GitBait phishing campaign targeting Mexican banks

Campaign
H score 20
1 unique source, 1 article

Summary

A long-running GitBait phishing campaign is stealing banking credentials from customers of Mexican financial institutions, using GitHub Pages and SheetBest to hide its infrastructure and complicate takedown. The operation has hit at least 12 institutions over roughly three years and relies on cloned bank pages plus cloud-based data forwarding. Its serverless design reduces seizure opportunities while increasing the risk of credential theft and downstream account abuse.

Related Happenings

Sniper Dz MENA fake Facebook phishing and monetization campaign

Campaign
H score 30 · First: 15.06.2026 09:30 · Last: 15.06.2026 09:30 · Sources: 1

About this happening: A **Sniper Dz** fraud campaign is targeting **users across the Middle East and North Africa** with **fake Facebook accounts** that impersonate politicians, public figures, and tru...

FBI takedown of Outsider Enterprise phishing service

Law Enforcement
H score 63 · First: 14.06.2026 17:36 · Last: 14.06.2026 17:36 · Sources: 1

About this happening: The **FBI** and partners **dismantled** **Outsider Enterprise**, a **phishing-as-a-service** operation tied to **thousands of phishing websites** and large-scale credential theft....

NFCShare fake banking-app update phishing campaign

Campaign
H score 40 · First: 09.06.2026 01:11 · Last: 09.06.2026 01:11 · Sources: 1

About this happening: The **NFCShare** phishing campaign is using **fake banking-app updates** on **GitHub** to steal **payment card data** from customers of multiple banks across **Europe**, expanding...

AccountDumpling Google AppSheet Facebook phishing campaign

Campaign
H score 33 · First: 01.05.2026 21:09 · Last: 01.05.2026 21:09 · Sources: 1

About this happening: A **Vietnamese-linked** operation dubbed **AccountDumpling** is using **Google AppSheet** as a phishing relay to steal **Facebook** credentials, enabling account takeover at scale...

Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations

Threat Actor Meta
H score 44 · First: 05.03.2026 08:51 · Last: 05.03.2026 08:51 · Sources: 1

About this happening: **Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....

Latest development: 17.05.2026 17:43

eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.

Timeline

  1. 17.06.2026 17:00 · 2 articles

    GitBait steals banking credentials from Mexican financial institutions

    Initial Disclosure

    Group-IB identified GitBait as a long-running phishing operation targeting customers of Mexican financial institutions and linked it to at least 12 institutions over roughly three years. The campaign hosted fake bank pages on GitHub Pages, forwarded stolen logins through SheetBest, and used duplicated pages, Open Graph previews, noindex tags, randomized JavaScript paths and GitHub Actions automation to reduce takedown risk.
