Industry News & Leadership · Jun 17, 2026

GitBait Phishing Campaign Abuses GitHub Pages to Attack Financial Institutions

Source: Cybersecurity News · Archived Jun 17, 2026




By Tushar Subhra Dutta, June 17, 2026

A sophisticated phishing campaign called “GitBait” has been caught targeting Mexico’s financial sector with a level of precision rarely seen in credential-theft operations. The campaign abuses GitHub Pages, a widely trusted free hosting service, to deliver fake banking portals that look nearly identical to the real thing. Victims who land on these pages are tricked into handing over their login credentials, payment card details, and other sensitive information without ever suspecting anything is wrong.

What makes GitBait particularly alarming is how long it has been running. Historical infrastructure tracking suggests the campaign has been active for over three years, quietly evolving and expanding its target list the entire time. The operation has targeted at least 24 financial institutions in Mexico, including both local banks and foreign institutions with a presence in the country.

Analysts at Group-IB identified the campaign and noted it is built on a fully serverless architecture, routing stolen credentials through SheetBest, a third-party API service, directly into attacker-controlled Google Sheets in real time. Group-IB said in a report shared with Cyber Security News (CSN) that the infrastructure behind GitBait is modular, allowing threat actors to swap phishing templates and target new institutions without rebuilding their setup from scratch.

[Figure: Examples of impersonation landing pages targeting financial institutions (Source – Group-IB)]

Over 200 domains have been tied to this campaign, each hosting multiple phishing pages under directory paths such as “cancelacion,” “soporte,” and “mbw,” which mimic legitimate banking service categories. These paths also help the operation evade automated detection systems that rely on known malicious domain lists. The phishing pages are optimized for both desktop and mobile screens, reflecting a deliberate effort to maximize victim interaction across all devices.

The credential harvesting scheme operates without a traditional command-and-control server. In at least one observed case, an alternative method was also used, sending victim data in real time to a Telegram bot with hardcoded tokens and chat IDs embedded in the page’s JavaScript. Commit history across multiple GitHub repositories confirms ongoing maintenance by what appears to be a collaborative and actively managed group of operators.

GitBait Phishing Campaign Abuses GitHub Pages

The heart of the GitBait operation lies in how it exploits GitHub Pages to host phishing content. GitHub Pages carries a trusted reputation and comes with HTTPS coverage by default, meaning most automated security tools do not flag it as suspicious.

[Figure: Script intercepts credentials and exfiltrates them via SheetBest API endpoint (Source – Group-IB)]

Threat actors leverage this trust to deploy phishing pages that pass standard blocklist checks while landing directly in front of their targets. Each repository contains duplicated phishing content under different directory paths, making takedowns difficult since removing one path does not eliminate the others. The phishing kit includes an internal campaign selector that operators use to choose which bank to impersonate and generate a matching fraudulent URL. Impersonation landing pages replicate the visual identity, layout, and navigation of legitimate banking portals, building a false sense of trust before victims are sent to credential-harvesting forms. Those forms collect usernames, passwords, customer IDs, and payment card details through a multi-stage flow designed to mirror a real online banking session.
Centralized Credential Theft Through SheetBest API

Once a victim submits their information, client-side JavaScript intercepts the form submission before the browser processes it. The stolen data is serialized into JSON and sent via a POST request to the SheetBest API, routing it directly into an attacker-controlled Google Sheet. This serverless model eliminates the need for dedicated backend infrastructure, lowering operational costs and making attribution far more difficult.

[Figure: Hardcoded Telegram bot token and chat ID (Source – Group-IB)]

Group-IB has reported all identified phishing pages and domains to GitHub. Financial institutions are urged to proactively monitor for GitHub Pages repositories impersonating their brand using naming patterns like “brand-soporte” or “brand-cancelacion”. Organizations should also track unexpected outbound POST requests to api.sheetbest.com from user-facing web sessions. Implementing behavioral detection and real-time transaction alerts can protect customers even if credentials are already compromised. Sharing threat intelligence with peers and regulators is strongly encouraged to accelerate coordinated response across the financial sector.
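The two detection recommendations above (watch for brand-plus-“soporte” style GitHub Pages names, and for outbound POSTs to api.sheetbest.com from user sessions) can be turned into a small triage script. The following is an added example written for this archive, not code from Group-IB or Cyber Security News: the brand names, the proxy-log format, the sample log lines, the placeholder SheetBest path and the placeholder Telegram token are all constructed. It goes slightly beyond the article’s two name patterns by also flagging the un-hyphenated and reversed forms that appear in the IoC list (gnilsoporte, gnil-soporte, support-gh), and it adds a page-source check for the hardcoded SheetBest endpoint and Telegram bot token the report describes.

```python
import re
from urllib.parse import urlsplit

# Hypothetical brand names a bank would replace with its own (constructed for this example).
BRANDS = ("examplebank", "exbk")

# Support-style words the kit uses in repository names, per the article (“soporte”,
# “cancelacion”) and its IoC list (“respaldo”, “support”).
LURE_WORDS = ("soporte", "cancelacion", "support", "respaldo")

# Third-party services the article reports receiving harvested data.
EXFIL_HOSTS = {"api.sheetbest.com", "api.telegram.org"}


def classify_pages_host(host: str, brands=BRANDS):
    """Classify a *.github.io hostname: 'brand-impersonation' when it pairs a brand with a
    lure word, 'support-lure-name' when it only carries a lure word, otherwise None."""
    label = host.lower().rstrip(".")
    if not label.endswith(".github.io"):
        return None
    label = label[: -len(".github.io")]
    has_lure = any(w in label for w in LURE_WORDS)
    has_brand = any(b in label for b in brands)
    if has_brand and has_lure:
        return "brand-impersonation"
    if has_lure:
        return "support-lure-name"
    return None


# Constructed web-proxy log lines (not from the article): timestamp client method url status.
SAMPLE_PROXY_LOG = """\
2026-06-17T10:01:02Z 10.0.0.21 GET https://www.examplebank.example/login 200
2026-06-17T10:01:09Z 10.0.0.21 GET https://examplebank-soporte.github.io/mbw/index.html 200
2026-06-17T10:01:31Z 10.0.0.21 POST https://api.sheetbest.com/PLACEHOLDER-SHEET-PATH 200
2026-06-17T10:02:10Z 10.0.0.34 GET https://api.sheetbest.com/docs 200
2026-06-17T10:02:44Z 10.0.0.34 POST https://www.examplebank.example/api/transfer 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def flag_proxy_log(log_text: str):
    """Return (client, host, reason) alerts for lure-named GitHub Pages hosts and for
    POST requests to the exfiltration services named in the article."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        host = urlsplit(m["url"]).hostname or ""
        reason = classify_pages_host(host)
        if reason:
            alerts.append((m["client"], host, reason))
        if m["method"] == "POST" and host in EXFIL_HOSTS:
            alerts.append((m["client"], host, "post-to-exfil-service"))
    return alerts


def victims_by_correlation(alerts):
    """Clients that both visited a lure host and POSTed to an exfil service: the
    combination, not either event alone, is the credential-theft signal to act on."""
    visited = {c for c, _, r in alerts if r != "post-to-exfil-service"}
    posted = {c for c, _, r in alerts if r == "post-to-exfil-service"}
    return sorted(visited & posted)


# Kit fingerprints in fetched page source: a SheetBest endpoint, or a Telegram Bot API URL
# carrying an embedded bot token (the article notes both were hardcoded in page JavaScript).
SHEETBEST_RE = re.compile(r'''https?://api\.sheetbest\.com/[^\s"'<>]*''')
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot\d{6,}:[A-Za-z0-9_-]{20,}")

# Constructed page fragment with placeholder values only; it captures no form data.
SAMPLE_PAGE_SOURCE = """<script>
const EXFIL = "https://api.sheetbest.com/PLACEHOLDER-SHEET-PATH";
const TG = "https://api.telegram.org/bot000000000:PLACEHOLDERTOKENxxxxxxxxxxxxxxxx/sendMessage";
</script>"""


def scan_page_source(html: str) -> dict:
    """Report SheetBest endpoints found and whether a hardcoded Telegram bot token is present."""
    return {
        "sheetbest_endpoints": SHEETBEST_RE.findall(html),
        "telegram_bot_token_present": TELEGRAM_BOT_RE.search(html) is not None,
    }


if __name__ == "__main__":
    found = flag_proxy_log(SAMPLE_PROXY_LOG)
    for alert in found:
        print("ALERT", *alert)
    print("correlated clients:", victims_by_correlation(found))
    print(scan_page_source(SAMPLE_PAGE_SOURCE))
```

A GET to api.sheetbest.com on its own (line four of the sample log) is deliberately not alerted on, since the service has legitimate users; the POST from a browser session that moments earlier loaded a lure-named github.io page is what a SOC should page on. Brand teams can run classify_pages_host over a GitHub search of repository names, while the page-source scanner is meant for URLs already pulled into a sandbox or takedown queue.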
Indicators of Compromise (IoCs):

Type | Indicator | Description
Domain | soporte-index.github[.]io | GitHub Pages phishing domain
Domain | soporte-index69.github[.]io | GitHub Pages phishing domain
Domain | sntdr-soporte.github[.]io | GitHub Pages phishing domain
Domain | v9-soporte.github[.]io | GitHub Pages phishing domain
Domain | soporte169.github[.]io | GitHub Pages phishing domain
Domain | soporte1505.github[.]io | GitHub Pages phishing domain
Domain | soporte16032k.github[.]io | GitHub Pages phishing domain
Domain | soporte96.github[.]io | GitHub Pages phishing domain
Domain | soporte-bmw.github[.]io | GitHub Pages phishing domain
Domain | soporte-r2.github[.]io | GitHub Pages phishing domain
Domain | api.sheetbest[.]com | SheetBest API used for credential exfiltration
Domain | soporte5014.github[.]io | GitHub Pages phishing domain
Domain | soporte15052014.github[.]io | GitHub Pages phishing domain
Domain | soporte20032k.github[.]io | GitHub Pages phishing domain
Domain | soporte250.github[.]io | GitHub Pages phishing domain
Domain | soporte-bnw.github[.]io | GitHub Pages phishing domain
Domain | fldsmdrc-95.github[.]io | GitHub Pages phishing domain
Domain | soporte-bx.github[.]io | GitHub Pages phishing domain
Domain | soporte-cw.github[.]io | GitHub Pages phishing domain
Domain | soporte-bk.github[.]io | GitHub Pages phishing domain
Domain | sntdrsoporte-jatencionf.github[.]io | GitHub Pages phishing domain
Domain | soporte-jatencionf.github[.]io | GitHub Pages phishing domain
Domain | soporte-j-atencion.github[.]io | GitHub Pages phishing domain
Domain | soporte-bh.github[.]io | GitHub Pages phishing domain
Domain | respaldo95.github[.]io | GitHub Pages phishing domain
Domain | soporte-indexg1.github[.]io | GitHub Pages phishing domain
Domain | gnilsoporte.github[.]io | GitHub Pages phishing domain
Domain | soporte-gn-il.github[.]io | GitHub Pages phishing domain
Domain | soporte-gnil.github[.]io | GitHub Pages phishing domain
Domain | goil-soporte.github[.]io | GitHub Pages phishing domain
Domain | gnil-soporte.github[.]io | GitHub Pages phishing domain
Domain | soporte-sh.github[.]io | GitHub Pages phishing domain
Domain | soportecgj.github[.]io | GitHub Pages phishing domain
Domain | support-gh.github[.]io | GitHub Pages phishing domain
IP Address | 176.97.214[.]92 | Remote address for SheetBest API credential submission
Operator Account | ss-soporte (GitHub), rronromoBgmail[.]com | Initial repository setup and base infrastructure creation
Operator Account | ce-soporte (GitHub), jejcgsbsbs Bgmail[.]com | Activation of GitHub Pages hosting
Operator Account | soporte-swjejcgsbsbsBgmail[.]com (GitHub) | Addition of new institution templates and removal of others
Operator Account | soporte-BRAND-NAMEB-soperte (GitHub), hig3naarool101Bgmail[.]com | Updates to credential harvesting pages
File Hash (CSS) | sha256 bootstrap v5.3.0-alpha1 CSS SHA256 hash (see report) | Bootstrap CSS SRI hash used across phishing pages
File Hash (JS) | sha256 bootstrap v5.3.0-alpha1 JS SHA256 hash (see report) | Bootstrap JS SRI hash used across phishing pages

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.