Several phishing campaigns targeting employees of cryptocurrency platforms such as Binance and Coinbase and the Federal Communications Commission (FCC) have been discovered, including one dubbed CryptoChameleon, which targets cryptocurrency platforms and employees. Based on an analysis from Lookout, the victims of this attack primarily use Apple iOS and Google Android devices with SSO solutions, such as Okta, Outlook, and Google, with their Apple and Google accounts with single sign-on.
Several days ago, Lookout, a company focused on cloud security, announced that it had discovered an "advanced phishing kit" that targeted cryptocurrency exchanges, revealing techniques similar to what was expected. The phishing kit, which has been dubbed CryptoChameleon, can also be used to cheat the Federal Communications Commission (FCC) by using mobile devices.
Most of the intended targets are crypto traders, single sign-on (SSO) services in the U.S., Binance staff, and Coinbase employees, with a small minority being Bitcoin traders and SSO service users. The kit seeks to trick victims into sharing sensitive information, including usernames, passwords, password reset URLs, and photo IDs, by sending carbon copies of SSO pages, phishing emails, SMS messages, and call-in scams via email, SMS, and voice mail, mainly aimed at US users.
A suspicious new domain registration for the domain fcc-oktacom led researchers to discover a suspicious phishing kit. Cryptocurrency platforms and SSO services, including Coinbase, are most commonly targeted by this phishing kit, which is capable of impersonating a variety of company brands, with Coinbase being the most frequently targeted service.
Other websites were using the kit, and the majority of these websites used a subdomain of official-servercom as their C2 instead of their main domain.
A recent blog post by Lookout states that the attack has been successful in phishing over a hundred people, many of whom remain active today. It is noteworthy that the C2 server URL, the client-side logic, and the style sheets were included in the kit.
Most cybercriminals host their sites on RetnNet hosting. To prevent automated analysis tools from identifying the site, victims must first complete a captcha, known as hCaptcha, which provides the site with credibility. It appears CryptoChameleon is replicating the fashions used by Scattered Spider, specifically through its impersonation of Okta and the use of domain names previously assumed to be associated with the organization by Lookout.
It is important to remember that the phishing kit has significantly different capabilities and C2 infrastructure than the phishing kit, even though the URL and spoofed pages look similar to what Scattered Spider might create. It is common for threat actors to copy one another's tactics and procedures when the tactic or procedure has been so publicized that it has become widely accepted.
Furthermore, it remains unclear if this is the work of a single threat actor or a tool that is being used by many different groups at the same time.
This is what has made the threat actors so successful in stealing high-quality data, according to Lookout, as high-quality phishing URLs, login pages that perfectly match the look and feel of legitimate websites, a sense of urgency, and consistent communication via SMS and voice calls have enabled them to steal data so efficiently.
As soon as the attackers get access to the victim, they use their credentials to log in, and based on information that has been provided by the MFA service, they direct them to the appropriate page.
In addition to employees of the Federal Communications Commission (FCC), this phishing kit targets cryptocurrency users of Binance, Coinbase, and various other platforms that provide cryptocurrency services like Binance, Coinbase, Gemini, Kraken, ShakePay, Caleb & Brown, and Trezor.
There have been over 100 successful phishing attacks on victims so far.
As a result, automated analysis tools are not able to flag the sites because the fake login screen is displayed only after the victim completes a CAPTCHA test using hCaptcha, thus preventing them from being flagged.
By mimicking a company's customer service team with the pretence that it is protecting a person's account after a purported hack, these pages can be distributed via unsolicited phone calls and text messages.
As a result, the victim's phone number and the choice of six- or seven-digit code can be customized on the phishing page.
Cryptocurrency platforms and Single Sign-On services are the most frequently targeted services by phishing kits that impersonate various company brands, with Coinbase being the most commonly targeted.
Further, victims are also lured through phone calls, emails, and text messages, when phishing emails are disguised as legitimate messages from cryptocurrency platforms or the Federal Communications Commission (FCC) with malicious links, while SMS messages are disguised as legitimate notifications from cryptocurrency platforms or the FCC.
Lookout customers have been protected against these phishing sites since the beginning of January 2024 due to the similarity of infrastructure and the similarity of previous attacks.