The campaign, tracked as GitBait, has been active for nearly three years and has impersonated at least a dozen banks and financial services providers. Its operators have used more than 100 GitHub Pages-hosted domains and repository structures to publish cloned landing pages under directory paths such as support, cancellation and mobile-banking variants, enabling them to keep parts of the network alive even when individual pages are removed.
The operation reflects a broader shift in financial phishing, where attackers are moving away from stand-alone malicious infrastructure and leaning on trusted cloud and developer platforms that already carry encryption, availability and reputational cover. GitHub Pages, a free static website hosting service, gives each page a github.io address and HTTPS protection, making crude blocklist-based defences less effective when victims are directed through text messages, email or chat apps.
At the centre of the campaign is a reusable phishing kit with an internal selector panel. Operators can choose the institution they want to mimic and generate a matching landing page, allowing the same infrastructure to serve multiple brands. The cloned pages are designed for both desktop and mobile users, reflecting the way banking customers in Mexico increasingly move between app-based and browser-based access.
Victims are typically taken through a staged process that begins with a trust-building imitation of a bank page and then moves into forms requesting credentials, card numbers, customer IDs and other sensitive fields. Some versions display a fake verification or waiting screen after submission, a tactic that keeps the user on the page and reduces suspicion while the information is transmitted elsewhere.
The most notable feature of GitBait is its serverless collection method. Instead of sending stolen data to a conventional command-and-control server, obfuscated JavaScript embedded in the phishing pages intercepts form submissions and pushes the data through the SheetBest API into attacker-controlled Google Sheets. This approach gives the operators a ready-made storage and viewing system without maintaining their own back-end infrastructure.
At least one variant used Telegram bot infrastructure as an alternative exfiltration channel, with hardcoded tokens and chat identifiers embedded in the page code. That suggests the operators have maintained backup routes for collecting data and have adjusted their workflow over time as hosting and detection pressures changed.
Repository activity linked to the operation points to organised maintenance rather than one-off abuse. Multiple operator accounts appear to have contributed to page deployment, brand template updates and infrastructure changes. Commit histories show work continuing over extended periods, indicating a campaign managed with the discipline of a repeatable fraud operation.
The use of crafted Open Graph preview tags added another layer of deception. When malicious links were shared through messaging platforms, the preview could display the name, logo or visual language of a targeted financial institution, increasing the likelihood that a customer would tap through without scrutinising the github.io address.
The phishing pages do not exploit a vulnerability in GitHub Pages. They abuse a legitimate publishing feature by placing deceptive content on a trusted platform. That distinction matters for defenders, because the risk lies less in software compromise and more in the speed with which attackers can create, modify and reissue pages that borrow the credibility of widely used services.
The case also highlights the limits of traditional brand-protection methods. Takedown requests can remove individual repositories, but modular hosting and duplicated page structures allow operators to relaunch quickly. Financial institutions now need continuous monitoring for naming patterns that combine their brands with support, cancellation, verification or mobile-banking terms, especially on free hosting and code-sharing platforms.
Security teams are being urged to watch for unexpected outbound browser traffic to api.sheetbest.com from banking-session contexts, as well as suspicious form submissions from pages outside authorised domains. Behavioural detection, transaction alerts, device fingerprinting and stronger customer authentication can help reduce losses when credentials have already been captured.
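A detection pass over proxy logs, added here as an illustration and not taken from the article or the researchers who tracked GitBait: it flags browser requests to api.sheetbest.com or the Telegram Bot API that were referred from a github.io page, and github.io hosts or paths that combine a brand term with the support, cancellation, verification or mobile-banking wording the article describes. The log format, the sample lines and the examplebank brand string are constructed, and api.telegram.org as the endpoint of the Telegram channel is an assumption.

```python
import re
from urllib.parse import urlparse

# Exfiltration hosts: api.sheetbest.com is named in the article; api.telegram.org is
# an assumption for the "Telegram bot infrastructure" variant it describes.
EXFIL_HOSTS = {"api.sheetbest.com", "api.telegram.org"}
# Lure wording the article says is combined with bank brands on github.io pages.
LURE_TERMS = ("support", "cancel", "verif", "mobile-banking")
# Placeholder brand strings; a bank would substitute its own names here.
BRAND_TERMS = ("examplebank",)

# Constructed proxy-log format: "<timestamp> <client_ip> <method> <url> <referrer>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def classify(line):
    """Return a finding tag for one log line, or None when nothing matched."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, _client, _method, url, referrer = m.groups()
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    ref_host = "" if referrer == "-" else (urlparse(referrer).hostname or "").lower()
    # (1) Serverless exfiltration: a github.io page posting to SheetBest or Telegram.
    if host in EXFIL_HOSTS and ref_host.endswith(".github.io"):
        return "exfil-from-github-pages"
    # (2) Brand lure: github.io host or path mixing a brand term with lure wording.
    if host.endswith(".github.io"):
        target = host + parsed.path.lower()
        if any(b in target for b in BRAND_TERMS) and any(t in target for t in LURE_TERMS):
            return "brand-lure-on-github-pages"
    return None

def scan(lines):
    """Return (client_ip, url, tag) for every line that produced a finding."""
    hits = []
    for line in lines:
        tag = classify(line)
        if tag:
            fields = line.split()
            hits.append((fields[1], fields[3], tag))
    return hits

# Constructed sample log; the SheetBest/Telegram path components are placeholders.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET https://examplebank-support.github.io/cancellation/ -",
    "2024-01-01T10:00:05Z 10.0.0.5 POST https://api.sheetbest.com/sheets/PLACEHOLDER https://examplebank-support.github.io/cancellation/",
    "2024-01-01T10:01:00Z 10.0.0.7 GET https://docs.python.org/3/ -",
    "2024-01-01T10:02:00Z 10.0.0.9 POST https://api.telegram.org/botPLACEHOLDER/sendMessage https://someuser.github.io/verify/",
]
```

Running `scan(SAMPLE_LOG)` yields three findings: the lure page visit, the SheetBest post referred from it, and the Telegram post from a second github.io page; the docs.python.org line produces none.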
For customers, the warning signs remain familiar but harder to spot. A banking page reached through a message link, a request for full card details, or a demand to re-enter online-banking credentials outside a bank’s official app or domain should be treated as suspicious. The presence of HTTPS or a recognisable logo is no longer enough to establish trust.