A sophisticated phishing campaign targeting Philippine banking customers demonstrates a disturbing evolution in cyber threats. Attackers are now leveraging widely trusted internet platforms to mask their malicious activities, successfully stealing bank credentials and one-time passwords (OTPs) to drain victims’ accounts rapidly. This ongoing operation, identified by Group-IB CERT researchers, has been active since January 2024, with the threat actor labeled PHISLES.
The campaign’s insidious nature lies in its ability to bypass traditional security measures by appearing legitimate. Victims are not directly targeted with crude spam emails; instead, they receive warnings about unauthorized transactions or suspicious login attempts that seem to originate from their banks. These messages, designed to evoke urgency, prompt users to click on links that lead to fake banking login pages, where their sensitive financial information is harvested.
How Attackers Abused Trusted Platforms to Steal Bank Credentials From Philippine Users
The PHISLES campaign’s effectiveness stems from its delivery method. Initially, attackers embedded the phishing links directly in the emails. Around mid-2025 a significant shift occurred: the scammers began routing victims through a chain of legitimate, well-known online platforms before landing them on the fraudulent banking sites. This pivot was engineered to get past Secure Email Gateways (SEGs), which reputation-score the URL that appears in the message and follow at most a limited number of redirects. When the visible link points to a reputable domain the message passes, and the true destination is only reached after the victim clicks through every hop of the chain.
Several trusted services were exploited in this scheme. Attackers used Google Business Profile links, capitalizing on their inherent trust and low rate of flagging. Phishing URLs were also cloaked inside Google’s Accelerated Mobile Pages (AMP) cache, where the real destination is carried in the path of an address on a Google-owned host, so the link the victim sees appears to be a genuine Google address. URL shorteners such as loom.ly and shorturl.at disguised suspicious destinations behind clean, abbreviated links. The campaign also used Google Cloud Workstations to stand up temporary redirector services with valid TLS certificates, adding another layer of legitimacy.
Free hostnames under Cloudflare’s workers.dev and pages.dev zones were extensively abused. These platforms provide automatic HTTPS and global anycast routing, and a new subdomain can be provisioned in seconds, so the attackers simply generated fresh hostnames whenever older ones were identified and blocked. Because thousands of legitimate applications share the same parent zones, defenders cannot block workers.dev or pages.dev wholesale, which is what made the campaign so resilient.
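The intermediary hops described in the two paragraphs above are the part of the chain a SOC analyst actually sees in mail logs and proxy logs, and the AMP wrapper in particular carries the real destination in plain sight. The following is an added example, not code from the Group-IB report or from any product: it unwraps AMP cache and Google AMP viewer links using the documented AMP cache URL layout (`/c/s/<origin-host>/<path>`, where `s` marks an HTTPS origin), labels hops that belong to the services named in the text, and triages a constructed redirect chain. The domain list and every URL in the chain are assumptions made up for illustration, not indicators.

```python
from urllib.parse import urlparse, urlunparse

# Intermediary services named in the campaign write-up. Hostnames are matched
# as the domain itself or any subdomain of it; this is an illustrative list,
# not a curated indicator feed.
INTERMEDIARY_DOMAINS = ("cdn.ampproject.org", "workers.dev", "pages.dev", "loom.ly", "shorturl.at")
AMP_VIEWER_HOSTS = {"www.google.com", "google.com"}
AMP_CACHE_TYPES = {"c", "i", "r"}   # AMP cache path prefixes: document, image, resource

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def unwrap_amp(url):
    """Recover the origin URL carried inside an AMP cache or Google AMP viewer link.
    Returns None when the URL is not an AMP wrapper."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    segs = p.path.split("/")          # "/c/s/host/path" -> ["", "c", "s", "host", "path"]
    if in_domain(host, "cdn.ampproject.org") and len(segs) > 2 and segs[1] in AMP_CACHE_TYPES:
        rest = segs[2:]
    elif host in AMP_VIEWER_HOSTS and len(segs) > 2 and segs[1] == "amp":
        rest = segs[2:]
    else:
        return None
    scheme = "http"
    if rest and rest[0] == "s":       # an "s" segment marks an HTTPS origin
        scheme, rest = "https", rest[1:]
    if not rest or not rest[0]:
        return None
    origin_host, path = rest[0], "/" + "/".join(rest[1:])
    return urlunparse((scheme, origin_host, path, "", p.query, ""))

def is_known_intermediary(url):
    host = (urlparse(url).hostname or "").lower()
    return any(in_domain(host, d) for d in INTERMEDIARY_DOMAINS) or unwrap_amp(url) is not None

def triage_chain(chain):
    """Label each hop of an observed redirect chain: 'amp-wrapped' hops carry the hidden
    destination, 'intermediary' hops are reputable relays, anything else is a candidate
    landing page that deserves a look."""
    report = []
    for url in chain:
        hidden = unwrap_amp(url)
        if hidden is not None:
            report.append((url, "amp-wrapped", hidden))
        elif is_known_intermediary(url):
            report.append((url, "intermediary", None))
        else:
            report.append((url, "landing", None))
    return report

# Constructed chain in the shape the text describes; none of these hosts are real indicators.
OBSERVED_CHAIN = [
    "https://shorturl.at/abc12",
    "https://www.google.com/amp/s/evil-login.example/otp",
    "https://fake-bank.workers.dev/verify",
    "https://evil-login.example/otp?ref=ph",
]

if __name__ == "__main__":
    for url, role, hidden in triage_chain(OBSERVED_CHAIN):
        print(f"{role:13} {url}" + (f"  -> hides {hidden}" if hidden else ""))
```

The point of unwrapping the AMP hop is that it tells you the landing host before anyone has to click through the shortener or the Workers redirector, which may already have been rotated by the time an analyst looks. Feed real chains in from your mail gateway's URL-rewrite logs or a sandbox's redirect trace; the hop list here is only a stand-in.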
Perhaps the most alarming aspect of this operation was the hijacking of a legitimate domain belonging to a Philippine educational institution. Attackers added DNS records for new subdomains that the institution had never published, obtained valid TLS certificates for those names (any public certificate authority will issue one once the name resolves to the requester’s server), and pointed all traffic for them at their own malicious servers. Crucially, the institution’s existing records were left untouched, so its normal online operations continued without any visible disruption, which is why the compromise went unnoticed for so long.
Group-IB CERT researchers confirmed that over 900 malicious instances were distributed, targeting users of at least three major Philippine banks. Between January 2024 and January 2026, more than 400 individuals were confirmed as victims, with the operation continuing to be active. Once a victim submitted their banking username, password, and OTP, the attackers acted with extreme speed, withdrawing funds within minutes, as evidenced by social media posts from affected individuals who documented the rapid depletion of their accounts.
This real-time credential harvesting defeats OTP-based multi-factor authentication because an OTP is only valid for a short window: the attacker replays the username, password, and freshly entered code against the genuine banking site within that window, so the bank sees a normal login and no alert is raised before the money is gone. The attackers also sent the phishing emails from compromised mailboxes, sourced from combolists traded on dark web forums and Telegram channels. Using legitimate, albeit stolen, sender accounts further enhanced the trustworthiness of the messages and aided in bypassing email security filters, since the sending domain’s reputation and authentication records were all in order.
To mitigate such threats, banking customers are advised to treat all urgent emails with caution and to verify the full URL displayed in the browser’s address bar before entering any login credentials. It is also crucial to avoid reusing passwords across online services and to enable multi-factor authentication on all accounts. Financial institutions are encouraged to proactively communicate active scam campaigns to their customers through official channels. Security teams should also watch their web and CDN logs for requests for the bank’s static assets (logos, stylesheets, scripts) whose Referer header names a host other than the bank’s own, in particular hosts under workers.dev or pages.dev: a cloned login page that hotlinks the genuine site’s images reveals its own hostname in that header.
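The Referer check mentioned above is simple to run over ordinary access logs. The following is an added example, not code from the report or from any bank: it parses combined-format web server log lines, keeps only requests for static assets, and counts the foreign referer hosts that loaded them, ranking hosts on the cloud zones named in the text first. The bank hostnames, the asset extensions, and the log lines are all constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Apache/nginx "combined" log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed hostnames of the bank's own web properties (illustration only).
OWN_HOSTS = {"online.bank.example", "www.bank.example"}
# Static assets a cloned login page is likely to hotlink from the genuine site.
ASSET_EXTENSIONS = (".png", ".svg", ".gif", ".css", ".js", ".woff2", ".ico")
# Cloud zones named in the campaign write-up; loads from here go to the top of the queue.
CLOUD_SUFFIXES = (".workers.dev", ".pages.dev", ".cdn.ampproject.org")

def referer_host(referer):
    """Hostname from a Referer header value, or None when the header is absent ('-')."""
    if not referer or referer == "-":
        return None
    return (urlparse(referer).hostname or "").lower() or None

def find_external_asset_loads(lines):
    """Count (referer_host, asset_path) pairs where our assets were embedded in a foreign page."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if not path.lower().endswith(ASSET_EXTENSIONS):
            continue
        host = referer_host(m.group("referer"))
        if host is None or host in OWN_HOSTS:
            continue
        hits[(host, path)] += 1
    return hits

def priority(host):
    """Cloud-hosted referers match the campaign's infrastructure; everything else needs a human look."""
    return "high" if host.endswith(CLOUD_SUFFIXES) else "review"

# Constructed sample log lines (not real traffic). Line 1 is a normal load from the
# bank's own login page, lines 2 and 3 are a cloned page hotlinking the logo and CSS,
# line 4 is a non-asset request, line 5 has no Referer, line 6 is a benign external embed.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2026:10:01:02 +0800] "GET /assets/logo.png HTTP/1.1" 200 1234 "https://online.bank.example/login" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2026:10:02:15 +0800] "GET /assets/logo.png HTTP/1.1" 200 1234 "https://secure-login.workers.dev/verify" "Mozilla/5.0"
198.51.100.8 - - [10/Jan/2026:10:02:16 +0800] "GET /assets/style.css?v=3 HTTP/1.1" 200 4321 "https://secure-login.workers.dev/verify" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2026:10:02:40 +0800] "GET /login HTTP/1.1" 200 9876 "https://secure-login.workers.dev/verify" "Mozilla/5.0"
192.0.2.3 - - [10/Jan/2026:10:03:01 +0800] "GET /assets/logo.png HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.4 - - [10/Jan/2026:10:03:30 +0800] "GET /assets/logo.png HTTP/1.1" 200 1234 "https://www.google.com/" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for (host, path), n in sorted(find_external_asset_loads(SAMPLE_LOG).items()):
        print(f"{priority(host):6} {n:3} {host} -> {path}")
```

Two caveats before relying on this. A kit that copies the bank’s images into its own hosting never touches the bank’s servers, so absence of hits proves nothing; and a strict Referrer-Policy on the phishing page, or a browser default that trims cross-origin referers to the origin, reduces what you see to the hostname at best, which is still enough to pivot on. Run it against the origin or CDN logs that actually serve the assets, not the application servers behind them.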
Educational institutions, like the one whose domain was exploited, should implement stringent controls around their domains. This includes enforcing multi-factor authentication on domain registrar and DNS hosting accounts, and conducting regular audits of DNS records to identify and remove any unauthorized subdomains that point to external or unknown IP addresses or to third-party hosting the institution never approved. The continued evolution of phishing tactics underscores the persistent need for vigilance from both users and institutions.
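The DNS audit recommended above is worth automating, because a single unexpected A record or CNAME in a zone of a few hundred records is easy to miss by eye. The following is an added example, not code from the report or from the institution involved: it parses a BIND-style zone export and flags A/AAAA records outside the institution’s own address space and CNAMEs pointing at targets that are not on an approved list. The address ranges, the approved CNAME targets, and the zone contents are assumptions constructed for illustration; the workers.dev record is a stand-in for the kind of entry the text describes.

```python
import ipaddress

# Assumed address space and approved outsourced targets for the institution (illustration only).
OWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("2001:db8::/32")]
APPROVED_CNAME_SUFFIXES = ("edu.example.", "mail.protection.outlook.com.")

def parse_zone(text, origin="."):
    """Parse a simple BIND-style zone export into (fqdn, rtype, rdata) tuples.
    Handles $ORIGIN, optional TTL and class fields, ';' comments, and relative names;
    multi-line records are not needed for this audit."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0].upper() == "$ORIGIN":
            origin = parts[1]
            continue
        if parts[0].startswith("$"):          # $TTL and other directives
            continue
        name, rest = parts[0], parts[1:]
        if rest and rest[0].isdigit():        # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        if len(rest) < 2:
            continue
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name
        else:
            fqdn = f"{name}.{origin}"
        if rtype == "CNAME" and not rdata.endswith("."):   # relative target is in-zone
            rdata = f"{rdata}.{origin}"
        records.append((fqdn.lower(), rtype, rdata))
    return records

def audit_records(records):
    """Flag A/AAAA records outside our address space and CNAMEs to unapproved targets."""
    findings = []
    for fqdn, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            try:
                addr = ipaddress.ip_address(rdata)
            except ValueError:
                findings.append((fqdn, rtype, rdata, "unparseable address"))
                continue
            if not any(addr in net for net in OWN_NETWORKS):
                findings.append((fqdn, rtype, rdata, "points outside institution address space"))
        elif rtype == "CNAME":
            if not rdata.lower().endswith(APPROVED_CNAME_SUFFIXES):
                findings.append((fqdn, rtype, rdata, "CNAME to unapproved external target"))
    return findings

# Constructed zone export (not a real institution's zone).
ZONE = """\
$ORIGIN edu.example.
$TTL 3600
@        IN SOA   ns1.edu.example. hostmaster.edu.example. ( 2026011001 7200 900 1209600 3600 )
@        IN NS    ns1.edu.example.
ns1      IN A     203.0.113.2
www      IN A     203.0.113.10
portal   IN A     203.0.113.20
mail     IN CNAME edu-example.mail.protection.outlook.com.
ipv6     IN AAAA  2001:db8:1::10
library  3600 IN A 198.51.100.44   ; outside campus ranges, nobody remembers creating it
verify   IN CNAME phish-kit.workers.dev.
"""

if __name__ == "__main__":
    for fqdn, rtype, rdata, reason in audit_records(parse_zone(ZONE)):
        print(f"{fqdn:24} {rtype:6} {rdata:45} {reason}")
```

Take the zone from an authorized zone transfer or the DNS provider’s export API on a schedule, diff each run against the previous one so that a newly added record stands out on its own, and alert on any finding. This check is deliberately offline; a follow-up pass that resolves every CNAME target and A record would also catch dangling entries that an attacker could claim later, but that needs network access and is a separate job.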

