GitBait Phishing Kit Abuses GitHub Pages and SheetBest API to Target Mexican Banks
A new phishing kit named GitBait leverages GitHub Pages and the SheetBest API to steal credentials from Mexican banking customers, evading detection by abusing legitimate cloud services.

A novel phishing kit dubbed GitBait is targeting Mexican banking customers by abusing GitHub Pages and the SheetBest API to host convincing login pages and exfiltrate stolen credentials. Discovered by security researchers, the kit creates realistic phishing pages for multiple Mexican banks, hosted on GitHub Pages, a free web hosting service provided by GitHub. The use of legitimate cloud infrastructure makes the phishing sites harder to block and more trustworthy to unsuspecting victims.
The attack chain begins when victims receive phishing emails or messages directing them to a GitHub Pages URL that mimics their bank's login portal. The pages are designed to closely replicate the official banking websites, complete with logos and branding. Once the victim enters their credentials, the stolen data is sent via the SheetBest API to a Google Sheets spreadsheet controlled by the attacker. SheetBest is a legitimate service that allows users to send data from web forms to Google Sheets, and its abuse here provides a simple, low-cost exfiltration channel.
GitBait represents a growing trend of supply-chain abuse, where attackers leverage trusted cloud services to host malicious infrastructure. By using GitHub Pages, the phishing sites benefit from GitHub's reputation and HTTPS certificates, bypassing many traditional security filters. Similarly, using SheetBest and Google Sheets for data exfiltration allows attackers to blend in with legitimate traffic, making detection by network monitoring tools more difficult.
The campaign specifically targets Mexican banks, indicating a focused geographic and financial motivation. Researchers have identified multiple phishing pages for different banks, suggesting the kit is being actively used or sold to other threat actors. The modular nature of GitBait could allow attackers to easily adapt it to target other regions or institutions.
GitHub has been notified of the malicious pages and has taken steps to remove them, but the ease of creating new accounts means the campaign can quickly resurface. Users are advised to verify URLs carefully, enable multi-factor authentication, and avoid clicking on unsolicited links. Organizations should consider blocking or monitoring traffic to known phishing hosting services.
The GitBait kit highlights the evolving sophistication of phishing operations, which increasingly rely on legitimate platforms to evade detection. As cloud services become more integrated into everyday workflows, attackers will continue to exploit them for malicious purposes, requiring both users and security teams to remain vigilant.
Group-IB's full report, shared with Cyber Security News, reveals the campaign has been active for over three years, targeting at least 24 financial institutions in Mexico using over 200 domains. The serverless operation routes stolen credentials through the SheetBest API to attacker-controlled Google Sheets or, in some cases, to a Telegram bot with hardcoded tokens. The modular phishing templates use directory paths like 'cancelacion' and 'soporte' to evade detection and complicate takedown efforts.
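The monitoring advice above can be made concrete using the channels and directory names the report describes. The following is an added detection sketch, not code from the article or from Group-IB: it flags POSTs to SheetBest or the Telegram Bot API whose Referer is a GitHub Pages site. The SheetBest hostnames, the log layout and every sample record are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

PAGES_SUFFIX = ".github.io"             # GitHub Pages sites
EXFIL_HOSTS = {                         # assumed API hostnames; verify before deploying
    "sheet.best": "sheetbest", "api.sheetbest.com": "sheetbest",
    "api.telegram.org": "telegram-bot",
}
LURE_DIRS = {"cancelacion", "soporte"}  # directory names cited in the article

# Constructed sample proxy log: time, client, method, url, referer.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET https://example-user.github.io/soporte/ -
2024-05-01T10:00:40Z 10.0.0.5 POST https://sheet.best/api/sheets/00000000-0000-0000-0000-000000000000 https://example-user.github.io/
2024-05-01T10:05:00Z 10.0.0.9 POST https://sheet.best/api/sheets/11111111-1111-1111-1111-111111111111 https://intranet.example.com/
2024-05-01T10:07:00Z 10.0.0.7 GET https://docs-project.github.io/guide/ -
2024-05-01T10:09:00Z 10.0.0.8 GET https://other-user.github.io/ -
2024-05-01T10:09:30Z 10.0.0.8 POST https://api.telegram.org/botPLACEHOLDER/sendMessage https://other-user.github.io/
"""


def find_pages_exfil(log_text):
    """Flag POSTs to form-to-sheet or bot APIs that originate from a GitHub Pages site."""
    visited = {}  # (client, pages_host) -> True if a lure directory was requested
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        ts, client, method, url, referer = parts
        target = urlsplit(url)
        host = (target.hostname or "").lower()
        if host.endswith(PAGES_SUFFIX):
            segments = {s.lower() for s in target.path.split("/") if s}
            key = (client, host)
            visited[key] = visited.get(key, False) or bool(segments & LURE_DIRS)
            continue
        channel = EXFIL_HOSTS.get(host)
        ref_host = (urlsplit(referer).hostname or "").lower()
        if method == "POST" and channel and ref_host.endswith(PAGES_SUFFIX):
            # Cross-origin Referer is usually origin-only, so use the earlier page hit.
            lure = visited.get((client, ref_host), False)
            alerts.append({"time": ts, "client": client, "channel": channel,
                           "pages_host": ref_host, "lure_dir": lure})
    return alerts


if __name__ == "__main__":
    for alert in find_pages_exfil(SAMPLE_LOG):
        print(alert)
```

A page that sets a no-referrer policy removes the Referer signal, in which case correlating a client's GitHub Pages visit with a POST to these hosts inside a short time window is the fallback.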