Inside the Weebly Phishing Campaign: A Sophisticated Threat to Financial Institutions

August 12, 2025

BlueVoyant

A recent investigation by BlueVoyant’s threat analysts has uncovered a sophisticated phishing campaign exploiting the Weebly.com platform to create fraudulent websites targeting small to mid-sized banks and financial institutions across the United States. 

This campaign stands out for its widespread scale and diffusion. Over the past few months, BlueVoyant has identified hundreds of phishing websites targeting more than 200 American banks and financial institutions. Each site is carefully crafted to mimic legitimate banking portals, deceiving users into entering sensitive information such as login credentials and multi-factor authentication codes. 

How the Campaign Works 

Threat actors leverage Weebly’s free hosting services and its simple drag-and-drop website builder to rapidly deploy phishing sites. Weebly is owned by Block, formerly known as Square and best known as a payment processor. By using Weebly’s trusted domain and infrastructure, attackers bypass traditional security filters and extend the lifespan of their malicious pages. The campaign relies heavily on:

  • Lookalike subdomains (e.g., fhbonline[.]weebly[.]com) that resemble real bank URLs 
  • Built-in Weebly templates repurposed as generic phishing kits, allowing attackers to easily swap logos and names to impersonate different banks 
  • Subdomain hosting to avoid registering new domains, making detection and takedown efforts more difficult 

The campaign analysis conducted by BlueVoyant’s Digital Risk Protection team revealed that attackers often use the “personal website” option on Weebly, selecting themes with input fields that can be repurposed as login forms. The entire process of creating a phishing site takes less than an hour, enabling rapid scaling across multiple targets. 
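The lookalike-subdomain pattern described above can be hunted for in hostnames collected from DNS or proxy logs. The following is an added example, not BlueVoyant's tooling: the brand watchlist, the digit-swap table, the 0.8 threshold and the sample hostnames are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher

PLATFORM = "weebly.com"  # shared hosting domain named in the article
# Hypothetical watchlist: labels from the institution's own domains (constructed).
BRAND_LABELS = ["examplebank", "examplebankonline"]
DIGIT_SWAPS = str.maketrans("0135", "oles")  # assumed common digit-for-letter swaps

def refang(host):
    """Undo defanging such as name[.]weebly[.]com and normalise case."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")

def site_label(host, platform=PLATFORM):
    """Return the customer-chosen label directly under the platform, else None."""
    host = refang(host)
    if not host.endswith("." + platform):
        return None
    return host[: -len(platform) - 1].split(".")[-1] or None

def normalise(label):
    """Drop separators, then map digit look-alikes back to letters."""
    return re.sub(r"[^a-z0-9]", "", label).translate(DIGIT_SWAPS)

def score(label, brand):
    """1.0 if the brand is embedded in the label, otherwise difflib's similarity ratio."""
    a, b = normalise(label), normalise(brand)
    return 1.0 if b and b in a else SequenceMatcher(None, a, b).ratio()

def flag_lookalikes(hosts, brands=BRAND_LABELS, threshold=0.8):
    """Return (host, closest_brand, score) for platform subdomains resembling a brand."""
    hits = []
    for host in hosts:
        label = site_label(host)
        if label is None:  # not hosted under the platform: out of scope here
            continue
        best = max(brands, key=lambda b: score(label, b))
        s = score(label, best)
        if s >= threshold:  # assumed starting point; tune against real traffic
            hits.append((refang(host), best, round(s, 2)))
    return hits

# Constructed sample hostnames, as might be pulled from DNS or proxy logs.
SAMPLE_HOSTS = [
    "examplebank-online.weebly.com",  # brand plus separator
    "examp1ebank[.]weebly[.]com",     # digit swap, defanged as in threat reports
    "exmaplebank.weebly.com",         # transposed letters
    "gardening-tips.weebly.com",      # unrelated Weebly site
    "www.examplebank.com",            # the institution's own (hypothetical) domain
]
```

Calling `flag_lookalikes(SAMPLE_HOSTS)` returns the three lookalike hosts and skips both the unrelated Weebly site and the institution's own domain.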

Strategic Targeting and Infrastructure Patterns 

The campaign is widespread but also exhibits strategic targeting behavior. BlueVoyant analysts observed clusters of phishing sites appearing in specific U.S. regions, often targeting banks in neighboring states during the same period. This suggests the use of pre-defined lists and a methodical rollout strategy. 

In one example, phishing sites were created within days of each other targeting banks in Vermont, Virginia, North Carolina, Pennsylvania, South Carolina, Maine, and New York. These institutions ranged in asset size from $335 million to $16 billion, with a notable focus on smaller banks and credit unions. 

Delayed Takedown: A Key Vulnerability 

One of the most concerning findings is the threat actors’ tactic of deploying a single phishing site per bank as a “proof of concept.” Institutions that fail to promptly remove these sites often become repeat targets. BlueVoyant documented cases where smaller banks, slow to respond, were targeted multiple times — while larger banks that acted quickly saw no further activity. 

This behavior highlights the importance of swift takedown efforts. Threat actors are actively probing for weak points in institutional responsiveness and using that intelligence to intensify their campaigns. 

Mitigation and Monitoring 

BlueVoyant closely monitors DNS infrastructure to detect emerging threats in real time. Its takedown service team removes malicious impersonation websites as quickly as possible. By analyzing DNS data and leveraging access to global datasets and dark web intelligence, BlueVoyant provides clients with industry-leading threat validation and remediation capabilities. 

Download the full report to explore the full scope of this campaign—including attacker methodologies, infrastructure patterns, and mitigation strategies. You will learn how BlueVoyant uncovered and analyzed this operation, and what financial institutions can do to defend against it. 
