
From January to April 2025, Netskope Threat Labs uncovered a significant spike in phishing campaigns abusing the Glitch web development platform, marking a concerning escalation in cloud-hosted threats. According to the researchers, “traffic to phishing pages hosted on Glitch has more than tripled, increasing 3.32x” during the first four months of 2025.
Members of the Navy Federal Credit Union are the most heavily targeted group in these campaigns. Attackers begin by luring victims to a Glitch-hosted phishing page and requesting their username and password. Behind the scenes, the phishing kits silently collect geolocation data such as public IP addresses, countries, and cities using services like ipify and ipinfo.
After capturing login credentials, the attackers escalate their efforts by requesting a one-time password (OTP), which is often sent to the victim’s phone as part of multi-factor authentication (MFA). Once submitted, this OTP is immediately exfiltrated to the attackers via the Telegram Bot API. Netskope states, “attackers successfully circumvented multi-factor authentication using Telegram,” enabling full unauthorized access to user accounts.
A particularly cunning feature of these phishing campaigns is the use of fake CAPTCHA gates to bypass static threat scanners. Victims encounter what appears to be a standard “I’m not a robot” checkbox, but it’s merely a façade. Upon interaction, a scripted loader animation displays, and the victim is silently redirected to a phishing page. “The script replaces the checkbox with a spinning loader to create the illusion of a real CAPTCHA test,” Netskope explained.

These deceptive CAPTCHAs not only mislead human users but also help attackers evade automated detection by hiding the malicious payload behind a conditional client-side interaction.
Half of the Glitch-hosted phishing operations leveraged Telegram to collect stolen credentials and OTPs. Telegram has increasingly become a go-to infrastructure for cybercriminals, due to its encryption, speed, and ease of integration. Netskope warns that attackers are “not only using Telegram to collect credentials, but also to obtain the victim’s one-time password (OTP),” effectively dismantling MFA barriers.
In some cases, phishing pages mimic payment gateways to harvest credit card numbers and phone numbers, then immediately prompt the victim for an OTP. To avoid raising suspicion, the sites display fake confirmation screens that falsely reassure the victim of a successful transaction.
Glitch, which provides developers with free hosting and instant web deployment capabilities, has inadvertently become a fertile ground for phishing. Each project receives a unique subdomain of the format <projectname-projectname-projectname.glitch[.]me>, allowing attackers to host persistent, customized phishing pages. The “Remix” feature lets cybercriminals quickly clone and deploy new versions of these sites — a process that takes minutes and evades domain blacklists.
As Netskope explains, “Attackers abuse Glitch’s features to host their phishing pages for free across multiple projects,” making the platform an attractive option for low-budget yet effective attacks.
Users are advised to avoid entering sensitive information on unfamiliar subdomains, especially those following the pattern mentioned by Netskope. Organizations, particularly in the financial sector, should bolster defenses against phishing pages hosted on unconventional platforms and educate users about telltale signs such as fake CAPTCHAs and OTP prompts.
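For defenders, the traffic pattern described above can be hunted in web proxy logs. This is an added example, not code from Netskope or from the article: it flags clients that load a three-word `glitch.me` project subdomain and then contact an IP-lookup service or the Telegram Bot API shortly afterwards. The log format, the five-minute window, the sample lines, and the assumption that these requests come from the victim's browser are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Subdomain shape given in the article: three hyphen-joined words under glitch.me.
GLITCH_RE = re.compile(r"^[a-z0-9]+-[a-z0-9]+-[a-z0-9]+\.glitch\.me$")
GEO_HOSTS = {"api.ipify.org", "ipinfo.io"}   # IP / geolocation lookups
EXFIL_HOSTS = {"api.telegram.org"}           # Telegram Bot API endpoint
WINDOW = timedelta(minutes=5)                # assumed correlation window

# Constructed sample log, assumed format: "ISO-timestamp client-ip dest-host".
SAMPLE_LOG = """\
2025-03-01T10:00:00 10.0.0.5 alpha-bravo-charlie.glitch.me
2025-03-01T10:00:02 10.0.0.5 api.ipify.org
2025-03-01T10:00:40 10.0.0.5 api.telegram.org
2025-03-01T10:01:10 10.0.0.5 api.telegram.org
2025-03-01T11:00:00 10.0.0.7 delta-echo-foxtrot.glitch.me
2025-03-01T11:30:00 10.0.0.7 api.telegram.org
2025-03-01T12:00:00 10.0.0.9 api.telegram.org
2025-03-01T12:00:05 10.0.0.9 ipinfo.io
"""

def parse(log):
    """Yield (timestamp, client, host) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2].lower()

def find_suspects(log):
    """Map (client, glitch_host) -> follow-up geo/Telegram activity seen in WINDOW."""
    last_visit, findings = {}, {}
    for ts, client, host in sorted(parse(log)):
        if GLITCH_RE.match(host):
            last_visit[client] = (ts, host)
        elif host in GEO_HOSTS | EXFIL_HOSTS and client in last_visit:
            seen, page = last_visit[client]
            if ts - seen <= WINDOW:
                hit = findings.setdefault((client, page), {"geo": False, "telegram": 0})
                hit["geo"] = hit["geo"] or host in GEO_HOSTS
                hit["telegram"] += host in EXFIL_HOSTS
    return findings

if __name__ == "__main__":
    for (client, page), hit in find_suspects(SAMPLE_LOG).items():
        print(client, page, hit)
```

Only the first client is reported: the second reaches Telegram outside the window, and the third never visits a Glitch page. Legitimate Telegram or IP-lookup use will produce hits too, so treat results as leads for review rather than verdicts.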