CyberSecurityNews

GitBait Phishing Campaign Abuses GitHub Pages to Attack Financial Institutions


A sophisticated phishing campaign called “GitBait” has been caught targeting Mexico’s financial sector with a level of precision rarely seen in credential-theft operations.

The campaign abuses GitHub Pages, a widely trusted free hosting service, to deliver fake banking portals that look nearly identical to the real thing.

Victims who land on these pages are tricked into handing over their login credentials, payment card details, and other sensitive information without ever suspecting anything is wrong.

What makes GitBait particularly alarming is how long it has been running. Historical infrastructure tracking suggests the campaign has been active for over three years, quietly evolving and expanding its target list the entire time.

The operation has targeted at least 24 financial institutions in Mexico, including both local banks and foreign institutions with a presence in the country.

Analysts at Group-IB identified the campaign and noted it is built on a fully serverless architecture, routing stolen credentials through SheetBest, a third-party API service, directly into attacker-controlled Google Sheets in real time.

Group-IB said in a report shared with Cyber Security News (CSN) that the infrastructure behind GitBait is modular, allowing threat actors to swap phishing templates and target new institutions without rebuilding their setup from scratch.

Examples of impersonation landing pages targeting financial institutions (Source – Group-IB)

Over 200 domains have been tied to this campaign, each hosting multiple phishing pages under directory paths such as “cancelacion,” “soporte,” and “mbw,” which mimic legitimate banking service categories.

These paths also help the operation evade automated detection systems that rely on known malicious domain lists.

The phishing pages are optimized for both desktop and mobile screens, reflecting a deliberate effort to maximize victim interaction across all devices. The credential harvesting scheme operates without a traditional command-and-control server.

In at least one observed case, an alternative method was also used, sending victim data in real time to a Telegram bot with hardcoded tokens and chat IDs embedded in the page’s JavaScript.

Commit history across multiple GitHub repositories confirms ongoing maintenance by what appears to be a collaborative and actively managed group of operators.

GitBait Phishing Campaign Abuses GitHub Pages

The heart of the GitBait operation lies in how it exploits GitHub Pages to host phishing content. GitHub Pages carries a trusted reputation and comes with HTTPS coverage by default, meaning most automated security tools do not flag it as suspicious.

Script intercepts credentials and exfiltrates them via SheetBest API endpoint (Source – Group-IB)

Threat actors leverage this trust to deploy phishing pages that pass standard blocklist checks while landing directly in front of their targets.

Each repository contains duplicated phishing content under different directory paths, making takedowns difficult since removing one path does not eliminate the others.

The phishing kit includes an internal campaign selector that operators use to choose which bank to impersonate and generate a matching fraudulent URL.

Impersonation landing pages replicate the visual identity, layout, and navigation of legitimate banking portals, building a false sense of trust before victims are sent to credential-harvesting forms.

Those forms collect usernames, passwords, customer IDs, and payment card details through a multi-stage flow designed to mirror a real online banking session.

Centralized Credential Theft Through SheetBest API

Once a victim submits their information, a client-side JavaScript handler intercepts the form submission before the browser processes it.

The stolen data is serialized into JSON and sent via a POST request to the SheetBest API, routing it directly into an attacker-controlled Google Sheet.

This serverless model eliminates the need for dedicated backend infrastructure, lowering operational costs and making attribution far more difficult.

Hardcoded Telegram bot token and chat ID (Source – Group-IB)

Group-IB has reported all identified phishing pages and domains to GitHub. Financial institutions are urged to proactively monitor for GitHub Pages repositories impersonating their brand using naming patterns like “brand-soporte” or “brand-cancelacion”.

Organizations should also track unexpected outbound POST requests to api.sheetbest.com from user-facing web sessions. Implementing behavioral detection and real-time transaction alerts can protect customers even if credentials are already compromised.
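The following Python script is an added example, not part of Group-IB's report or CSN's article; it shows how the two monitoring recommendations above could be turned into log-based detection logic. It flags outbound POST requests to api.sheetbest.com, exact hits on the defanged hostnames from the IoC list, and new GitHub Pages sites whose repository name or directory path uses the campaign's naming scheme (soporte, cancelacion, mbw). The proxy log format, the client IPs, and the sample lines are constructed for the demonstration; the hostnames come from the article's IoC table.

```python
"""Detection sketch for GitBait-style exfiltration and lookalike hosting.

Added example, not Group-IB's or CSN's code. Scans web-proxy log lines for:
  1. outbound POST requests to api.sheetbest.com from user-facing sessions,
  2. requests to hostnames listed as IoCs in the article,
  3. requests to *.github.io hostnames whose repo name or path uses the
     campaign's naming patterns (soporte, cancelacion, mbw, support).
The log format and sample lines are assumptions made for the demo.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Defanged IoCs as they appear in the article; refanged in code only.
DEFANGED_IOCS = [
    "api.sheetbest[.]com",
    "soporte-index.github[.]io",
    "soporte-bmw.github[.]io",
]

# Repo-name fragments and directory names the campaign reuses (from the article).
SUSPICIOUS_TOKENS = ("soporte", "cancelacion", "mbw", "support")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'api.sheetbest[.]com' back into a hostname."""
    return indicator.replace("[.]", ".").lower()


EXFIL_HOST = "api.sheetbest.com"
KNOWN_HOSTS = {refang(i) for i in DEFANGED_IOCS}

# Assumed proxy log format: "<timestamp> <client_ip> <METHOD> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d{3})$")


@dataclass
class Alert:
    rule: str
    client_ip: str
    url: str


def classify(line: str) -> list[Alert]:
    """Return the alerts a single log line triggers (empty list if none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    _ts, client_ip, method, url, _status = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    alerts: list[Alert] = []

    # Rule 1: the kit's serverless exfiltration channel (no traditional C2).
    if method == "POST" and host == EXFIL_HOST:
        alerts.append(Alert("sheetbest-exfil-post", client_ip, url))

    # Rule 2: exact match on a known phishing hostname from the IoC list.
    if host in KNOWN_HOSTS and host != EXFIL_HOST:
        alerts.append(Alert("known-gitbait-host", client_ip, url))
    # Rule 3: heuristic for not-yet-listed GitHub Pages sites using the same naming scheme.
    elif host.endswith(".github.io"):
        label = host[: -len(".github.io")]
        segments = [s for s in path.split("/") if s]
        if any(t in label for t in SUSPICIOUS_TOKENS) or any(s in SUSPICIOUS_TOKENS for s in segments):
            alerts.append(Alert("github-pages-naming-heuristic", client_ip, url))
    return alerts


def scan(lines) -> list[Alert]:
    """Run classify() over an iterable of log lines and collect every alert."""
    return [a for line in lines for a in classify(line)]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5 GET https://soporte-index.github.io/cancelacion/index.html 200",
    "2024-05-01T10:00:09Z 10.0.0.5 POST https://api.sheetbest.com/sheets/abc123 200",
    "2024-05-01T10:01:00Z 10.0.0.7 GET https://example-docs.github.io/mbw/login.html 200",
    "2024-05-01T10:02:00Z 10.0.0.8 GET https://github.com/octocat/Hello-World 200",
    "2024-05-01T10:03:00Z 10.0.0.9 GET https://api.sheetbest.com/sheets/abc123 200",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.rule:32} client={a.client_ip} url={a.url}")
```

The GET to api.sheetbest.com in the last sample line deliberately produces no alert: the article's signal is the POST that carries the serialized form data, and alerting on every contact with the API would drown the rule in legitimate traffic from sites that use SheetBest for benign purposes. Rule 3 is a heuristic and will need tuning against your own proxy logs; the other two rules are exact matches on page-provided indicators.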

Sharing threat intelligence with peers and regulators is strongly encouraged to accelerate coordinated response across the financial sector.

Indicators of Compromise (IoCs):

Type | Indicator | Description
Domain | soporte-index.github[.]io | GitHub Pages phishing domain
Domain | soporte-index69.github[.]io | GitHub Pages phishing domain
Domain | sntdr-soporte.github[.]io | GitHub Pages phishing domain
Domain | v9-soporte.github[.]io | GitHub Pages phishing domain
Domain | soporte169.github[.]io | GitHub Pages phishing domain
Domain | soporte1505.github[.]io | GitHub Pages phishing domain
Domain | soporte16032k.github[.]io | GitHub Pages phishing domain
Domain | soporte96.github[.]io | GitHub Pages phishing domain
Domain | soporte-bmw.github[.]io | GitHub Pages phishing domain
Domain | soporte-r2.github[.]io | GitHub Pages phishing domain
Domain | api.sheetbest[.]com | SheetBest API used for credential exfiltration
Domain | soporte5014.github[.]io | GitHub Pages phishing domain
Domain | soporte15052014.github[.]io | GitHub Pages phishing domain
Domain | soporte20032k.github[.]io | GitHub Pages phishing domain
Domain | soporte250.github[.]io | GitHub Pages phishing domain
Domain | soporte-index69.github[.]io | GitHub Pages phishing domain
Domain | soporte-bnw.github[.]io | GitHub Pages phishing domain
Domain | fldsmdrc-95.github[.]io | GitHub Pages phishing domain
Domain | soporte-bx.github[.]io | GitHub Pages phishing domain
Domain | soporte-index.github[.]io | GitHub Pages phishing domain
Domain | soporte-cw.github[.]io | GitHub Pages phishing domain
Domain | soporte-bk.github[.]io | GitHub Pages phishing domain
Domain | sntdrsoporte-jatencionf.github[.]io | GitHub Pages phishing domain
Domain | soporte-jatencionf.github[.]io | GitHub Pages phishing domain
Domain | soporte-j-atencion.github[.]io | GitHub Pages phishing domain
Domain | soporte-bh.github[.]io | GitHub Pages phishing domain
Domain | respaldo95.github[.]io | GitHub Pages phishing domain
Domain | soporte-indexg1.github[.]io | GitHub Pages phishing domain
Domain | gnilsoporte.github[.]io | GitHub Pages phishing domain
Domain | soporte-gn-il.github[.]io | GitHub Pages phishing domain
Domain | soporte-gnil.github[.]io | GitHub Pages phishing domain
Domain | goil-soporte.github[.]io | GitHub Pages phishing domain
Domain | gnil-soporte.github[.]io | GitHub Pages phishing domain
Domain | soporte-sh.github[.]io | GitHub Pages phishing domain
Domain | soportecgj.github[.]io | GitHub Pages phishing domain
Domain | support-gh.github[.]io | GitHub Pages phishing domain
IP Address | 176.97.214[.]92 | Remote address for SheetBest API credential submission
Operator Account | ss-soporte (GitHub) rronromoBgmail[.]com | Initial repository setup and base infrastructure creation
Operator Account | ce-soporte (GitHub) jejcgsbsbs Bgmail[.]com | Activation of GitHub Pages hosting
Operator Account | soporte-sw jejcgsbsbsBgmail[.]com (GitHub) | Addition of new institution templates and removal of others
Operator Account | soporte-BRAND-NAMEB-soperte (GitHub) hig3naarool101Bgmail[.]com | Updates to credential harvesting pages
File Hash (CSS) | sha256 bootstrap v5.3.0-alpha1 CSS SHA256 hash (see report) | Bootstrap CSS SRI hash used across phishing pages
File Hash (JS) | sha256 bootstrap v5.3.0-alpha1 JS SHA256 hash (see report) | Bootstrap JS SRI hash used across phishing pages

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
