Netskope Reports Surge in Phishing on Glitch

Netskope Threat Labs reported a rise in phishing activities specifically aimed at members of Navy Federal Credit Union, affecting over 3,000 users across 830 organizations. The assessed campaigns took place between January and April 2025, featuring phishing sites hosted on the Glitch platform.

Phishing Activity Trends

Traffic to phishing sites on Glitch has reportedly tripled during the observation period. The primary aim of many campaigns is to capture sensitive login credentials from users associated with Navy Federal Credit Union.

Phishing operations use Telegram both to exfiltrate data and to bypass multifactor authentication (MFA). Additionally, custom CAPTCHA tests complicate detection of these phishing pages by preventing static scanners from reaching the phishing content.

Exploitation of Glitch

The Glitch platform offers users the ability to create and host web applications via a web browser, which can be exploited to support phishing campaigns. The ease and cost-efficiency of hosting static sites on Glitch are particularly appealing to attackers.

Attackers take advantage of Glitch’s features to set up numerous phishing pages seamlessly, each with distinct subdomains, allowing for anonymous operations.

Targeting Navy Federal Credit Union

The phishing efforts primarily focus on acquiring account credentials from Navy Federal Credit Union members. Attackers employ JavaScript to silently collect user details such as Internet Protocol (IP) addresses, enhancing their targeting capabilities.

Additionally, they induce users to submit one-time passwords, thereby gaining access to accounts. This technique includes using deceptive prompts during the login process to extract confidential information.

Deceptive CAPTCHA Usage

Some phishing schemes utilize fake CAPTCHAs to disguise their intentions. Netskope has identified this tactic as increasingly common in phishing and malware campaigns.

This façade can create a misleading sense of security, causing victims to share sensitive information while they are on fraudulent websites.

Telegram for Data Collection

Certain phishing operations use Telegram to collect stolen credentials and to carry out bypass sequences using one-time passwords. This method not only aids in credential theft but also circumvents existing security measures.

Victims may be misled into believing their information is being processed legitimately, as fake confirmation messages are often incorporated into these phishing schemes.
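One way to hunt for the pattern described above in web proxy logs, as an added example that is not from the Netskope report: flag requests to Telegram that were issued by a page hosted on a Glitch subdomain. The hostnames (glitch.me for Glitch project sites, api.telegram.org for the Telegram Bot API), the four-field log format and the sample lines are assumptions made for this sketch.

```python
from urllib.parse import urlsplit

# Assumed hostnames (not stated on the page): Glitch project sites are served
# from subdomains of glitch.me; the Telegram Bot API is at api.telegram.org.
HOSTING_SUFFIX = ".glitch.me"
EXFIL_HOST = "api.telegram.org"

# Constructed sample proxy log: timestamp, user, requested URL, Referer header.
SAMPLE_LOG = """\
2025-03-02T10:01:07Z alice https://example-project-a.glitch.me/ -
2025-03-02T10:01:30Z alice https://api.telegram.org/botREDACTED/sendMessage https://example-project-a.glitch.me/
2025-03-02T10:02:11Z bob https://api.telegram.org/botREDACTED/getUpdates -
2025-03-02T10:03:45Z carol https://example-project-b.glitch.me/index.html https://mail.example.com/
2025-03-02T10:04:02Z carol https://cdn.example.net/app.js https://example-project-b.glitch.me/index.html
"""

def host_of(url):
    """Return the lowercase hostname of a URL, or '' for '-' or malformed values."""
    if url == "-":
        return ""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""

def is_hosted_page(host):
    # Suffix match with the leading dot so 'notglitch.me' does not match.
    return host.endswith(HOSTING_SUFFIX)

def find_exfil_candidates(log_text):
    """Return (timestamp, user, referring_host) for each request to EXFIL_HOST
    that was issued by a page hosted under HOSTING_SUFFIX."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at fields
        ts, user, url, referer = parts
        ref_host = host_of(referer)
        if host_of(url) == EXFIL_HOST and is_hosted_page(ref_host):
            hits.append((ts, user, ref_host))
    return hits

if __name__ == "__main__":
    for ts, user, page in find_exfil_candidates(SAMPLE_LOG):
        print(f"{ts} user={user} page={page} -> {EXFIL_HOST}")
```

Direct Telegram use with no referring page (bob in the sample) is not flagged, so the rule stays quiet for ordinary bot or client traffic; it depends on the proxy recording the Referer header.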

Conclusion

Netskope Threat Labs continues to observe changes in phishing tactics, especially those targeting customers of financial institutions. As methods involving Telegram and deceptive CAPTCHAs progress, they underscore the need for vigilance against evolving phishing attempts. Netskope remains engaged in monitoring these developments.

Disclosure

  • Indicators of Compromise (IOCs) for this campaign have been submitted to Glitch.

Data Analysis

The findings in this report are based on anonymized usage data obtained through the Netskope Security Cloud from participating organizations.

IOCs

All IOCs linked to this campaign can be found in the Netskope GitHub repository.