New Phishing Campaign Steals Philippine Bank Credentials

Emy Elsamnoudy
April 3, 2026

Key Takeaways

  • A sophisticated phishing campaign, dubbed PHISLES, has been actively targeting Philippine banking customers since early 2024.
  • Attackers are leveraging trusted online platforms and compromised email accounts to deliver convincing phishing lures, bypassing traditional security filters.
  • The campaign aims to steal banking credentials and one-time passwords, enabling real-time fund transfers within minutes of compromise.
  • Over 900 malicious links have been distributed, affecting more than 400 individuals and impersonating at least three major Philippine banks.

A persistent and elaborate phishing operation has been observed actively targeting banking customers across the Philippines since early 2024. This ongoing campaign, identified by security researchers, is designed to illicitly acquire user credentials and one-time passwords (OTPs), subsequently enabling rapid account depletion.

The perpetrators behind this scheme are employing advanced tactics, moving beyond rudimentary phishing attempts. They exploit the inherent trust in widely recognized internet platforms to mask their malicious intent, facilitating the theft of sensitive banking information and swiftly draining victim accounts.

Targeting End-Users with Deceptive Lures

Unlike attacks directly aimed at financial institutions, this campaign focuses on individual online banking users. Victims typically receive fraudulent emails that convincingly mimic legitimate communications from their banks. These messages often contain urgent warnings about unauthorized transactions or suspicious login attempts from unfamiliar devices.

Such emails are crafted to compel recipients to click an embedded link and input their banking credentials, a classic phishing maneuver executed with a high degree of authenticity. Researchers at Group-IB CERT, who are tracking this operation under the designation PHISLES, confirmed its continuous activity since January 2024.

Their investigation has uncovered the distribution of over 900 malicious links, with at least three prominent Philippine banks being impersonated. Since January 2024, the campaign has impacted more than 400 individuals, and it shows no signs of abating.

Once a victim submits their username, password, and OTP on a fake banking portal, the attackers initiate immediate action. Funds are often siphoned from accounts within minutes, a speed corroborated by victims who have shared evidence of these rapid thefts on social media. This campaign is meticulously engineered for real-time financial fraud, designed to capture credentials and circumvent multi-factor authentication before any security alerts can be triggered.

A critical element contributing to the campaign’s success is the use of compromised email accounts for message delivery. The phishing emails originate from legitimate, though hijacked, addresses obtained from “combolists” – databases of stolen credentials frequently traded on dark web forums and Telegram channels. This tactic enhances the perceived trustworthiness of the phishing emails, allowing them to bypass conventional spam and email security filters.

How Attackers Used Trusted Platforms to Avoid Detection

The innovative delivery methods employed in this campaign represent a significant threat evolution. Around mid-2025, the attackers shifted from directly embedding phishing links in emails. Instead, they began redirecting victims through a series of reputable online platforms before ultimately landing them on a fraudulent banking page. This sophisticated strategy aims to evade Secure Email Gateways (SEGs), which are designed to block suspicious or low-reputation links, by ensuring that all visible links appear entirely legitimate.

Various legitimate and trusted services are abused (Source: Group-IB)

Several widely used platforms have been exploited in this manner. Google Business Profile links were utilized due to their association with Google’s trusted domain reputation, which typically results in them being overlooked by security systems. Phishing URLs were also concealed within Google’s AMP CDN (cdn.ampproject.org), making the displayed link appear as a legitimate Google address.

Furthermore, URL shorteners such as loom.ly and shorturl.at were employed to mask the malicious final destinations behind innocuous-looking links. Google Cloud Workstations were leveraged to create temporary redirectors that boasted valid SSL certificates, further enhancing their deceptive appearance.

Cloudflare-managed domains, specifically workers.dev and pages.dev, were also extensively abused. These platforms offer automatic HTTPS and global routing, allowing attackers to quickly generate new subdomains as older ones were identified and blocked.

Observed phishing pages on Cloudflare-managed domains (Source: Group-IB)

Perhaps the most concerning discovery was the hijacking of a legitimate Philippine educational institution’s domain. Attackers established hidden subdomains, procured valid SSL certificates, and rerouted all traffic to their own servers without disrupting the school’s regular operations, demonstrating a high level of stealth and sophistication.

What You Should Do

  • For Banking Customers:
    • Exercise extreme caution with urgent emails, especially those requesting login credentials.
    • Always verify the full URL of any link before entering sensitive information. Hover over links to reveal the actual destination, and look for discrepancies.
    • Avoid reusing passwords across multiple online services. Use strong, unique passwords for each account.
    • Regularly update your banking credentials.
    • Enable multi-factor authentication (MFA) on all banking and critical online accounts.
  • For Financial Institutions:
    • Proactively educate customers about active phishing and scam campaigns through official communication channels.
    • Configure security systems to detect unauthorized Referer headers from cloud subdomains when banking assets (e.g., images, scripts) are loaded externally.
  • For Educational Institutions and Domain Owners:
    • Enforce multi-factor authentication for all domain registrar accounts.
    • Regularly audit DNS records to identify and remove any unauthorized subdomains pointing to unknown or external IP addresses.
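As an added example (not from the article or from Group-IB), one way to implement the Referer check recommended above for financial institutions: a small Python script that scans web-server log lines for requests to the bank's own static assets whose Referer is not the bank's site, ranking Referers on the Cloudflare workers.dev/pages.dev and Google AMP CDN hosts named in the article higher than other foreign hosts. The bank hostnames, asset paths and log lines are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts that legitimately embed the bank's assets (constructed allowlist)
ALLOWED_REFERER_HOSTS = {"online.examplebank.ph", "www.examplebank.ph"}

# Asset paths that should only ever be loaded from the bank's own pages (constructed)
ASSET_PATH_RE = re.compile(r"^/(static|assets|img)/.+\.(png|jpg|svg|css|js)$", re.I)

# Platforms the article reports as abused for phishing hosting; treated as high severity
ABUSED_PLATFORM_SUFFIXES = ("workers.dev", "pages.dev", "cdn.ampproject.org")

# Apache/nginx "combined" access-log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify_referer(referer):
    """Return None for an empty or first-party Referer, else (severity, host)."""
    if not referer or referer == "-":
        return None
    host = (urlparse(referer).hostname or "").lower()
    if host in ALLOWED_REFERER_HOSTS:
        return None
    abused = any(host == s or host.endswith("." + s) for s in ABUSED_PLATFORM_SUFFIXES)
    return ("high" if abused else "medium", host)


def find_external_asset_loads(log_lines):
    """Return (severity, referer_host, asset_path, client_ip) for every bank asset
    request whose Referer points at a site other than the bank's own."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not ASSET_PATH_RE.match(m["path"]):
            continue  # unparsable line or not a static-asset request
        verdict = classify_referer(m["referer"])
        if verdict:
            findings.append((verdict[0], verdict[1], m["path"], m["ip"]))
    return findings


# Constructed sample log lines: one first-party load, one from a workers.dev phishing
# page, one from an unrelated domain, one non-asset request, one with no Referer
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Apr/2026:09:12:01 +0800] "GET /static/img/logo.png HTTP/1.1" 200 5120 "https://online.examplebank.ph/login" "Mozilla/5.0"',
    '203.0.113.9 - - [03/Apr/2026:09:12:07 +0800] "GET /static/img/logo.png HTTP/1.1" 200 5120 "https://secure-login.example-kit.workers.dev/" "Mozilla/5.0"',
    '198.51.100.4 - - [03/Apr/2026:09:13:22 +0800] "GET /static/css/login.css HTTP/1.1" 200 880 "https://verify.example-university.ph/" "Mozilla/5.0"',
    '198.51.100.8 - - [03/Apr/2026:09:14:00 +0800] "GET /api/balance HTTP/1.1" 200 310 "https://evil.pages.dev/" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Apr/2026:09:15:11 +0800] "GET /static/js/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_external_asset_loads(SAMPLE_LOG):
        print(finding)
```

Each "high" finding identifies a phishing page that is hot-linking the bank's branding, and the client IP on that line is a customer who has loaded the fake portal, which allows the bank to warn them before the OTP is captured.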

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
