
New GhostFrame Phishing Kit is Effective, Stealthy, Widely Used

Threat actors are using a new phishing-as-a-service (PhaaS) kit that includes a seemingly harmless HTML file as the primary phishing page and an iframe that acts as the gateway to the secondary phishing page, an approach that Barracuda Networks security researchers said they hadn’t seen before.

The cybercriminals behind the kit – dubbed “GhostFrame” – are using a number of techniques designed to enable it to evade security tools and make it more difficult for security teams and MSSPs to detect and protect against.

GhostFrame is effective and getting heavy use. Barracuda researchers first detected it in September. By this month, bad actors had used the kit to launch more than 1 million attacks.

“While the abuse of iframes is not unusual in phishing, this is the first time Barracuda has seen an entire phishing framework built around this technique,” Sreyas Shetty, associate threat analyst at Barracuda, wrote in a report this week.

Keeper Security CISO Shane Barney told MSSP Alert that “GhostFrame represents a meaningful evolution in phishing-as-a-service. Its use of hidden iframes isn’t new, but the full framework built around dynamic subdomains, anti-analysis features, and modular payload swapping is. This makes the kit far more adaptable and significantly harder for traditional defenses to detect.”

Threat Comes with the iframe

According to Shetty, the primary phishing page that users see doesn’t contain any phishing elements, though it does include obfuscation techniques to hide its nature. The HTML file also uses dynamic code, generating new subdomain names for each target.

Embedded in the page, however, is an iframe through which victims are moved to the secondary – and malicious – phishing page.

“This secondary page hosts the actual phishing components,” he wrote. “Even here, the attackers have hidden the credential-capturing forms inside an image-streaming feature designed for very large files (binary large objects), making it difficult for static scanners, which typically search for hard-coded phishing forms, to detect the attack.”

The content in the phishing emails comes with varying topics, from fake business deals to spoofed HR updates, with the intent of enticing targets to click on malicious links or download dangerous files. Subject lines of the GhostFrame emails include “Secure Contract & Proposal Notification,” “Annual Review Reminder,” “Invoice Attached,” and “Password Reset Request.”

Obfuscation and Evasion

There are two variants of the source code that are being used at the same time, one that is obfuscated to make it difficult to read and analyze, and another that isn’t obfuscated and is easily understood. The latter code was seen more in earlier attacks.

The GhostFrame kit also includes a script that interferes with attempts to inspect it, including preventing right-clicking the mouse, blocking the F12 key on the keyboard, which is used for developer tools, and disabling keyboard shortcuts, which are often used by security analysts to see the source code, save a page, or open developer tools.

“The script also blocks the Enter key, making it hard for users or analysts to inspect or save the web page,” Barracuda’s Shetty wrote. “By targeting both mouse clicks and main context menu access, the phishing kit ensures there is no way to get to the context menu.”

The phishing kit creates a different and random subdomain every time a person visits the site and hides the malicious iframe, activating it only after the loader gives the OK. Hosting the phishing page on continuously changing subdomains is another technique to make it difficult for security systems to detect and block the attack, he wrote.

'More Effective, Difficult to Detect'

There are other steps GhostFrame’s developers included to make the framework both more effective and difficult to detect. The fake content inside the iframe can tell the loader page to make changes, including changing the parent page’s title to impersonate trusted services, using a website’s icon to make it look more authentic, and rotating subdomains during a session to hide the attack.

There’s also a fallback iframe, which ensures the phishing attack can still work if the JavaScript fails or is blocked, and can display exact copies of login pages from the likes of Microsoft 365 or Google as images inside the iframe, making the fake login page look more convincing.
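As an added illustration for defenders (this is not code from Barracuda, from the kit, or from the article), the following Python script scores a page's static source for the indicators described above: a hidden gateway iframe, right-click and F12 interception, a loader that rewrites its title and icon on instruction from the frame, and content loaded through a Blob object URL. The sample HTML is constructed, and the rule names, weights and threshold are assumptions for tuning, not values from the report.

```python
import re

# Constructed sample (not taken from the kit) carrying the indicators the
# article describes: hidden iframe gateway, anti-inspection handlers, a loader
# that rewrites title/favicon on the frame's instruction, blob-loaded content.
SAMPLE_HTML = """<html><head><title>Document</title><link rel="icon" href="/f.ico"></head><body>
<iframe id="g" src="about:blank" style="display:none;width:0;height:0"></iframe>
<script>
document.addEventListener('contextmenu', function(e){ e.preventDefault(); });
document.addEventListener('keydown', function(e){
  if (e.key === 'F12' || e.keyCode === 123 || e.key === 'Enter') e.preventDefault();
});
window.addEventListener('message', function(e){
  document.title = e.data.title;
  document.querySelector('link[rel=icon]').href = e.data.icon;
});
var u = URL.createObjectURL(new Blob([chunks], {type: 'text/html'}));
</script></body></html>"""

# Heuristic rules: each is a weak signal on its own, so they are scored together.
RULES = {
    "hidden_iframe": re.compile(r'<iframe[^>]*style="[^"]*(?:display\s*:\s*none|width\s*:\s*0)', re.I),
    "contextmenu_block": re.compile(r"addEventListener\(\s*['\"]contextmenu['\"]", re.I),
    "devtools_key_block": re.compile(r"keyCode\s*===?\s*123|\.key\s*===?\s*['\"]F12['\"]", re.I),
    "title_rewrite_on_message": re.compile(
        r"addEventListener\(\s*['\"]message['\"][\s\S]{0,300}?document\.title\s*=", re.I),
    "favicon_swap": re.compile(r"link\[rel=[\"']?icon[\"']?\][^;\n]*\.href\s*=", re.I),
    "blob_object_url": re.compile(r"createObjectURL\(\s*new\s+Blob", re.I),
}
# Assumed weights: structural/evasion signals count more than cosmetic ones.
WEIGHTS = {"hidden_iframe": 3, "blob_object_url": 3, "contextmenu_block": 2,
           "devtools_key_block": 2, "title_rewrite_on_message": 2, "favicon_swap": 1}

def scan_html(html):
    """Return the sorted names of rules that fire on the page source."""
    return sorted(name for name, rx in RULES.items() if rx.search(html))

def risk_score(findings):
    """Weighted sum of the fired rules."""
    return sum(WEIGHTS[n] for n in findings)

def verdict(html, threshold=6):
    """Return (score, flagged, findings); the threshold is an assumed tuning value."""
    findings = scan_html(html)
    score = risk_score(findings)
    return score, score >= threshold, findings

if __name__ == "__main__":
    print(verdict(SAMPLE_HTML))
```

Because the kit splits its logic across a loader, a frame and rotating hosts, a static score like this only catches the loader-side residue; the browser-level visibility Litty describes below is needed for the rest.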

Complexity a Challenge for MSSPs, Enterprises

Lionel Litty, CISO and chief security architect for Menlo Security, told MSSP Alert that modern web applications are complex, and that even pages that seem simple will make hundreds of requests from dozens of sources out of view of the user that load scripts and iframes or create WebSockets.

“Trying to determine if a page is malicious by looking at a single request's URL, or response payload, as network security devices do, is extremely challenging,” Litty said. “Attackers have figured that out, obfuscating their code and splitting functionality between multiple components fetched separately from rotating domains.”

That complexity is also a challenge for MSSPs. They need tools that give a more holistic view of web activity, he said. They need to know what happened in a user’s browser and what the user saw after the browser fetched and reconstructed all the content during a phishing attack.

“For MSSPs, GhostFrame underscores how quickly phishing kits are becoming automated platforms rather than simple email lures,” Keeper’s Barney said. “As these kits get better at bypassing detection, MSSPs must double down on identity security as a foundational service offering. Credential-centric attacks are accelerating, and most clients cannot manage that complexity alone.”

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.
