Mobile-Driven Phishing Spoofs FCC, Cryptocurrency Giants
Researchers Say Hackers Used Fake Login Pages to Trick 100 Victims, Crypto Workers

A new phishing campaign is targeting victims through mobile devices by mirroring legitimate login pages for the Federal Communications Commission and large cryptocurrency platforms including Binance and Coinbase. At least 100 victims, including crypto company employees, have fallen for the scam.
Cybersecurity firm Lookout said the phishing campaign, dubbed CryptoChameleon, uses legitimate-looking SSO login pages and begins with phishing by email, SMS or voice calls to trick victims into sharing sensitive information, including usernames, passwords, password reset URLs and photo IDs. Hackers are mainly targeting U.S.-based users.
Lookout flagged the phishing kit's activity after discovering a suspicious domain, fcc-okta.com, that resembles the legitimate FCC Okta SSO page.
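A defender-side check for the brand-plus-SSO naming pattern seen in fcc-okta.com, as an added example that is not from Lookout or the original article: it scans constructed DNS log lines for names that pair a watched brand with an SSO keyword outside an allowlist. The allowlist entries, the log format and the function names are assumptions made for this example.

```python
import re

# Brand and SSO tokens come from the article; the allowlist of legitimate
# parent domains is an assumption made for this example.
BRANDS = {"fcc", "binance", "coinbase"}
SSO_TOKENS = {"okta", "sso", "login"}
ALLOWED_PARENTS = ("fcc.gov", "okta.com", "binance.com", "coinbase.com")

# Constructed DNS query log lines: timestamp, client IP, queried name.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 fcc-okta.com
2024-03-01T10:00:02Z 10.0.0.5 www.fcc.gov
2024-03-01T10:00:03Z 10.0.0.7 login.coinbase.com
2024-03-01T10:00:04Z 10.0.0.7 coinbase.com.sso-check.example
2024-03-01T10:00:05Z 10.0.0.9 news.example
2024-03-01T10:00:06Z 10.0.0.9 Binance-Login.example.
"""

def is_allowed(host):
    # Anchor on the domain suffix; a substring test would wrongly allow
    # names such as coinbase.com.sso-check.example.
    return any(host == p or host.endswith("." + p) for p in ALLOWED_PARENTS)

def lookalike_reason(host):
    host = host.lower().rstrip(".")  # normalise case and trailing root dot
    if is_allowed(host):
        return None
    parts = set(re.split(r"[.\-_]", host))
    brands, sso = parts & BRANDS, parts & SSO_TOKENS
    if brands and sso:
        return "brand+sso:" + ",".join(sorted(brands | sso))
    return None

def scan(log_text):
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        _ts, client, name = fields
        reason = lookalike_reason(name)
        if reason:
            hits.append((client, name.lower().rstrip("."), reason))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Token matching only catches names where the brand and SSO keyword are separated by a dot, hyphen or underscore; run-together or misspelled names need a fuzzier comparison.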
CryptoChameleon incorporates an administrative console that allows operators to monitor and customize phishing pages in real time. The operator can redirect victims based on the information provided, enhancing the illusion of legitimacy during the attack.
The attack primarily focuses on mobile users, and the phishing kit showcases a high level of customization. The operator can also tailor the phishing page to provide specific details, such as the last digits of the victim's phone number, to create a more convincing scenario.
The phishing websites rely on multiple hosting networks, including Hostwinds, Hostinger, RetnNet in Russia and QWARTA LLC hosting services. The attackers continually shift hosting networks - an action likely to prolong the lifespan of their malicious sites.
Researchers said the victims reported a combination of phone calls and text messages being used to manipulate them into completing the phishing process. The threat actor adopts a convincing persona and often claims that the victim's account has been compromised, leveraging both voice calls and SMS to build trust.
While the attack shares similarities with the Scattered Spider group, differences in capabilities and command-and-control infrastructure suggest that CryptoChameleon is likely a distinct threat actor or group, possibly inspired by previous successful tactics.
The full extent of CryptoChameleon's impact remains unclear, as researchers continue to analyze back-end logs and investigate potential connections between different phishing sites.