New phishing kit uses SMS and voice calls to target cryptocurrency users

01 March 2024 | Pressroom | Phishing Kits / Cryptocurrency


A new phishing kit impersonating the login pages of popular cryptocurrency services has been observed as part of an attack cluster designed to primarily target mobile devices.

“This kit allows attackers to create carbon copies of single sign-on (SSO) pages, then use a combination of email, SMS, and voice phishing to trick the target into sharing usernames, passwords, password reset URLs, and even photo IDs from hundreds of victims, mostly in the United States,” Lookout said in a report.

The kit's targets include employees of the Federal Communications Commission (FCC), Binance, and Coinbase, as well as customers of cryptocurrency platforms such as Binance, Coinbase, Gemini, Kraken, ShakePay, Caleb & Brown, and Trezor. To date, more than 100 victims have been successfully phished.

The phishing pages are built so that the fake login screen is only rendered after the visitor has passed a CAPTCHA challenge served by hCaptcha. Automated crawlers and URL scanners that do not solve the challenge never see the credential form, so the pages evade being flagged.
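As an added illustration of the evasion described above (editor-supplied example code, not from Lookout's report or from the kit itself), the following heuristic triages a fetched page by looking for the hCaptcha widget on a host that names a brand it does not legitimately belong to. The hCaptcha embed markers, the brand allowlist, the crude domain parsing and the sample HTML are all assumptions constructed for this example.

```python
"""Static triage for CAPTCHA-gated credential-phishing pages.

Added example: the allowlist and the sample pages below are illustrative
assumptions, not data from the report.
"""
import re
from urllib.parse import urlparse

# Brands named in the campaign, mapped to domains that legitimately host their
# login flows. Illustrative allowlist, not authoritative.
LEGIT_DOMAINS = {
    "coinbase": {"coinbase.com"},
    "binance": {"binance.com", "binance.us"},
    "kraken": {"kraken.com"},
    "gemini": {"gemini.com"},
    "trezor": {"trezor.io"},
    "okta": {"okta.com", "oktapreview.com"},
}

# hCaptcha embed markers: the loader script and the widget container class.
HCAPTCHA_MARKERS = (
    re.compile(r"js\.hcaptcha\.com/1/api\.js", re.I),
    re.compile(r'class=["\'][^"\']*\bh-captcha\b', re.I),
)
PASSWORD_FIELD = re.compile(r'<input[^>]+type=["\']password["\']', re.I)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for this allowlist, which has no ccSLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brands_mentioned(html: str) -> set:
    text = html.lower()
    return {brand for brand in LEGIT_DOMAINS if brand in text}


def triage(url: str, html: str) -> dict:
    """Return the indicators found plus a verdict.

    Flag a page that embeds hCaptcha and names a brand while being hosted
    off that brand's own domains. A page on an allowlisted domain is cleared
    regardless of the CAPTCHA, since legitimate sites use hCaptcha too.
    """
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    brands = brands_mentioned(html)
    has_captcha = any(m.search(html) for m in HCAPTCHA_MARKERS)
    has_password_field = bool(PASSWORD_FIELD.search(html))
    on_legit_domain = any(domain in LEGIT_DOMAINS[b] for b in brands)
    # Gated pages ship no form in the initial HTML; it is loaded after the
    # CAPTCHA callback. "CAPTCHA present, no password field" is that pattern.
    captcha_gated = has_captcha and not has_password_field
    suspicious = bool(brands) and has_captcha and not on_legit_domain
    return {
        "domain": domain,
        "brands": sorted(brands),
        "hcaptcha": has_captcha,
        "password_field": has_password_field,
        "captcha_gated": captcha_gated,
        "verdict": "suspicious" if suspicious else "benign",
    }


# Constructed samples (not captured from the real kit): a gated lookalike page
# and a plain login page on the brand's own domain.
SAMPLES = {
    "https://coinbase-secure-verify.example/login": """
        <html><head><title>Coinbase - Verify you are human</title>
        <script src="https://js.hcaptcha.com/1/api.js" async defer></script></head>
        <body><div class="h-captcha" data-sitekey="00000000-0000-0000-0000-000000000000"
             data-callback="showLogin"></div><div id="login" hidden></div></body></html>""",
    "https://login.coinbase.com/signin": """
        <html><head><title>Coinbase</title></head>
        <body><form><input type="email"><input type="password"></form></body></html>""",
}


def run_samples() -> dict:
    """Triage every constructed sample; returns url -> result."""
    return {url: triage(url, html) for url, html in SAMPLES.items()}


if __name__ == "__main__":
    for url, result in run_samples().items():
        print(url, result["verdict"], "gated" if result["captcha_gated"] else "")
```

This is a triage signal, not a blocker: plenty of legitimate sites front their login with hCaptcha, so the verdict hinges on the domain mismatch. It also shows why the gating works against scanners in the first place: a static fetch of the lookalike page finds no password field at all, so a tool keyed on login forms would have nothing to flag unless it executes the page and passes the challenge.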

In some cases, the pages are delivered through unsolicited phone calls and text messages in which the attacker poses as the company's customer support team, claiming to help secure the victim's account after a supposed compromise.


Once the victim enters their credentials, they are asked to provide a two-factor authentication (2FA) code or to "please wait" while the page claims to verify the information they submitted.

“The attacker likely attempts to log in using these credentials in real time, then redirects the victim to the appropriate page depending on the additional information required by the MFA service the attacker is trying to log in to,” Lookout said.

The kit also tries to lend the page credibility by letting the operator customize it in real time: the operator can display the last two digits of the victim's actual phone number and choose whether the victim is prompted for a six-digit or a seven-digit token.

The one-time password (OTP) the victim enters is captured by the threat actor, who uses it to complete the login to the targeted service. The victim can then be redirected to any page of the attacker's choosing, including Okta's legitimate login page or a page displaying personalized messages.

Lookout said the campaign shares similarities with Scattered Spider’s, particularly in its imitation of Okta and use of domains that have previously been identified as affiliated with the group.


“While the spoofed URLs and pages appear similar to what Scattered Spider might create, there are significantly different C2 functionality and infrastructure within the phishing kit,” the company said. “This type of copying is common among threat actor groups, especially when a variety of tactics and procedures have been so publicly successful.”

It is also not yet clear whether this is the work of a single threat actor or a shared tool used by several groups.

“The combination of high-quality phishing URLs, login pages that closely match the look and feel of legitimate sites, a sense of urgency, and a consistent connection via SMS and voice calls is what has given threat actors so much success in stealing high-quality data,” Lookout noted.


The development comes as Fortra revealed that financial institutions in Canada have been targeted by a phishing-as-a-service (PhaaS) operation called LabHost, which overtook its rival Frappo in popularity in 2023.

LabHost phishing attacks are launched through a real-time campaign management tool called LabRat that lets its customers mount an adversary-in-the-middle (AiTM) attack and capture credentials and 2FA codes.

The threat actor also developed an SMS spamming tool called LabSend that provides an automated method for sending links to LabHost phishing pages, thus allowing its customers to mount large-scale smishing campaigns.

“LabHost services enable threat actors to target a variety of financial institutions with capabilities ranging from ready-to-use templates, real-time campaign management tools, and SMS decoy,” the company said.
