
Netskope Highlights Phishing Threats on Glitch

Netskope Threat Labs reported a significant increase in phishing activity, specifically targeting members of Navy Federal Credit Union, with over 830 organizations and 3,000 users affected. The phishing campaigns, tracked from January to April 2025, prominently feature pages hosted on the Glitch platform.

Key findings

Netskope observed that traffic to phishing sites on Glitch tripled during the reported period. Many of the campaigns seek sensitive login credentials and primarily target Navy Federal Credit Union members.

A substantial portion of these phishing operations use Telegram for data exfiltration and for bypassing multi-factor authentication (MFA). Additionally, custom CAPTCHA tests complicate detection by hindering static scanner access.

Exploitation of Glitch

Glitch enables users to easily create and host web applications directly through a browser. The platform permits hosting static sites continuously, free of charge, a capability that is commonly exploited to launch phishing campaigns.

Attackers utilize Glitch’s functionalities to deploy multiple phishing pages quickly, each with unique subdomains. This allows for the rapid setup of fraudulent sites while maintaining operational anonymity.

Targeting Navy Federal Credit Union

The phishing operations mainly aim to capture usernames and passwords from Navy Federal Credit Union account holders. The attackers leverage JavaScript to silently gather additional user information, such as Internet Protocol locations, which enhances their ability to target victims effectively.

By requesting that users enter a one-time password, attackers can then gain access to victims' accounts. This approach not only includes deceptive prompts during the login process but also extends to requesting confidential personal information.

Utilization of Fake CAPTCHAs

Some campaigns mask their malicious intent behind fabricated CAPTCHAs. Netskope is increasingly noting this tactic in phishing and malware attempts.

The deceptive CAPTCHA creates a false sense of security, leading victims to unwittingly provide sensitive information while navigating to the fraudulent site.

Telegram as a Channel for Data Exfiltration

Several of the phishing campaigns examined use Telegram to collect stolen credentials and the one-time passwords needed to bypass authentication. This method not only facilitates credential theft but also circumvents built-in security measures.

Victims may mistakenly believe their information is being processed legitimately, as fake confirmations are integrated within these phishing schemes.
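For defenders, the hosting and exfiltration pattern described above can be hunted in web proxy logs. The following is an added example, not code from Netskope's report: it assumes Glitch projects are served from `<project>.glitch.me`, that exfiltration goes through the Telegram Bot API host `api.telegram.org`, and a hypothetical five-field log format; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumptions (not from the report): Glitch projects are served from
# <project>.glitch.me, exfiltration uses the Telegram Bot API host, and the
# proxy log is "timestamp user method url referer" separated by spaces.
HOSTING_SUFFIX = ".glitch.me"
EXFIL_HOST = "api.telegram.org"
BOT_SEND = re.compile(r"^/bot[^/]+/(sendMessage|sendDocument)$")

# Constructed sample log lines; users, hosts and tokens are placeholders.
SAMPLE_LOG = """\
2025-03-02T10:00:01Z alice GET https://example-project-a.glitch.me/ -
2025-03-02T10:00:09Z alice POST https://api.telegram.org/botPLACEHOLDER/sendMessage https://example-project-a.glitch.me/
2025-03-02T10:01:00Z bob GET https://example-project-b.glitch.me/ -
2025-03-02T10:02:00Z carol POST https://api.telegram.org/botPLACEHOLDER/sendMessage https://chat.example.com/
2025-03-02T10:03:00Z dave POST https://api.telegram.org/botPLACEHOLDER/getUpdates https://example-project-c.glitch.me/
"""

def host_of(url):
    """Return the lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def find_exfil_events(log_text):
    """Return (timestamp, user, page_host) for Bot API send calls whose
    referring page is hosted on a Glitch subdomain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guessing fields
        ts, user, method, url, referer = parts
        if method not in ("GET", "POST") or host_of(url) != EXFIL_HOST:
            continue
        if not BOT_SEND.match(urlsplit(url).path):
            continue  # ignore Bot API calls that do not send data out
        page_host = host_of(referer)
        # Suffix includes the leading dot, so "notglitch.me" does not match.
        if page_host.endswith(HOSTING_SUFFIX):
            hits.append((ts, user, page_host))
    return hits

if __name__ == "__main__":
    for ts, user, page_host in find_exfil_events(SAMPLE_LOG):
        print(f"{ts} user={user} page={page_host} -> Telegram Bot API")
```

A page can suppress the Referer header, so in practice this check is paired with a per-user time-window correlation between a visit to the hosting domain and a Bot API request.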

Conclusion

Netskope Threat Labs continues to monitor this upsurge in phishing tactics, particularly those targeting financial institution customers. With Telegram and fake CAPTCHA mechanisms proving effective in data collection, it is clear that phishing methodologies continue to evolve. Continued vigilance is necessary as Netskope tracks the developments in these ongoing campaigns.

Disclosure

  • Indicators of Compromise (IOCs) related to this campaign have been submitted to Glitch.

Data Analysis

The assessments provided in this report are derived from anonymized usage data acquired through the Netskope Security Cloud platform from participating customer organizations.

IOCs

All relevant IOCs connected to this campaign are accessible via the Netskope GitHub repository.