New Phishing Kit Leverages SMS, Voice Calls to Target Cryptocurrency Users

March 1, 2024 | Newsroom | Phishing Kit / Cryptocurrency

A novel phishing kit impersonating the login pages of well-known cryptocurrency services has been observed as part of an attack cluster designed primarily to target mobile devices.

"This kit allows attackers to create carbon copies of single sign-on (SSO) pages and then use a combination of email, SMS and voice phishing to trick the target into sharing usernames, passwords, reset URLs and even photo IDs of hundreds of victims, most in the United States," Lookout said in a report.

Targets of the phishing kit include employees of the Federal Communications Commission (FCC), Binance, and Coinbase, as well as cryptocurrency users of platforms such as Binance, Coinbase, Gemini, Kraken, ShakePay, Caleb & Brown, and Trezor. To date, over 100 victims have been successfully phished.

The phishing pages are designed in a way that the fake login screen is displayed only after the victim completes a CAPTCHA test using hCaptcha, thus preventing automated analysis tools from flagging the sites.

In some cases, these pages are distributed through unsolicited phone calls and text messages in which the attacker impersonates a company's customer support team under the pretext of protecting the user's account after an alleged hack.

Once the user enters their credentials, they are asked to provide a two-factor authentication (2FA) code or to "wait" while the attackers claim to verify the information provided.

"The attacker likely attempts to log in using these credentials in real time, then redirects the victim to the appropriate page depending on additional information requested by the MFA service the attacker is attempting to access," Lookout said.

The phishing kit also attempts to give an illusion of credibility by allowing the operator to personalize the phishing page in real time, supplying the last two digits of the victim's real phone number and selecting whether the victim should be asked for a six- or seven-digit token.

The threat actor then captures the one-time password (OTP) entered by the user and uses it to log in to the targeted online service. In the next step, the victim can be directed to any page the attacker chooses, including the legitimate Okta login page or a page that displays customized messages.
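As an added illustration (not code from Lookout, nor from the kit the report describes), the following Python model shows why the real-time relay described above works against a time-based OTP but fails against an origin-bound credential. The service, the origins and the secrets are constructed for the example, and the origin-bound check is a simplified stand-in for WebAuthn's origin verification rather than a FIDO2 implementation.

```python
"""Relayed OTP versus origin-bound assertion (added example, constructed data)."""
import hashlib
import hmac
import struct

# Constructed origins for the example; neither is a real site.
LEGIT_ORIGIN = "https://login.example-exchange.test"
PHISH_ORIGIN = "https://login.example-exchange-support.test"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpService:
    """Service protected by password + TOTP. The code says nothing about
    where it was typed, so a code captured on a look-alike page is accepted
    as long as it is forwarded inside the current time step."""

    def __init__(self, password: str, secret: bytes):
        self.password, self.secret = password, secret

    def login(self, password: str, code: str, now: int) -> bool:
        return (hmac.compare_digest(password, self.password)
                and hmac.compare_digest(code, totp(self.secret, now)))


class OriginBoundService:
    """Service that issues a one-time challenge and verifies an assertion
    covering both the challenge and the origin the browser reported
    (simplified stand-in for WebAuthn's clientDataJSON.origin check).
    A symmetric key stands in for the registered public key."""

    def __init__(self, key: bytes):
        self.key = key
        self.issued = set()

    def challenge(self, nonce: bytes) -> bytes:
        self.issued.add(nonce)
        return nonce

    def verify(self, nonce: bytes, origin: str, sig: bytes) -> bool:
        if nonce not in self.issued:
            return False          # unknown or already used challenge
        self.issued.discard(nonce)
        if origin != LEGIT_ORIGIN:
            return False          # browser reported a different site
        expected = hmac.new(self.key, nonce + origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)


def authenticator_sign(key: bytes, nonce: bytes, origin: str) -> bytes:
    """The browser, not the user, supplies the origin that gets signed, so a
    victim on a look-alike page produces an assertion for the wrong origin."""
    return hmac.new(key, nonce + origin.encode(), hashlib.sha256).digest()


def demo() -> dict:
    """Run both flows and return the verification outcomes."""
    secret = b"constructed-totp-seed"
    svc = OtpService("hunter2", secret)
    t0 = 1_700_000_000
    code = totp(secret, t0)                    # what the victim types into the fake page
    otp_relayed_in_window = svc.login("hunter2", code, t0 + 5)    # forwarded 5 s later
    otp_relayed_after_window = svc.login("hunter2", code, t0 + 60)  # forwarded too late

    key = b"constructed-authenticator-key"
    ob = OriginBoundService(key)
    nonce = ob.challenge(b"\x01\x02\x03\x04")
    # Victim is on PHISH_ORIGIN, so the assertion covers that origin. Even if
    # the relay claims LEGIT_ORIGIN when forwarding, the signature does not match.
    phished_sig = authenticator_sign(key, nonce, PHISH_ORIGIN)
    bound_relayed = ob.verify(nonce, LEGIT_ORIGIN, phished_sig)

    nonce2 = ob.challenge(b"\x05\x06\x07\x08")
    genuine_sig = authenticator_sign(key, nonce2, LEGIT_ORIGIN)
    bound_genuine = ob.verify(nonce2, LEGIT_ORIGIN, genuine_sig)

    return {
        "otp_relayed_in_window": otp_relayed_in_window,      # True
        "otp_relayed_after_window": otp_relayed_after_window,  # False
        "bound_relayed": bound_relayed,                      # False
        "bound_genuine": bound_genuine,                      # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The first flow is the one the report describes: the victim's code is valid for the whole time step regardless of which page collected it, which is what makes a real-time relay worthwhile. In the second flow the browser binds the origin into what is signed, so a credential produced on a look-alike domain does not verify at the real one; the `totp` function is checked below against the RFC 4226/6238 test vector.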

Lookout said the campaign shares similarities with that of Scattered Spider, specifically in its impersonation of Okta and its use of domains that have previously been identified as affiliated with the group.

"Although the spoofed URLs and pages look similar to what Scattered Spider might create, there are significantly different C2 capabilities and infrastructure within the phishing kit," the company said. "This type of imitation is common among threat actor groups, especially when a series of tactics and procedures have had such public success."

It is also currently unclear whether this is the work of a single threat actor or a common tool used by different groups.

"The combination of high-quality phishing URLs, login pages that perfectly match the look and feel of legitimate sites, a sense of urgency, and a consistent connection via SMS and voice calls is what has given the threat actors such success at stealing high-quality data," Lookout noted.


The development comes as Fortra revealed that financial institutions in Canada have been targeted by a new phishing-as-a-service (PhaaS) group called LabHost, which overtook its rival Frappo in popularity in 2023.

LabHost phishing attacks are carried out using a real-time campaign management tool called LabRat that allows an adversary to orchestrate an adversary-in-the-middle (AiTM) attack and capture credentials and 2FA codes.

The threat actor also developed an SMS spam tool called LabSend that provides an automated method of sending links to LabHost phishing pages, allowing its clients to mount smishing campaigns at scale.

"LabHost services enable threat actors to target a variety of financial institutions with features ranging from out-of-the-box templates, real-time campaign management tools, and SMS honeypots," the company said.
