
Fraudulent Fortinet Portals Harvest VPN Access Credentials via Advanced Phishing Schemes

A highly advanced phishing campaign has been identified targeting remote employees and IT administrators by impersonating the official Fortinet VPN download portal.

The threat is particularly severe due to its use of search engine optimization techniques and the exploitation of AI-generated search summaries. Attackers are leveraging these features to increase the visibility and perceived legitimacy of malicious content, drawing unsuspecting users into the attack.

The campaign employs a multi-stage redirection process that begins on trusted platforms to evade early detection by security controls. This approach ultimately enables the theft of VPN credentials and the delivery of malicious or deceptive payloads.

A security researcher posting under the alias G0njxa reported that modern search engines offering AI-generated quick answers are unintentionally amplifying the campaign. When users search for instructions on downloading the Fortinet VPN, some AI summaries extract guidance from a malicious GitHub repository, vpn-fortinet[.]github[.]io, and present it as a legitimate installation guide. Because the content is hosted on GitHub, a widely trusted platform, both users and automated systems are more likely to regard it as credible. This misplaced trust encourages victims to follow the link and triggers the attack sequence.

The attack is structured as a segmented workflow designed to distinguish human users from automated security scanners. Victims are first directed to a decoy landing page hosted on the GitHub repository. A script on this page inspects the HTTP referrer to determine the source of the visit. If the request originates from major search engines such as Google, Bing, Yahoo, or DuckDuckGo, the user is redirected to the phishing site at fortinet-vpn[.]com. Visits that do not meet these criteria may not trigger the redirect, effectively concealing the malicious behavior from security crawlers.

The phishing site closely replicates Fortinet’s official branding and user interface. Prior to allowing any download, the site displays a fraudulent configuration prompt requesting the user’s remote gateway address, login name, and password. These credentials are transmitted directly to the attackers once entered.

After harvesting the credentials, the site initiates a download from myfiles2[.]download. In many cases, the payload installs a legitimate version of FortiClient, which reduces suspicion and leaves the victim unaware that their VPN credentials have already been compromised.

To reduce exposure, IT teams are advised to block known indicators of compromise and review network traffic for connections to related domains. The identified indicators include vpn-fortinet[.]github[.]io as the initial redirect source, fortinet-vpn[.]com as the credential harvesting site, and myfiles2[.]download as the payload hosting domain.

Organizations should reinforce user awareness that legitimate software installers do not require authentication credentials prior to download. Users should also be instructed to verify software sources by confirming that downloads originate from the official fortinet.com domain.
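The two recommendations above, reviewing traffic for the published indicators and confirming that downloads come from fortinet.com, can be automated. The following is an added example (not code from the article or from Fortinet) that re-fangs the three indicator domains listed in the article, scans constructed proxy log lines for any connection to them or their subdomains, and checks whether a download URL is really on the official fortinet.com domain. The log format, timestamps and client IPs are constructed for the example; the indicator domains are the ones the article names.

```python
import re
from urllib.parse import urlparse

# Indicators named in the article, written defanged there and re-fanged here for matching.
IOC_DOMAINS = {
    "vpn-fortinet.github.io": "initial redirect source",
    "fortinet-vpn.com": "credential harvesting site",
    "myfiles2.download": "payload hosting domain",
}

# Constructed proxy log format (an assumption, not a real product's format):
# <timestamp> <client_ip> <method> <url> <status>
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Constructed sample log: one client follows the redirect chain, another visits the real vendor site.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET https://www.google.com/search?q=fortinet+vpn+download 200",
    "2024-01-01T10:00:04Z 10.0.0.5 GET https://vpn-fortinet.github.io/ 200",
    "2024-01-01T10:00:05Z 10.0.0.5 GET https://fortinet-vpn.com/download 200",
    "2024-01-01T10:00:40Z 10.0.0.5 POST https://fortinet-vpn.com/config 302",
    "2024-01-01T10:00:41Z 10.0.0.5 GET https://myfiles2.download/FortiClient.exe 200",
    "2024-01-01T10:05:00Z 10.0.0.9 GET https://www.fortinet.com/support/product-downloads 200",
]


def hostname_matches(host, domain):
    """True if host equals domain or is a subdomain of it (exact label match, no substring tricks)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_host(host):
    """Return the indicator role for a host, or None if it matches no published indicator."""
    for domain, role in IOC_DOMAINS.items():
        if hostname_matches(host, domain):
            return role
    return None


def scan_proxy_log(lines):
    """Return one hit per log line whose URL host matches an indicator domain."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        host = urlparse(m.group("url")).hostname or ""
        role = classify_host(host)
        if role:
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "method": m.group("method"), "host": host, "role": role})
    return hits


def is_official_fortinet_download(url):
    """True only for HTTPS URLs whose host is fortinet.com or one of its subdomains.

    Lookalikes such as fortinet-vpn.com or fortinet.com.example.net are rejected
    because the comparison is on whole DNS labels, not on substrings.
    """
    p = urlparse(url)
    if p.scheme != "https" or not p.hostname:
        return False
    return hostname_matches(p.hostname, "fortinet.com")


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['method']} {hit['host']} -> {hit['role']}")
    for url in ("https://www.fortinet.com/support/product-downloads", "https://fortinet-vpn.com/download"):
        print(url, "official" if is_official_fortinet_download(url) else "NOT official")
```

The host comparison deliberately requires a label boundary (`host == domain` or `host.endswith("." + domain)`), so a plain substring test that would accept `fortinet.com.example.net` is avoided; the same helper serves both the indicator match and the official-domain check.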

This campaign also underscores a growing security concern associated with AI-driven search features. While AI-generated summaries offer convenience, they can be influenced by manipulated web content. Users and administrators should verify source links carefully rather than relying solely on automated search summaries.
