CryptoChameleon attackers target Apple and Okta users

A phishing kit called CryptoChameleon was discovered targeting cryptocurrency platforms, including Binance and Coinbase employees, as well as the Federal Communications Commission (FCC).

According to an analysis by Lookout, victims primarily use Apple iOS and Google Android devices with single sign-on (SSO) solutions, including Okta, Outlook and Google.

What is concerning is that successful attacks have yielded sensitive data well beyond usernames and passwords, such as password reset URLs and photo IDs, making the attacks considerably more damaging.

“Cryptocurrency platforms, single sign-on services, government agencies and other B2C-facing organizations should consider stronger forms of authentication, such as WebAuthn-based passkeys,” says Jason Soroko, senior vice president of product at Sectigo.

CryptoChameleon’s sophisticated phishing tactics are convincing

The sophisticated attackers behind CryptoChameleon display advanced tactics, most notably highly personalized social engineering. This includes tailored text messages and voice calls impersonating legitimate support staff from reputable companies.

They also convincingly replicate legitimate login pages, making them harder to recognize, according to Lookout. Specifically, the use of phone numbers and websites that mimic real company support teams adds an extra layer of authenticity to the phishing attempts, further misleading victims.

Meanwhile, the CryptoChameleon kit also uses hCaptcha to evade automated analysis tools.

In general, CryptoChameleon’s MO resembles the techniques used by the financially motivated cyber threat group Scattered Spider, in particular targeting Okta users via voice calls posing as help desk staff, but Lookout noted that the attacks are executed with enough variability to suggest a different threat actor.

In fact, researchers suspect that the phishing kit may be offered as a service on Dark Web forums.

“It is unknown whether this is a single threat actor or a common tool used by many different groups,” according to Lookout researchers. “However, there are many similarities in the C2 backend [command-and-control] servers and test data that our team found on various phishing sites.”

Don’t be fooled by fake tech support calls

When it comes to social engineering via text messages and phone calls, organizations need to educate their employees and set a policy to verify the source of the requests, Soroko says.

“We have seen deepfake audio phone calls that have proven to be very effective, meaning that normal means of communication that were once completely reliable require a higher level of scrutiny,” he notes. “You need to verify who is texting and calling, and going forward, we need better ways to make that easier.”

Patrick Tiquet, vice president of security and architecture at Keeper Security, agrees that organizations should prioritize user training, highlighting the risks associated with unsolicited messages and the importance of additional checks to ensure that the URL of the target website matches the authentic website.

“When a password manager is used, it automatically identifies when a site’s URL does not match what is in the user’s vault, which provides a critical additional layer of security,” he explains.
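The check Tiquet describes is worth seeing concretely, because the protection comes from comparing the exact host of the page with the host stored in the vault, not from a substring or "looks similar" test. The following is an added example, not code from Keeper Security or from the article: a minimal model of the vault lookup with a constructed vault (the `VAULT` entries and the `.test` hostnames are hypothetical), normalizing the visited URL the way a browser would before deciding whether a credential may be filled.

```python
"""Model of a password manager's URL-to-vault match (added example, constructed data).

A stored credential is bound to one or more exact hosts. Autofill is offered only
when the normalized host of the current page is one of those hosts; anything else
(prefix lookalikes, userinfo tricks, IDN homoglyphs) gets no credential and a warning.
"""
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed vault: entry name -> hosts on which that credential may be filled.
# The hostnames are hypothetical placeholders, not real tenants.
VAULT: Dict[str, Set[str]] = {
    "sso-portal": {"login.example-corp.test"},
    "exchange": {"www.example-exchange.test", "example-exchange.test"},
}


def canonical_host(url: str) -> Optional[str]:
    """Return the normalized host of a web URL, or None if it is not a safe web URL."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    # Only http(s) pages can legitimately receive a web credential.
    if parts.scheme.lower() not in ("https", "http"):
        return None
    # .hostname discards userinfo ("user@"), the port and brackets, and lowercases.
    host = parts.hostname
    if not host:
        return None
    host = host.rstrip(".")  # "example.test." and "example.test" are the same host
    # Convert internationalized names to punycode so a homoglyph host can never
    # compare equal to the ASCII host stored in the vault.
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return host


def vault_match(url: str, vault: Dict[str, Set[str]] = VAULT) -> Optional[str]:
    """Return the name of the vault entry whose host exactly matches url, else None."""
    host = canonical_host(url)
    if host is None:
        return None
    for name, hosts in vault.items():
        if host in hosts:  # exact set membership, never startswith/endswith/in-string
            return name
    return None


def autofill_decision(url: str, vault: Dict[str, Set[str]] = VAULT) -> str:
    """Human-readable outcome: fill from a named entry, or warn that no entry matches."""
    name = vault_match(url, vault)
    if name is not None:
        return f"fill:{name}"
    return "warn:no vault entry matches this host"


if __name__ == "__main__":
    # Constructed visited URLs: two legitimate forms, then typical mismatches.
    for visited in (
        "https://login.example-corp.test/",
        "HTTPS://Login.Example-Corp.test:443/app",
        "https://login.example-corp.test.attacker-placeholder.test/",
        "https://login.example-corp.test@attacker-placeholder.test/",
        "https://login.ex\u0430mple-corp.test/",  # Cyrillic 'a' homoglyph
    ):
        print(f"{visited:60} -> {autofill_decision(visited)}")
```

The important design choice is that every match is an exact membership test on the normalized host: the lookalike host `login.example-corp.test.attacker-placeholder.test` and the userinfo form `login.example-corp.test@attacker-placeholder.test` both contain the legitimate name as a substring yet resolve to a different host, so the vault returns nothing and the user sees a warning instead of an autofilled credential.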

Tiquet says multi-factor authentication (MFA) can also provide a critical second layer of protection that protects against phishing attacks, but warns that cybercriminals are working to evade MFA protections and are developing advanced tactics to gain access to high-value accounts and steal credentials.
