Hackers Abuse Trusted Platforms to Steal Bank Credentials From Philippine Users

A coordinated phishing campaign has been quietly targeting banking customers across the Philippines since early 2024, and it remains active today.

The attackers are not relying on crude tricks — they are hiding behind widely trusted internet platforms to steal banking credentials and one-time passwords, then using them to drain victims’ accounts within minutes.

The campaign targets ordinary people who use online banking, not the financial institutions directly. Victims receive emails that appear to come from a legitimate sender, warning them about an unauthorized transaction or a suspicious login from an unknown device.

These messages push the recipient to click a link and enter their banking details, a classic phishing approach that looks entirely convincing at first glance.

Group-IB CERT researchers identified this phishing operation, which they track under the threat actor label PHISLES, and confirmed it has been running continuously since January 2024.

Their investigation found that over 900 malicious links had been distributed to potential victims, with at least three major Philippine banks being impersonated.

More than 400 people were confirmed affected between January 2024 and January 2026, with the campaign still ongoing.

Once a victim enters their username, password, and OTP into a fake banking page, the attackers act immediately. Funds are withdrawn within minutes, as confirmed by victims who shared screenshots on social media showing the speed of the theft.

The campaign is engineered for real-time financial fraud — designed to capture credentials and bypass multi-factor authentication before any alert can be triggered.

What gives this campaign its staying power is the use of compromised email accounts to deliver phishing messages.

The senders were not fake addresses — they were real accounts sourced from combolists, databases of stolen credentials freely traded on dark web forums and Telegram channels.

This made the phishing emails appear more trustworthy and helped them slip past spam and email security filters undetected.

How Attackers Used Trusted Platforms to Avoid Detection

The delivery mechanism in this campaign is where the real danger lies. Around mid-2025, the attackers stopped embedding phishing links directly inside emails.

Instead, they began routing victims through chains of well-known platforms before landing them on a fake banking page. This strategy was designed to fool Secure Email Gateways — security tools that block suspicious or low-reputation links — by making every visible link look completely legitimate.

Several platforms were specifically abused in this campaign. Google Business Profile links were used because they carry Google’s trusted domain reputation and are rarely flagged.

Phishing URLs were also wrapped inside Google’s AMP CDN (cdn.ampproject.org), making the visible link appear as a Google address.

URL shorteners like loom.ly and shorturl.at hid suspicious destinations behind clean links, while Google Cloud Workstations created temporary redirectors with valid SSL certificates.

Cloudflare-managed domains, specifically workers.dev and pages.dev, were also heavily abused. These platforms provide automatic HTTPS and global routing, and attackers could instantly generate new subdomains whenever older ones were blocked.

The most alarming discovery was the hijacking of a legitimate Philippine educational institution’s domain. Attackers created hidden subdomains, obtained valid SSL certificates, and pointed all traffic to their own servers — without disrupting the school’s normal operations.

Banking customers should treat all urgent emails with skepticism and always verify the full URL before entering any login details. They should avoid reusing the same password across different services and update credentials regularly, while enabling multi-factor authentication on all accounts.

Financial institutions should proactively inform customers about active scam campaigns through official channels. Security teams should configure systems to detect unauthorized Referer headers from cloud subdomains when banking assets such as images or scripts are loaded externally.

Educational institutions should enforce multi-factor authentication on all domain registrar accounts and regularly audit DNS records to detect and remove unauthorized subdomains pointing to unknown or external IP addresses.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.