Attackers Target Crypto Wallets Using Codeless Webflow Phishing Pages

Netskope Threat Labs observed a surge in phishing campaigns (10x increase in traffic between April and September 2024) abusing Webflow to host or redirect to codeless phishing pages targeting crypto wallets (Coinbase, MetaMask, Phantom, Trezor, Bitbuy) and corporate webmail/Microsoft365 credentials; attackers use full-page screenshots and Webflow form/link blocks to harvest credentials and secret recovery phrases from victims, affecting over 120 organizations worldwide, and the report includes IOCs and mitigation guidance.