><\/p>\n

GitBait Phishing Campaign Abuses GitHub Pages<\/strong><\/h2>\n

The heart of the GitBait operation lies in how it exploits GitHub Pages to host phishing content. GitHub Pages carries a trusted reputation and comes with HTTPS coverage by default, meaning most automated security tools do not flag it as suspicious. <\/p>\n

\n
\"Script
Script intercepts credentials and exfiltrates them via SheetBest API endpoint (Source \u2013 Group-IB)<\/figcaption><\/figure>\n<\/div>\n

Threat actors leverage this trust to deploy phishing pages that pass standard blocklist checks while landing directly in front of their targets. <\/p>\n

Each repository contains duplicated phishing content under different directory paths, making takedowns difficult since removing one path does not eliminate the others.<\/a><\/p>\n

The phishing kit includes an internal campaign selector that operators use<\/a> to choose which bank to impersonate and generate a matching fraudulent URL. <\/p>\n

Impersonation landing pages replicate the visual identity, layout, and navigation of legitimate banking portals, building a false sense of trust before victims are sent to credential-harvesting forms. <\/p>\n

Those forms collect usernames, passwords, customer IDs, and payment card details through a multi-stage flow designed to mirror a real online banking session.<\/a><\/p>\n

Centralized Credential Theft Through SheetBest API<\/strong><\/h2>\n

Once a victim submits their information, a client-side JavaScript intercepts the form submission before the browser processes it. <\/p>\n

The stolen data is serialized into JSON and sent via a POST request to the SheetBest API, routing it directly into an attacker-controlled Google Sheet. <\/p>\n

This serverless model eliminates the need for dedicated backend infrastructure, lowering operational costs and making attribution far more difficult.<\/p>\n

\n
\"Hardcoded
Hardcoded Telegram bot token and chat ID (Source \u2013 Group-IB)<\/figcaption><\/figure>\n<\/div>\n

Group-IB has reported all identified phishing pages and domains to GitHub. Financial institutions are urged to proactively monitor for GitHub Pages repositories impersonating their brand using naming patterns like \u201cbrand-soporte\u201d or \u201cbrand-cancelacion\u201d. <\/p>\n

Organizations should also track unexpected outbound POST requests to api.sheetbest.com from user-facing web sessions. Implementing behavioral detection and real-time transaction alerts<\/a> can protect customers even if credentials are already compromised. <\/p>\n

Sharing threat intelligence with peers and regulators is strongly encouraged to accelerate coordinated response across the financial sector.<\/a><\/p>\n

Indicators of Compromise (IoCs):-<\/strong><\/p>\n

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Type<\/th>\nIndicator<\/th>\nDescription<\/th>\n<\/tr>\n<\/thead>\n
Domain<\/td>\nsoporte-index.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte-index69.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsntdr-soporte.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nv9-soporte.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte169.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte1505.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte16032k.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte96.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte-bmw.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte-r2.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\napi.sheetbest[.]com<\/td>\nSheetBest API used for credential exfiltration<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte5014.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte15052014.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte20032k.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte250.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte-index69.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte-bnw.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nfldsmdrc-95.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte-bx.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte-index.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte-cw.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte-bk.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsntdrsoporte-jatencionf.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte-jatencionf.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte-j-atencion.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte-bh.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nrespaldo95.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte-indexg1.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\ngnilsoporte.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte-gn-il.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte-gnil.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\ngoil-soporte.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\ngnil-soporte.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoporte-sh.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsoportecgj.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
Domain<\/td>\nsupport-gh.github[.]io<\/td>\nGitHub Pages phishing domain<\/td>\n<\/tr>\n
IP Address<\/td>\n176.97.214[.]92<\/td>\nRemote address for SheetBest API credential submission<\/td>\n<\/tr>\n
Operator Account<\/td>\nss-soporte (GitHub)<\/td>\nrronromoBgmail[.]com \u2014 Initial repository setup and base infrastructure creation<\/td>\n<\/tr>\n
Operator Account<\/td>\nce-soporte (GitHub)<\/td>\njejcgsbsbs Bgmail[.]com \u2014 Activation of GitHub Pages hosting<\/td>\n<\/tr>\n
Operator Account<\/td>\nsoporte-swjejcgsbsbsBgmail[.]com (GitHub)<\/td>\nAddition of new institution templates and removal of others<\/td>\n<\/tr>\n
Operator Account<\/td>\nsoporte-BRAND-NAMEB-soperte (GitHub)<\/td>\nhig3naarool101Bgmail[.]com \u2014 Updates to credential harvesting pages<\/td>\n<\/tr>\n
File Hash (CSS)<\/td>\nsha256 bootstrap v5.3.0-alpha1 CSS SHA256 hash (see report)<\/td>\nBootstrap CSS SRI hash used across phishing pages<\/td>\n<\/tr>\n
File Hash (JS)<\/td>\nsha256 bootstrap v5.3.0-alpha1 JS SHA256 hash (see report)<\/td>\nBootstrap JS SRI hash used across phishing pages<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Note:<\/strong>\u00a0IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em>[.]<\/em><\/code>) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n

Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in<\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong> Google<\/a><\/strong><\/strong>.<\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/p>\n

The post GitBait Phishing Campaign Abuses GitHub Pages to Attack Financial Institutions<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Tushar Subhra Dutta
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

GitBait Phishing Campaign Abuses GitHub Pages to Attack Financial Institutions A sophisticated phishing campaign called \u201cGitBait\u201d has been caught targeting Mexico\u2019s financial sector with a level of precision rarely seen in credential-theft operations. The campaign abuses GitHub Pages, a widely trusted free hosting service, to deliver fake banking portals that look nearly identical to the […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-13703","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13703"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13703"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13703\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13703"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13703"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13703"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}