Threat actors are increasingly abusing the Glitch platform to host phishing campaigns, targeting over 830 organizations and 3,000+ users since January 2025. Notable victims include Navy Federal Credit Union and T-Mobile. These attacks leverage Telegram and fake CAPTCHAs to deceive victims.
Key Indicators:
- Phishing URLs follow the three-segment project-subdomain pattern that the regexes in section 1 match (`<word>-<word>-<word>.glitch.me`)
- IOCs published: Netskope Threat Report
- Original analysis: Glitch-hosted Phishing
You Should Know: How to Detect & Mitigate Glitch Phishing Attacks
1. URL Pattern Detection (Linux/Windows)
Use `grep` or PowerShell to scan web, proxy or referer logs for Glitch-hosted URLs. Both dots in the domain must be escaped (`\.` or `[.]`); an unescaped `.` matches any character, so `riverXglitchXme` would also hit. The `-i` / default case-insensitive matching covers mixed-case hostnames.
Linux Command:
grep -iE '([a-zA-Z0-9]+-){2}[a-zA-Z0-9]+\.glitch\.me' /var/log/nginx/access.log
Windows PowerShell:
Get-Content .\weblogs.log | Select-String -Pattern '([a-zA-Z0-9]+-){2}[a-zA-Z0-9]+\.glitch\.me'
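The same scan as a small Python script, added here as an example (not code from the page or from Netskope): it applies the corrected regex to constructed log lines, counts each Glitch host, defangs the result for IOC sharing, and shows why the escaped dot matters. The hostnames and log lines are made up for the demonstration, not real IOCs.

```python
import re
from collections import Counter

# Three-segment Glitch project hostname (<word>-<word>-<word>.glitch.me), as the
# page describes. Both dots are escaped so "." cannot match an arbitrary byte,
# and \b keeps the match from starting in the middle of a label.
GLITCH_HOST = re.compile(
    r"\b((?:[a-z0-9]+-){2}[a-z0-9]+\.glitch\.me)\b",
    re.IGNORECASE,
)

# Constructed sample lines (not real IOCs): four outbound proxy log lines and one
# nginx access log line whose Referer points at a Glitch project.
SAMPLE_LOGS = """\
2025-03-01T10:02:11Z proxy user=alice dst=https://lucky-green-river.glitch.me/login CONNECT 200
2025-03-01T10:02:15Z proxy user=alice dst=https://cdn.example.com/app.js GET 200
2025-03-01T10:04:40Z proxy user=bob dst=https://LUCKY-GREEN-RIVER.glitch.me/verify POST 200
2025-03-01T10:05:02Z proxy user=carol dst=https://docs.glitch.me/ GET 200
203.0.113.7 - - [01/Mar/2025:10:06:00 +0000] "GET /sso HTTP/1.1" 302 0 "https://quiet-misty-ocean.glitch.me/" "Mozilla/5.0"
"""


def extract_glitch_hosts(lines):
    """Return a Counter of lowercase Glitch project hostnames seen across the lines."""
    hits = Counter()
    for line in lines:
        for host in GLITCH_HOST.findall(line):
            hits[host.lower()] += 1
    return hits


def defang(host):
    """Write the hostname in IOC-sharing form (glitch[.]me) so it cannot be clicked."""
    return host.replace(".", "[.]")


def scan_log_text(text):
    """Scan a block of log text; return (defanged_host, count) pairs, most frequent first."""
    counts = extract_glitch_hosts(text.splitlines())
    return [(defang(host), n) for host, n in counts.most_common()]


if __name__ == "__main__":
    for host, n in scan_log_text(SAMPLE_LOGS):
        print(f"{n:4d}  {host}")
    # docs.glitch.me (one label, no hyphens) and a host with unescaped-dot look-alikes
    # are deliberately not reported:
    print(extract_glitch_hosts(["GET https://lucky-green-riverXglitchXme/ 200"]))
```

Feed it `journalctl`, proxy exports or the nginx access log via `scan_log_text(open(path).read())`; the defanged counts are what you would paste into a ticket or share as IOCs.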
2. Block Glitch Domains via Firewall
Add Glitch phishing domains to blocklists. Neither iptables nor Windows Defender Firewall filters by hostname: iptables can only string-match packet payloads, and `New-NetFirewallRule -RemoteAddress` accepts IP addresses, subnets and ranges, not domain names. The commands below work within those limits; a DNS sinkhole (RPZ) or the web proxy's category/URL block is the more reliable layer.
Linux (iptables, matching the plaintext SNI in outbound TLS ClientHellos on the OUTPUT chain, not INPUT):
sudo iptables -A OUTPUT -p tcp --dport 443 -m string --string "glitch.me" --algo bm -j REJECT
This relies on the server name being visible in the handshake; Encrypted Client Hello or QUIC on UDP/443 bypass it, and it blocks every glitch.me project, not only the phishing ones.
Windows (Firewall Rule via PowerShell; resolve the hosts to addresses first, since the rule needs IPs):
$ips = (Resolve-DnsName -Name "glitch.me" -Type A | Where-Object Type -eq 'A').IPAddress
New-NetFirewallRule -DisplayName "Block Glitch Phishing" -Direction Outbound -Action Block -RemoteAddress $ips
Phishing subdomains may resolve to different addresses than the apex and the addresses change over time, so resolve the reported hostnames from the IOC list as well and refresh the rule, or block the names at the resolver instead.
3. Check for Telegram Phishing Links
Extract Telegram-related connections from network traffic. The kits talk to Telegram over HTTPS (the Bot API lives at api.telegram.org), so a filter on `http.host` alone sees nothing; match the TLS SNI and DNS queries as well:
Using `tshark` (Wireshark CLI):
tshark -r traffic.pcap -Y 'http.host contains "telegram" || tls.handshake.extensions_server_name contains "telegram" || dns.qry.name contains "telegram"' -T fields -e frame.time -e ip.src -e http.host -e tls.handshake.extensions_server_name -e dns.qry.name
Telegram is also used legitimately, so treat hits as leads to pivot on (which internal host, right after which glitch.me visit), not as a block decision.
4. Fake CAPTCHA Analysis
Detect fake CAPTCHA pages using browser developer tools:
- Check for missing CAPTCHA provider API calls (reCAPTCHA, hCaptcha or Turnstile): a page that shows a "verify you are human" widget but never loads the provider's script is drawing the CAPTCHA itself
- Look for static CAPTCHA images (a fixed PNG/JPEG or data: URI, not a challenge fetched from the provider)
- Look for a credential form on the same page or on the page the "CAPTCHA" submits to
Automated Check with `curl` (fetch the body, follow redirects, and look for a real provider script):
curl -sL "https://suspicious-site.glitch.me" | grep -iE 'recaptcha/api\.js|hcaptcha\.com/1/api\.js|challenges\.cloudflare\.com/turnstile'
No output from a page that visibly shows a CAPTCHA is the signal. The `-I` header check on `Content-Security-Policy` is only a weak secondary indicator; many legitimate sites ship no CSP at all, and a phishing kit can copy one.
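The three checks above in one script, added here as an example (not code from the page or from the report): it parses a fetched HTML body with the standard library, records CAPTCHA provider scripts, CAPTCHA-labelled images, and password fields, and flags the fake-CAPTCHA combination. The two HTML documents are constructed for the demonstration; the provider script URLs are the real ones for reCAPTCHA, hCaptcha and Turnstile.

```python
from html.parser import HTMLParser

# Script URLs of the real CAPTCHA providers. A page that renders a CAPTCHA widget
# but loads none of these is drawing the "CAPTCHA" itself.
CAPTCHA_PROVIDER_SCRIPTS = (
    "www.google.com/recaptcha/api.js",
    "www.recaptcha.net/recaptcha/api.js",
    "js.hcaptcha.com/1/api.js",
    "challenges.cloudflare.com/turnstile/v0/api.js",
)

STATIC_IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".webp")


class _PageScanner(HTMLParser):
    """Collect the tags the fake-CAPTCHA heuristics look at."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.captcha_images = []
        self.password_fields = 0
        self.captcha_text = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "img":
            blob = " ".join(a.get(k, "") for k in ("src", "alt", "class", "id")).lower()
            if "captcha" in blob:
                self.captcha_images.append(a.get("src", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_fields += 1
        # Any element whose class/id mentions captcha counts as a widget (e.g. g-recaptcha).
        if any("captcha" in a.get(k, "").lower() for k in ("class", "id")):
            self.captcha_text = True

    def handle_data(self, data):
        text = data.lower()
        if "captcha" in text or "i'm not a robot" in text:
            self.captcha_text = True


def analyze_captcha_page(html):
    """Return the indicators found and a verdict: 'suspicious' if any fake-CAPTCHA flag fires."""
    p = _PageScanner()
    p.feed(html)
    providers = [s for s in p.script_srcs if any(h in s for h in CAPTCHA_PROVIDER_SCRIPTS)]
    shows_captcha = p.captcha_text or bool(p.captcha_images)
    static_image = any(
        src.lower().endswith(STATIC_IMAGE_SUFFIXES) or src.startswith("data:image")
        for src in p.captcha_images
    )
    flags = []
    if shows_captcha and not providers:
        flags.append("captcha_without_provider_script")
    if static_image:
        flags.append("static_captcha_image")
    if shows_captcha and not providers and p.password_fields:
        flags.append("credential_form_behind_fake_captcha")
    return {"provider_scripts": providers, "flags": flags,
            "verdict": "suspicious" if flags else "ok"}


# Constructed sample pages (not captured from any real site).
FAKE_PAGE = """<html><body>
<p>Please complete the CAPTCHA to continue</p>
<img src="/static/captcha.png" alt="captcha">
<form action="/verify" method="post">
<input type="text" name="answer"><input type="password" name="pass">
</form>
<script src="/static/captcha.js"></script>
</body></html>"""

LEGIT_PAGE = """<html><body>
<form action="/login" method="post">
<input type="email" name="user"><input type="password" name="pass">
<div class="g-recaptcha" data-sitekey="SITE_KEY"></div>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
</form></body></html>"""

if __name__ == "__main__":
    print(analyze_captcha_page(FAKE_PAGE))
    print(analyze_captcha_page(LEGIT_PAGE))
```

Pipe `curl -sL <url>` output into `analyze_captcha_page` to automate the check; a login page that loads a real provider script and still has a password field is normal and is deliberately not flagged.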
5. Threat Hunting with YARA Rules
Create a YARA rule to detect Glitch phishing pages. The dots in the hostname regex must be escaped, and requiring both strings keeps the rule from firing on every page that happens to load a file named `captcha.js`; use `any of them` only when the input is a URL list rather than page bodies:
rule Glitch_Phishing
{
    meta:
        description = "Detects Glitch-hosted phishing pages"
    strings:
        // three-segment project hostname; \. so the dot is literal
        $glitch_url = /[a-z0-9-]{3,}\.glitch\.me/ nocase
        // script name used by the fake-CAPTCHA kits described in the report
        $fake_captcha = "captcha.js" nocase
    condition:
        $glitch_url and $fake_captcha
}
What Undercode Say
Glitch-hosted phishing attacks exploit a trusted platform with a valid TLS certificate and a reputable parent domain, so reputation-based filters rarely catch them. Organizations must:
- Monitor for unusual subdomain patterns (three hyphen-joined words under glitch.me)
- Block glitch.me at the DNS resolver or proxy, and at the firewall where address-based rules are workable, accepting that this also blocks legitimate Glitch projects
- Train employees on fake CAPTCHA tactics
- Use automated threat-hunting tools
Expected Output:
- Matching phishing URLs from the `grep` / `Select-String` scan (redirect them to a file such as `/var/log/phishing.log` to keep a record)
- Rejected connections to Glitch addresses in the firewall logs
- YARA matches for pages that combine a glitch.me hostname with the fake-CAPTCHA script
Prediction
As Glitch becomes a known attack vector, threat actors may shift to Replit, Vercel, or Netlify for hosting phishing kits. Blanket-blocking these general-purpose platforms also blocks the legitimate applications and documentation hosted on them, so the sustainable approach is per-hostname blocking fed by IOC lists, proxy URL categorisation, and the subdomain-pattern monitoring above rather than platform-wide blocks.
Reported By: Mthomasson Its – Hackers Feeds