Using specially designed single sign-on ( SSO ) pages for Okta that look remarkably similar to the originals, a new phishing kit called CryptoChameleon  is being used to target Federal Communications Commission (FCC ) employees.
Using phishing pages that impersonate Okta, Gmail, iCloud, Outlook, Twitter, Yahoo, and AOL, the same campaign targets users and employees of cryptocurrency platforms like Binance, Coinbase, Kraken, and Gemini.
To deceive victims into entering sensitive information on phishing websites, such as their usernames, passwords, and, in some cases, even photo IDs, the attackers plan a sophisticated phishing and social engineering attack consisting of email, SMS, and voice phishing.
There is n’t enough evidence to support a confident attribution of the phishing operation discovered by researchers at , Lookout , but it resembles the 2022 , Oktapus campaign conducted by the , Scattered Spider , hacking group.
Multi-pronged social engineering attack
Domain registrations that closely resemble those of legitimate entities are the first step in the direction of the threat actors. They created “fcc- okta [. ]” in the FCC case. ” com,” which is only one character different from the legitimate Okta single-sign-on page from the FCC’s official Okta single-sign.
The target may be contacted by the attackers, pretending to be customer support, and directing them to a phishing website to “recover” their accounts by texting, emailing, or SMSing them.
According to Coinbase, the texts posed as warnings about suspicious login alerts and sent users to phishing websites, as below.
A CAPTCHA challenge, according to Lookout, is required for victims of phishing websites in order to filter out bots and give the phishing process legitimacy.
A well-designed phishing page that appears to be an exact replica of Okta’s authentic login site is provided to those who successfully complete that step.
In case multi-factor authentication ( MFA ) codes are required, the cybercriminals can use the phishing kit to communicate with the victims in real-time.
The central panel in charge of the phishing process makes it possible for attackers to include the victim’s phone number digits on the phishing website to appear legitimate.
The victim may be redirected to the fake portal or platform’s sign-in page after the phishing process has been completed.
Both locations are chosen to lessen suspicion on the victim’s end and give attackers more time to use the information they have stolen.
approving more
By analyzing the phishing kit and discovering the relevant lures, Lookout gained insight into the additional targets in the cryptocurrency sector.
The researchers also gained quick access to the attacker’s backend logs, confirming that the campaign produced significant compromises.
According to the logs found,” the sites appear to have successfully phished more than 100 victims,” says Lookout.
” Many of the websites are still active and continue to phish for more credentials each hour.”
In late 2023, the threat actors primarily used Hostwinds and Hostinger to host their phishing pages, before switching to RetnNet, a Russian-based company that might offer a longer operating period for shady websites.
If a single threat actor only uses the CryptoChameleon phishing kit, or if it is rented to several groups, Lookout was unable to find out.
The impact this can have on targeted organizations is underlined by the kit’s advanced nature, the operators ‘ methods of targeting and communication, and the high standard of the phishing materials.
At the end of Lookout’s article, you can find a list of compromise indicators, including phishing websites and command-and-control servers.