New Phishing Campaign Steals Philippine Bank Credentials
Key Takeaways
- A sophisticated phishing campaign, dubbed PHISLES, has been actively targeting Philippine banking customers since early 2024.
- Attackers are leveraging trusted online platforms and compromised email accounts to deliver convincing phishing lures, bypassing traditional security filters.
- The campaign aims to steal banking credentials and one-time passwords, enabling real-time fund transfers within minutes of compromise.
- Over 900 malicious links have been distributed, affecting more than 400 individuals and impersonating at least three major Philippine banks.
A persistent and elaborate phishing operation has been observed actively targeting banking customers across the Philippines since early 2024. This ongoing campaign, identified by security researchers, is designed to illicitly acquire user credentials and one-time passwords (OTPs), subsequently enabling rapid account depletion.
The perpetrators behind this scheme are employing advanced tactics, moving beyond rudimentary phishing attempts. They exploit the inherent trust in widely recognized internet platforms to mask their malicious intent, facilitating the theft of sensitive banking information and swiftly draining victim accounts.
Targeting End-Users with Deceptive Lures
Unlike attacks directly aimed at financial institutions, this campaign focuses on individual online banking users. Victims typically receive fraudulent emails that convincingly mimic legitimate communications from their banks. These messages often contain urgent warnings about unauthorized transactions or suspicious login attempts from unfamiliar devices.
Such emails are crafted to compel recipients to click an embedded link and input their banking credentials, a classic phishing maneuver executed with a high degree of authenticity. Researchers at Group-IB CERT, who are tracking this operation under the designation PHISLES, confirmed its continuous activity since January 2024.
Their investigation has uncovered the distribution of over 900 malicious links, with at least three prominent Philippine banks being impersonated. Since January 2024 the campaign has affected more than 400 individuals, and it shows no signs of abating.
Once a victim submits their username, password, and OTP on a fake banking portal, the attackers initiate immediate action. Funds are often siphoned from accounts within minutes, a speed corroborated by victims who have shared evidence of these rapid thefts on social media. This campaign is meticulously engineered for real-time financial fraud, designed to capture credentials and circumvent multi-factor authentication before any security alerts can be triggered.
A critical element contributing to the campaign’s success is the use of compromised email accounts for message delivery. The phishing emails originate from legitimate, though hijacked, addresses obtained from “combolists” – databases of stolen credentials frequently traded on dark web forums and Telegram channels. This tactic enhances the perceived trustworthiness of the phishing emails, allowing them to bypass conventional spam and email security filters.
How Attackers Used Trusted Platforms to Avoid Detection
The innovative delivery methods employed in this campaign represent a significant threat evolution. Around mid-2025, the attackers shifted from directly embedding phishing links in emails. Instead, they began redirecting victims through a series of reputable online platforms before ultimately landing them on a fraudulent banking page. This sophisticated strategy aims to evade Secure Email Gateways (SEGs), which are designed to block suspicious or low-reputation links, by ensuring that all visible links appear entirely legitimate.

Several widely used platforms have been exploited in this manner. Google Business Profile links were utilized due to their association with Google’s trusted domain reputation, which typically results in them being overlooked by security systems. Phishing URLs were also concealed within Google’s AMP CDN (cdn.ampproject.org), making the displayed link appear as a legitimate Google address.
Furthermore, URL shorteners such as loom.ly and shorturl.at were employed to hide the malicious final destinations behind innocuous-looking links. Google Cloud Workstations were leveraged to stand up short-lived redirectors that presented valid TLS certificates, so nothing in the browser's address bar or padlock gave the hop away.
Cloudflare-managed domains, specifically workers.dev and pages.dev, were also extensively abused. These platforms offer automatic HTTPS and global routing, allowing attackers to quickly generate new subdomains as older ones were identified and blocked.
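The pattern above is easy to miss if a filter scores only the first visible link, because every hop sits on a high-reputation domain and the real target is encoded in a path (an AMP cache URL) or hidden behind a shortener. The script below, an added example that is not code from the report or from Group-IB, annotates an observed redirect chain hop by hop, unwraps an AMP cache URL to expose the origin it proxies, and judges the chain by its landing host rather than by the reputation of the intermediaries. The platform list is limited to the domains the report names; the sample chain and the bank domain `example-bank.com.ph` are constructed.

```python
"""Classify the hops of an observed phishing redirect chain.

Added illustration, not code from the report or from Group-IB. The
intermediary platforms are the ones named with concrete domains in the
report; the sample chain and the bank domain are constructed.
"""
from __future__ import annotations
from urllib.parse import urlparse

# Platforms the report says were used to launder links. Suffix matching
# also catches attacker-generated subdomains such as abc123.workers.dev.
ABUSED_REDIRECTORS = {
    "cdn.ampproject.org": "Google AMP cache",
    "loom.ly": "URL shortener",
    "shorturl.at": "URL shortener",
    "workers.dev": "Cloudflare Workers",
    "pages.dev": "Cloudflare Pages",
}


def host_matches(host: str, suffix: str) -> bool:
    """True if host is suffix itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def unwrap_amp_cache(url: str) -> str | None:
    """Recover the origin URL behind an AMP cache link, or None if not one.

    AMP cache URLs look like
      https://<origin-with-dashes>.cdn.ampproject.org/c/s/<origin host>/<path>
    The segment after /c/ is 's' when the origin is https and is absent for
    http, so the real destination lives in the path, not in the host.
    """
    p = urlparse(url)
    if not host_matches(p.netloc, "cdn.ampproject.org") or not p.path.startswith("/c/"):
        return None
    rest = p.path[len("/c/"):]
    scheme = "http"
    if rest.startswith("s/"):
        scheme, rest = "https", rest[2:]
    origin_host, _, origin_path = rest.partition("/")
    if not origin_host:
        return None
    unwrapped = f"{scheme}://{origin_host}/{origin_path}"
    return unwrapped + ("?" + p.query if p.query else "")


def classify_chain(hops: list[str]) -> list[dict]:
    """Annotate each hop with the platform it abuses and any hidden target."""
    annotated = []
    for url in hops:
        host = urlparse(url).netloc.lower()
        platform = next(
            (name for suffix, name in ABUSED_REDIRECTORS.items() if host_matches(host, suffix)),
            None,
        )
        annotated.append({"url": url, "host": host, "platform": platform,
                          "unwrapped": unwrap_amp_cache(url)})
    return annotated


def chain_verdict(hops: list[str], legitimate_hosts: set[str]) -> tuple[bool, str]:
    """Judge a chain by where it lands, not by how reputable the visible hops are.

    Returns (suspicious, reason). A chain is suspicious when its landing page
    (after unwrapping an AMP cache URL) is not on an allowlisted bank host; the
    reason lists the reputable platforms the chain passed through on the way.
    """
    annotated = classify_chain(hops)
    last = annotated[-1]
    landing = last["unwrapped"] or last["url"]
    landing_host = urlparse(landing).netloc.lower()
    if any(host_matches(landing_host, h) for h in legitimate_hosts):
        return False, f"lands on allowlisted host {landing_host}"
    via = [a["platform"] for a in annotated if a["platform"]]
    detail = f" via {', '.join(via)}" if via else ""
    return True, f"lands on {landing_host}, not an allowlisted bank host{detail}"


# Constructed chain in the shape the report describes: shortener -> AMP cache
# wrapper whose path points at an attacker subdomain on Cloudflare Workers.
SAMPLE_CHAIN = [
    "https://loom.ly/AbCdEf1",
    "https://example-bank-com-ph.cdn.ampproject.org/c/s/secure-verify.workers.dev/login",
]
BANK_HOSTS = {"example-bank.com.ph"}  # hypothetical bank domain

if __name__ == "__main__":
    for hop in classify_chain(SAMPLE_CHAIN):
        print(hop)
    print(chain_verdict(SAMPLE_CHAIN, BANK_HOSTS))
```

The useful habit this encodes is to resolve the chain to its landing host before deciding anything; an allowlist of the bank's real hosts is short and stable, whereas a blocklist of throwaway `workers.dev` or `pages.dev` subdomains is obsolete the moment the attacker registers the next one.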

Perhaps the most concerning discovery was the hijacking of a legitimate Philippine educational institution's domain. Attackers created hidden subdomains, obtained valid TLS certificates for them, and routed their traffic to attacker-controlled servers without disrupting the school's regular operations, a level of stealth that defeats both domain-reputation checks and a casual look at the certificate.
What You Should Do
- For Banking Customers:
  - Exercise extreme caution with urgent emails, especially those requesting login credentials.
  - Always verify the full URL of any link before entering sensitive information. Hover over links to reveal the actual destination, and look for discrepancies.
  - Avoid reusing passwords across multiple online services. Use strong, unique passwords for each account.
  - Regularly update your banking credentials.
  - Enable multi-factor authentication (MFA) on all banking and critical online accounts.
- For Financial Institutions:
  - Proactively educate customers about active phishing and scam campaigns through official communication channels.
  - Monitor web server logs for banking assets (logos, stylesheets, scripts) being requested with a Referer from a domain the bank does not control, in particular attacker-generated subdomains on cloud platforms such as workers.dev or pages.dev. Phishing kits routinely hot-link the real bank's resources, so those requests expose live phishing pages and the clients being sent to them.
- For Educational Institutions and Domain Owners:
  - Enforce multi-factor authentication for all domain registrar and DNS provider accounts.
  - Regularly audit DNS records to identify and remove any unauthorized subdomains pointing to unknown or external IP addresses or to third-party hosting targets.
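The Referer check recommended for financial institutions is a log-parsing job rather than a product feature, so here is a worked version. It is an added example, not code from the report or from any bank: it parses web server lines in Combined Log Format, keeps only requests for static assets, ignores requests that carry no Referer (browsers omit it on direct navigation and under strict referrer policies, so its absence proves nothing), and raises an alert whenever the referring host is not one of the bank's own. The bank domain `example-bank.com.ph`, the hijacked-school subdomain and all log lines are constructed.

```python
"""Flag bank static assets being hot-linked from pages the bank does not own.

Added illustration, not code from the report or from any bank. The bank
domain, the abused-platform suffixes and the log lines are constructed.
"""
from __future__ import annotations
import re
from collections import Counter
from urllib.parse import urlparse

# Combined Log Format:
# client ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

FIRST_PARTY = ("example-bank.com.ph",)  # hosts allowed to embed our assets (hypothetical)
ASSET_EXT = (".png", ".jpg", ".svg", ".css", ".js", ".woff2", ".ico")
# Platforms the report says the campaign hosted redirectors and pages on.
CLOUD_SUFFIXES = ("workers.dev", "pages.dev", "cdn.ampproject.org")


def host_in(host: str, suffixes) -> bool:
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def hotlink_alerts(lines) -> list[dict]:
    """Return one alert per asset request whose Referer is a foreign origin."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line; skip rather than guess
        path = m["path"].split("?", 1)[0]
        if not path.lower().endswith(ASSET_EXT):
            continue  # only static assets are hot-linked by a phishing kit
        referer = m["referer"]
        if referer in ("", "-"):
            continue  # no Referer: direct load or referrer policy, not evidence
        ref_host = urlparse(referer).netloc.lower()
        if not ref_host or host_in(ref_host, FIRST_PARTY):
            continue  # our own pages may embed our own assets
        alerts.append({
            "client": m["ip"],
            "asset": path,
            "referer_host": ref_host,
            # A foreign Referer on a throwaway cloud subdomain is the campaign's
            # signature; any other foreign host still deserves a look.
            "severity": "high" if host_in(ref_host, CLOUD_SUFFIXES) else "medium",
        })
    return alerts


def phishing_hosts(alerts) -> Counter:
    """Count alerts per referring host; each distinct host is a live phishing page."""
    return Counter(a["referer_host"] for a in alerts)


# Constructed log lines: one legitimate load, two from a Workers subdomain,
# one with no Referer, one non-asset request, one from a hijacked school subdomain.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Aug/2025:09:14:03 +0800] "GET /static/logo.png HTTP/1.1" 200 5123 "https://example-bank.com.ph/login" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Aug/2025:09:15:41 +0800] "GET /static/logo.png HTTP/1.1" 200 5123 "https://secure-verify.workers.dev/login" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Aug/2025:09:15:42 +0800] "GET /static/app.js?v=3 HTTP/1.1" 200 88123 "https://secure-verify.workers.dev/login" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Aug/2025:09:16:10 +0800] "GET /static/logo.png HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.0.2.45 - - [12/Aug/2025:09:17:00 +0800] "GET /api/balance HTTP/1.1" 200 300 "https://secure-verify.workers.dev/login" "Mozilla/5.0"',
    '192.0.2.46 - - [12/Aug/2025:09:18:00 +0800] "GET /static/logo.png HTTP/1.1" 200 5123 "https://verify.schoolexample.edu.ph/secure" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = hotlink_alerts(SAMPLE_LOG)
    for a in found:
        print(a)
    print(phishing_hosts(found))
```

Each referring host the script surfaces is a takedown request waiting to be written, and the client addresses on the same lines are the customers who reached the fake page and should be contacted before the attacker completes a transfer.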
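For domain owners, the audit suggested above can be scripted against a zone export so that it runs on a schedule instead of once. The example below is added here and is not code from the report or from any institution: it parses a simplified BIND-style zone file, flags A/AAAA records whose address is outside the ranges the owner actually operates, flags CNAMEs to hosting targets the owner has not approved, and diffs the current record set against the last audited one so that a newly planted subdomain stands out even if it happens to point somewhere plausible. The zone `schoolexample.edu.ph`, the known ranges and the CNAME targets are all constructed.

```python
"""Audit a DNS zone export for subdomains pointing at unknown infrastructure.

Added illustration, not code from the report or from any institution. The
zone, the known-good ranges and the approved CNAME targets are constructed.
"""
from __future__ import annotations
import ipaddress

# Address space and hosting providers the zone owner actually uses (hypothetical).
KNOWN_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]
KNOWN_CNAME_SUFFIXES = ("schoolexample.edu.ph", "cdn.example-provider.net")

# Simplified BIND syntax: name TTL class type rdata. Constructed zone in which
# three records were added by an attacker holding the DNS/registrar login.
SAMPLE_ZONE = """
$ORIGIN schoolexample.edu.ph.
@            3600 IN A     203.0.113.5
www          3600 IN A     203.0.113.5
mail         3600 IN MX    10 mail.schoolexample.edu.ph.
portal       3600 IN CNAME portal.cdn.example-provider.net.
secure-login 300  IN A     198.51.100.23        ; planted: foreign address
verify       300  IN AAAA  2001:db8:ffff::9     ; planted: foreign address
auth         300  IN CNAME hidden-sub.pages.dev. ; planted: cloud hosting
"""


def parse_zone(text: str) -> list[tuple[str, str, str]]:
    """Return (fqdn, type, rdata) tuples, expanding '@' and relative names."""
    origin = ""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        fields = line.split()
        if "IN" not in fields:
            continue  # unsupported line shape; an audit should not guess
        i = fields.index("IN")
        name, rtype, rdata = fields[0], fields[i + 1], " ".join(fields[i + 2:])
        if name == "@":
            name = origin
        elif not name.endswith("."):
            name = f"{name}.{origin}" if origin else name
        records.append((name.rstrip("."), rtype, rdata))
    return records


def audit_zone(records) -> list[dict]:
    """Flag address records outside known ranges and CNAMEs to unapproved hosts."""
    findings = []
    for name, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if not any(addr in net for net in KNOWN_NETS):
                findings.append({"name": name, "type": rtype, "target": rdata,
                                 "reason": "address outside known ranges"})
        elif rtype == "CNAME":
            target = rdata.rstrip(".").lower()
            if not any(target == s or target.endswith("." + s) for s in KNOWN_CNAME_SUFFIXES):
                findings.append({"name": name, "type": rtype, "target": target,
                                 "reason": "CNAME to unapproved third-party host"})
    return findings


def new_since(previous, current) -> list[tuple[str, str, str]]:
    """Records present now but absent from the last audited snapshot."""
    return sorted(set(current) - set(previous))


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for f in audit_zone(recs):
        print(f)
    # Pretend the last snapshot only had the four legitimate records.
    print(new_since(recs[:4], recs))
```

Run it from cron against a fresh export (or the registrar's API) and alert on any non-empty output; the snapshot diff is what catches a hidden subdomain that the attacker pointed inside an approved provider, where the range and suffix checks alone would stay quiet.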
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.