THE GitBait phishing campaign targets at least 12 financial institutions in Mexico, utilizing GitHub Pages and the SheetBest API to harvest banking credentials. Unattributed financially motivated operators have been active for approximately three years, leveraging over 100 domains to create cloned bank login pages that deceive victims into entering personal information.
The campaign's operation involves sending fraudulent links via SMS and social media to direct victims to these lookalike pages, where data is intercepted in real time and stored in Google Sheets. Despite extensive activity, no arrests have been made, and Group-IB emphasizes the need for banks to adopt advanced security measures like behavioral detection.