At a glance

| Field | Detail |
| --- | --- |
| Actor / group | Unattributed, financially motivated operators (multiple GitHub accounts) |
| Activity type | Multi-brand bank phishing and credential harvesting via a serverless kit |
| Targets / victims | At least 12 financial institutions in Mexico (local and foreign banks) |
| Scale | 100+ domains; active for roughly three years; reusable modular kit |
| Law-enforcement status | Reported to GitHub; no arrests reported |
| Source | Group-IB |
TL;DR
Group-IB has uncovered the GitBait phishing campaign, a long-running operation against Mexico’s financial sector. The operators abuse free GitHub Pages hosting and the SheetBest API to steal banking credentials. The campaign has hit at least 12 institutions and stayed active for roughly three years.
What happened
The operation runs on a serverless model. Attackers host cloned bank login pages on GitHub Pages. Each page mimics a real Mexican bank’s portal. Victims likely arrive through SMS, messaging apps, email, or social media. A fraudulent link leads straight to the lookalike page. After the victim enters their details, a script intercepts the form. As Group-IB notes, the kit “abuses GitHub Pages for hosting and the SheetBest API for credential exfiltration.” The stolen data then flows into attacker-controlled Google Sheets in real time. A fake verification screen is then shown to lower suspicion.
The pages also carry crafted link-preview metadata. That makes a shared URL show a trusted bank logo inside chat apps. Researchers found a robots “noindex” tag too, so search engines skip the page. As the report puts it, the page is “designed to be reached exclusively via a direct link delivered to the victim.” One institution’s pages used a Telegram bot instead, though that channel is now inactive.
Who is behind it
Group-IB has not tied the GitBait phishing campaign to a named group. The researchers describe financially motivated operators working together. Commit history points to several accounts that maintained the kit over many months. Some accounts appear linked, which suggests shared control. No arrests have been reported, and any guilt remains unproven. The kit even ships a campaign selector panel for desktop and mobile, which points to a deliberate, reusable design.
Impact and scale
The numbers show real persistence. Group-IB counted over 100 domains tied to the campaign. Each domain hosts multiple phishing pages under different paths. The kit lets operators target any of the 12 banks from one panel. The pages harvest usernames, customer IDs, passwords, and card data. Operators also rotate the SheetBest endpoint through new commits, keeping the theft channel fresh. The same backend served forms across many brands, linking the pages to one operation. By routing theft through SheetBest, the actors skip a dedicated server. As the report puts it, they operate “entirely within the boundaries of legitimate cloud services.” That choice complicates takedowns and attribution alike.
How to stay protected
This GitBait phishing campaign shows where bank fraud is heading. Blocklists of bad domains will not catch a kit that hides on GitHub. So banks need behavioral detection and brand-impersonation monitoring. Security teams can hunt for GitHub Pages repositories that mimic their brand, and watch for unexpected browser POSTs to the SheetBest API. Customers should treat unexpected banking links with caution. Type the bank’s address by hand instead of tapping a link. Enable multi-factor authentication where available, and report suspicious messages to your bank quickly. Group-IB reported every identified page and domain to GitHub for takedown. For the full technical breakdown, read Group-IB’s analysis of the GitBait operation. Continuous monitoring and intelligence sharing remain the best defense.
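As an added illustration of the hunting advice above (this is not code from the report or from Group-IB): a small Python detector that runs over constructed proxy log lines, flags browser POSTs to the SheetBest API, rates those whose referer is a GitHub Pages site highest, and groups referring hosts per endpoint to surface the shared backend the report describes. The SheetBest API hostname, the log format and every sample value are assumptions.

```python
from urllib.parse import urlparse
from collections import defaultdict

# Assumed SheetBest API host (the article names the service, not the host); adjust to your proxy data.
EXFIL_HOSTS = {"api.sheetbest.com"}
PAGES_SUFFIX = ".github.io"  # GitHub Pages default hostnames (custom domains need a separate list)

# Constructed sample proxy log: "<ts> <client> <method> <url> <referer>" ('-' = no referer).
SAMPLE_LOG = """\
2024-05-01T10:02:11Z 10.0.0.5 GET https://www.example-bank.example/login -
2024-05-01T10:02:40Z 10.0.0.5 GET https://acme-login.github.io/bank/index.html -
2024-05-01T10:03:05Z 10.0.0.5 POST https://api.sheetbest.com/sheets/PLACEHOLDER-ID-1 https://acme-login.github.io/bank/index.html
2024-05-01T10:04:12Z 10.0.0.6 POST https://api.sheetbest.com/sheets/PLACEHOLDER-ID-1 https://otherbank-portal.github.io/mx/login.html
2024-05-01T10:05:00Z 10.0.0.9 POST https://api.sheetbest.com/sheets/PLACEHOLDER-ID-2 https://intranet.example/forms/survey.html
2024-05-01T10:06:00Z 10.0.0.7 POST https://www.example-bank.example/api/login https://www.example-bank.example/login
"""

def parse_line(line):
    # Split one log line into fields; malformed lines yield None.
    parts = line.split()
    if len(parts) != 5:
        return None
    _, client, method, url, referer = parts
    return {"client": client, "method": method.upper(), "url": url,
            "referer": None if referer == "-" else referer}

def classify(entry):
    """'high' = form on GitHub Pages posting to SheetBest (the GitBait pattern),
    'medium' = any other browser POST to the sheet API, None = not of interest."""
    if entry["method"] != "POST" or urlparse(entry["url"]).hostname not in EXFIL_HOSTS:
        return None
    ref_host = urlparse(entry["referer"] or "").hostname or ""
    return "high" if ref_host.endswith(PAGES_SUFFIX) else "medium"

def hunt(log_text):
    # Return (severity, client, url, referer) for every suspicious request.
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        severity = classify(entry) if entry else None
        if severity:
            findings.append((severity, entry["client"], entry["url"], entry["referer"]))
    return findings

def endpoint_fanin(findings):
    """Referring hosts per exfil endpoint: several lookalike sites feeding one
    sheet is the shared-backend signal that ties pages to one operation."""
    fanin = defaultdict(set)
    for _, _, url, referer in findings:
        if referer:
            fanin[url].add(urlparse(referer).hostname)
    return {url: sorted(hosts) for url, hosts in fanin.items()}
```

Feed `hunt()` your own proxy export in the same five-field shape; a "high" hit pairs a GitHub Pages referer with a SheetBest POST, and `endpoint_fanin()` shows which lookalike sites share one sheet.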