A phishing operation called GitBait has been targeting customers of Mexican banks, using GitHub Pages and the cloud service SheetBest to avoid traditional server infrastructure. Over the last three years, the campaign has affected at least 12 financial institutions. The attackers used a modular phishing kit to create convincing fake bank pages, which were linked through social media messages that showcased branded previews.
Group-IB's investigation noted that GitBait had over 100 GitHub-hosted domains with multiple fake pages and stressed that simple blocklists are ineffective against such threats. Instead, Group-IB recommends that banks increase their vigilance regarding brand abuse on cloud platforms and adopt enhanced security measures, including behavioral detection and multi-factor authentication.