A New Phishing Kit Targets Cryptocurrency Users via Voice Calls and SMS

A new phishing kit that impersonates the login pages of popular cryptocurrency services has been spotted. It is part of an attack cluster called CryptoChameleon that primarily targets mobile devices.

“This kit enables attackers to build carbon copies of single sign-on (SSO) pages, then use a combination of email, SMS, and voice phishing to trick the target into sharing usernames, passwords, password reset URLs, and even photo IDs from hundreds of victims, mostly in the United States,” according to a report by Lookout.

Targets of the phishing kit include the Federal Communications Commission (FCC), Binance, Coinbase, and customers of several cryptocurrency platforms such as Kraken, ShakePay, Gemini, Trezor, Caleb & Brown, and Binance. To date, more than 100 people have been successfully phished.

The phishing pages display the fake login screen only after the victim completes a CAPTCHA test using hCaptcha, which prevents automated analysis tools from identifying the sites.

In some cases, these pages are distributed through unsolicited phone calls and text messages that impersonate a company’s customer service staff, under the guise of protecting the account after an alleged attack.

After entering their login information, users are asked either to enter a two-factor authentication (2FA) code or to “wait” while the system purports to validate the data they submitted.

“The attacker likely attempts to log in using these credentials in real time, then redirects the victim to the appropriate page depending on what additional information is requested by the MFA service the attacker is trying to access,” Lookout said.

In an additional effort to create the appearance of legitimacy, the phishing kit lets the operator alter the phishing page in real time by entering the final two digits of the victim’s genuine phone number and choosing whether to request a six- or seven-digit token from them.

The threat actor then uses the one-time password (OTP) token submitted by the victim to sign in to the targeted online service. In the next step, the attacker can direct the victim to any page they choose, such as the official Okta login page or a page with personalized messaging.

According to Lookout, CryptoChameleon’s method of operation is similar to that of Scattered Spider, particularly in that it impersonates Okta and makes use of domains that have been previously linked to the group.

“Despite the URLs and spoofed pages looking similar to what Scattered Spider might create, there are significantly different capabilities and C2 infrastructure within the phishing kit,” the company said. “This type of copycatting is common amongst threat actor groups, especially when a series of tactics and procedures have had so much public success.”

It is also unclear at this time whether several threat actors are using the same tool or whether it is the work of a single actor.

“The combination of high quality phishing URLs, login pages that perfectly match the look and feel of the legitimate sites, a sense of urgency, and consistent connection through SMS and voice calls is what has given the threat actors so much success stealing high quality data,” observed Lookout.

This development coincides with Fortra’s revelation that, as of 2023, LabHost, a new phishing-as-a-service (PhaaS) company, has gained more traction than its competitor Frappo, specifically targeting financial institutions in Canada.

LabHost carries out its phishing attacks using LabRat, a real-time campaign management platform that enables the staging of adversary-in-the-middle (AiTM) attacks and the capture of passwords and 2FA codes.

The threat actor also created LabSend, an SMS spamming tool that enables its clients to launch large-scale phishing operations by offering an automated way to distribute links to LabHost phishing sites.

“LabHost services allow threat actors to target a variety of financial institutions with features ranging from ready-to-use templates, real-time campaign management tools, and SMS lures,” the company said.

