Phishing URL impersonating WeTransfer | Image: CRIL
The Cyble Research and Intelligence Labs (CRIL) has exposed an active and highly targeted phishing campaign that impersonates official platforms—including Hungary’s national cybersecurity agency HunCERT and the WeTransfer file-sharing service—using a blend of deception techniques powered by the LogoKit phishing framework.
“The initial phishing link we identified mimicked the Hungary CERT login page, with the victim’s email address prefilled in the username field to enhance credibility and increase the likelihood of credential submission,” Cyble’s report reveals.
This campaign deploys phishing pages hosted on Amazon S3 (AWS)—a tactic designed to evade detection and lend credibility:
“The phishing pages were hosted on Amazon S3 (AWS) to stay under the radar and increase credibility among potential victims.”
To further legitimize the spoofed login portals, the attackers integrated Cloudflare Turnstile, a CAPTCHA alternative, fooling users into believing the page is secure:
“The phishing pages integrate Cloudflare Turnstile to create a false sense of security and legitimacy.”
Captured credentials are silently exfiltrated to an active backend endpoint: mettcoint[.]com/js/error-200.php.
The attack makes heavy use of the LogoKit phishing kit, which dynamically personalizes phishing pages by extracting branding assets in real time:
“The target logo was extracted from the victim’s email domain using Clearbit and Google Favicon.”
This method allows attackers to automatically tailor phishing pages to targeted organizations without manual customization—enhancing believability and scalability.
Cyble’s analysis discovered additional phishing portals hosted on the same domain mettcoint[.]com, including a clone of WeTransfer’s login page:
“One of the directories contained a phishing page impersonating the WeTransfer file-sharing portal – mettcoint[.]com/css/nk/index-822929.html.”
Other targets include:
- Kina Bank (Papua New Guinea)
- The Catholic Church (USA)
- Logistics firms (Saudi Arabia)
Notably, the phishing domain is still active and undetected by VirusTotal, raising concerns over widespread ongoing credential theft:
“The domain currently has zero detections on VirusTotal… its ongoing availability and undetected status indicate that the phishing campaign is likely still active.”
Organizations and users should take the following precautions:
- Block suspicious S3 and AWS-hosted domains not directly associated with your own infrastructure.
- Educate employees on email phishing red flags, especially prefilled login forms.
- Use email security gateways with real-time link analysis and sandboxing.
- Check for abuse of Cloudflare Turnstile or similar tools in phishing content.
- Report phishing domains to threat intelligence communities and cloud service providers.
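The traits the report lists (S3 hosting, a prefilled victim address, logo fetches from Clearbit and Google Favicon, Cloudflare Turnstile) can be combined into a triage score for links extracted from mail. The sketch below is an added example, not code from CRIL or from LogoKit; `score_page`, the assumption that the recipient address travels in the URL query or fragment, and the sample inputs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Traits named in the report, matched against the services' public endpoints.
S3_HOST = re.compile(r"(^|\.)s3[.-]([a-z0-9-]+\.)?amazonaws\.com$", re.I)
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CONTENT_MARKERS = {
    "clearbit_logo": "logo.clearbit.com",
    "google_favicon": "google.com/s2/favicons",
    "turnstile": "challenges.cloudflare.com/turnstile",
}

def score_page(url, html, own_s3_hosts=()):
    """Return (score, sorted matched traits) for one fetched link and its HTML."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    hits = set()
    # S3-hosted content that is not one of the organization's own buckets.
    if S3_HOST.search(host) and host not in own_s3_hosts:
        hits.add("s3_hosted")
    # Assumption: the recipient address is passed in the query or fragment.
    if EMAIL.search(unquote(parts.query + " " + parts.fragment)):
        hits.add("email_in_url")
    body = html.lower()
    for name, marker in CONTENT_MARKERS.items():
        if marker in body:
            hits.add(name)
    if re.search(r"<input[^>]+type=[\"']?password", body):
        hits.add("password_field")
    return len(hits), sorted(hits)

# Constructed sample inputs (not taken from the report).
SAMPLE_URL = "https://example-bucket.s3.amazonaws.com/login.html#user@example.org"
SAMPLE_HTML = """<html><img src="https://logo.clearbit.com/example.org">
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>
<form><input type="email" value="user@example.org"><input type="password"></form></html>"""
BENIGN_URL = "https://intranet.example.org/login"
BENIGN_HTML = '<form><input type="text"><input type="password"></form>'

if __name__ == "__main__":
    print(score_page(SAMPLE_URL, SAMPLE_HTML))
    print(score_page(BENIGN_URL, BENIGN_HTML))
```

No single trait is conclusive, since Turnstile and password fields appear on legitimate sites; the score is meant to rank links for analyst review when several traits coincide.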