Novel Phishing Kit Impersonating Cryptocurrency Services Targets Mobile Users

A recent report by Lookout has highlighted a new kit that is impersonating the login pages of well-known cryptocurrency services as part of an attack cluster known as CryptoChameleon. The kit is designed to target mobile devices primarily. It enables attackers to build carbon copies of single sign-on (SSO) pages. Attackers then use email, SMS, and voice to trick the target into sharing sensitive information such as usernames, passwords, password reset URLs, and even photo IDs. So far, over 100 victims, mainly in the United States, have been successfully phished by these attackers.

The kit targets employees of the Federal Communications Commission (FCC), Binance, and Coinbase, as well as cryptocurrency users of platforms such as Binance, Coinbase, Gemini, Kraken, ShakePay, Caleb & Brown, and Trezor. The pages are designed to display the fake login screen only after the victim completes a CAPTCHA test, which prevents automated analysis tools from flagging the sites.

Sometimes, these pages are distributed via unsolicited phone calls and text messages. The attackers spoof a company's customer support team under the pretext of securing their account after a purported hack. Once the user enters their credentials, they are either asked to provide a two-factor authentication (2FA) code or asked to “wait” while it claims to verify the provided information.

The kit also attempts to give an illusion of credibility by allowing the operator to customize the page in real-time by providing the last two digits of the victim's actual phone number and selecting whether the victim should be asked for a six or seven-digit token. The one-time password (OTP) the user enters is then captured by the threat actor, who uses it to sign in to the desired online service using the provided token. In the next step, the victim can be directed to any page of the attacker's choosing, including the legitimate Okta login page or a page that displays customized messages.

Lookout said CryptoChameleon's modus operandi resembles techniques used by Scattered Spider, specifically in its impersonation of Okta and using domains previously identified as affiliated with the group. “Despite the URLs and spoofed pages looking similar to what Scattered Spider might create, there are significantly different capabilities and C2 infrastructure within the kit,” the company said. “This type of copycatting is common amongst threat actor groups, especially when a series of tactics and procedures have had so much public success.”

It remains to be determined whether this is the work of a single threat actor or a shared tool used by different groups. “The combination of high-quality URLs, login pages that perfectly match the look and feel of the legitimate sites, a sense of urgency, and consistent connection through SMS and voice calls is what has given the threat actors so much success stealing high-quality data,” Lookout noted.

The report comes as Fortra revealed that financial institutions in Canada have been targeted by a new phishing-as-a-service (PhaaS) group called LabHost, which overtook its rival Frappo in popularity in 2023. LabHost's phishing attacks are carried out using a real-time campaign management tool called LabRat, which can stage an adversary-in-the-middle (AiTM) attack and capture credentials and 2FA codes. The threat actor has also developed an SMS spamming tool called LabSend that provides an automated method for sending links to LabHost phishing pages, allowing its customers to mount smishing campaigns at scale. “LabHost services allow threat actors to target a variety of financial institutions with features ranging from ready-to-use templates, real-time campaign management tools, and SMS lures,” the company said.

Deitasoft © 2024. All Rights Reserved.