A long-running phishing operation has been stealing banking credentials from customers of Mexican financial institutions without running any server infrastructure of its own, instead hiding inside trusted cloud platforms.
New analysis from Group-IB detailed the campaign, which it called GitBait, and tied it to attacks on at least 12 financial institutions in Mexico over roughly three years.
Instead of a dedicated backend, GitBait hosted its fake bank pages on GitHub Pages and funneled stolen logins through SheetBest, a legitimate service that writes data straight into Google Sheets, leaving little infrastructure to seize.
Group-IB counted more than 100 GitHub-hosted domains tied to the campaign, each serving several phishing pages, and said it has reported all of them to GitHub.
Read more on large-scale phishing kits: Quantum Route Redirect Phishing Kit Democratizes Cyber-Attacks
Inside a Serverless Operation
At the center was a modular phishing kit with a desktop-and-mobile operator panel that let attackers pick a target bank and generate a matching fake page.
Each GitHub repository held duplicated pages, so any page that was removed could be redeployed quickly.
Victims landed on a page cloning a bank’s branding, then a form that captured usernames, customer IDs, passwords and card details. A script grabbed the entry, shipped it to SheetBest, then showed a fake verification screen to maintain user trust.
Group-IB could not confirm how victims were lured, but the evidence pointed to direct messages. The phishing pages carried crafted Open Graph tags that rendered a convincing bank-branded preview card when a link was shared on WhatsApp, Telegram or SMS, while a noindex tag kept them out of search results.
Commit records on one repository revealed an operation under active upkeep:
-
66 commits, indicating continuous development
-
Three contributor accounts, some sharing an email address
-
Automated publishing via Jekyll and GitHub Actions
-
An endpoint rotation by an operator account still active at the time of analysis
The pages also pulled obfuscated JavaScript from randomized paths, letting operators swap payloads without altering the page and frustrating static analysis.
Beyond Blocklists
Group-IB framed GitBait as part of a broader shift in which criminals lean on everyday cloud services and ready-made kits rather than custom malware and self-hosted servers, echoing the rise of phishing-as-a-service platforms seen in the last few years.
Because the operation relied on trusted domains, the firm warned that blocklists of known-bad sites offer little protection.
Instead, Group-IB urged banks to watch GitHub for brand abuse and flag unexpected traffic to services like SheetBest, leaning on behavioral detection, multi-factor authentication (MFA) and transaction alerts.
