A phishing operation is targeting customers of multiple Mexican banks by hosting fake login pages on GitHub’s free web service and funneling stolen credentials through a single cloud pipeline, researchers said.
The campaign, named GitBait, uses GitHub Pages to serve obfuscated login forms that mimic several bank brands at once, according to research published Tuesday by Group-IB. Stolen usernames and passwords are exfiltrated to a central collection point using SheetBest, a service that turns a Google Sheet into a programmable interface. The setup lets one operator run many bank lures from shared infrastructure and swap targets quickly.
Hosting phishing pages on GitHub is a deliberate evasion move, according to Group-IB. Pages served from a trusted developer domain are slower to land on blocklists and harder for filters to flag than pages on freshly registered domains. Group-IB describes the infrastructure as built to scale and persist rather than to run a single burst.
Financial institutions remain among the most-targeted sectors in phishing, a ranking that has held steady across the Anti-Phishing Working Group's quarterly Phishing Activity Trends reports. The GitBait approach fits a broader shift in which attackers lean on legitimate hosting, code and automation platforms to lower cost and dodge takedowns. The same logic drives the credential and account-fraud economy that follows a successful theft.
For Mexican account holders, the practical risk is straightforward: a convincing bank login page on a credible-looking address, followed by drained accounts or resold credentials. Group-IB recommends defenders watch for bank-brand lookalike content served from GitHub domains and monitor for credential-collection traffic to spreadsheet APIs.
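One way to act on that monitoring recommendation, as an added example that is not from Group-IB or the original article: it scans web proxy logs for POSTs to a spreadsheet API that come from, or shortly follow, a GitHub Pages visit by the same client. The log layout, the SheetBest hostnames and the 120-second window are assumptions to adjust for your environment, and the log lines are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumptions (not from the article): hostnames of the spreadsheet-API service
# and the proxy log layout "ISO-time client method url referer".
SHEET_API_HOSTS = {"sheet.best", "api.sheetbest.com"}
PAGES_SUFFIX = ".github.io"
WINDOW = timedelta(seconds=120)

# Constructed sample log lines for illustration only.
SAMPLE_LOG = """\
2025-01-07T10:00:01 10.0.0.5 GET https://example-user.github.io/banco/login.html -
2025-01-07T10:00:40 10.0.0.5 POST https://sheet.best/api/sheets/PLACEHOLDER-ID https://example-user.github.io/banco/login.html
2025-01-07T10:05:00 10.0.0.9 GET https://docs-project.github.io/guide/ -
2025-01-07T10:30:00 10.0.0.9 POST https://sheet.best/api/sheets/PLACEHOLDER-ID -
2025-01-07T11:00:00 10.0.0.7 GET https://other-user.github.io/acceso/ -
2025-01-07T11:01:10 10.0.0.7 POST https://api.sheetbest.com/sheets/PLACEHOLDER-ID -
"""

def host(url):
    return (urlsplit(url).hostname or "").lower()

def find_suspect_posts(log_text, window=WINDOW):
    """Return (client, reason, pages_url, api_url) for POSTs to a spreadsheet API
    that originate from, or closely follow, a GitHub Pages visit."""
    last_pages = {}   # client -> (time, url) of most recent *.github.io request
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guess at fields
        ts, client, method, url, referer = parts
        when = datetime.fromisoformat(ts)
        if host(url).endswith(PAGES_SUFFIX):
            last_pages[client] = (when, url)
        if method != "POST" or host(url) not in SHEET_API_HOSTS:
            continue
        if host(referer).endswith(PAGES_SUFFIX):
            hits.append((client, "referer", referer, url))
        elif client in last_pages and when - last_pages[client][0] <= window:
            # Referer stripped: fall back to time correlation per client.
            hits.append((client, "time-window", last_pages[client][1], url))
    return hits

if __name__ == "__main__":
    for hit in find_suspect_posts(SAMPLE_LOG):
        print(hit)
```

The second client is not flagged because its spreadsheet POST comes 25 minutes after an unrelated GitHub Pages visit; legitimate use of both services is common, so treat hits as leads for review rather than verdicts.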
The harvested credentials rarely stay with the original thief. They feed downstream fraud networks that launder access through mule accounts. The reuse of resilient, rebuilt infrastructure also echoes other persistent scam operations tracked this year.