Security Researchers at Lookout Warn of “CryptoChameleon” Phishing Campaign.

Security researchers at Lookout have recently reported a widespread phishing campaign targeting the FCC (Federal Communications Commission) and renowned crypto organizations.
In the detailed report, published on February 29th, 2024, the researchers disclosed that the TTPs (Tactics, Techniques, and Procedures) of this phishing campaign appear to be similar to an attack previously linked to the Scattered Spider threat group.

The threat actors are said to have created sophisticated single-sign-on pages of various organizations. Image-source: Fixitgearware

ON HOW THE CAMPAIGN WAS CONDUCTED: 

The phishing campaign, dubbed “CryptoChameleon”, is said to be conducted by this threat group by creating malicious single-sign-on pages that mimic prominent organizations, FCC Okta included. In order to appear legitimate and sound convincing to unsuspecting targets, the phishing campaign is then propagated via email messages, SMS, and vishing (voice phishing). The content of these messages and emails tricks unsuspecting victims into releasing sensitive information such as usernames, passwords, photo IDs, and options to reset their passwords.

Lookout researchers discovered that the major targets of this campaign were US citizens, with the threat actor’s cloned phishing pages mimicking organizations such as the FCC, Binance, Coinbase, Gemini, Kraken, Shakepay, Caleb & Brown, and Trezor.

Further discovery also reveals that the threat actors have successfully created single sign-on pages for other organizations such as AOL, Gmail, iCloud (Apple), Outlook, X (formerly Twitter), and Yahoo. There is no doubt that this is real, as recently one of our team members at Fixitgearware Security also discovered these pages while legitimately signing in, and instead of a password prompt field, a page prompting for a verification code was displayed, a sign that something phishy is going on.

CONNECTING THE DOTS OF THE PHISHING CAMPAIGN:

Connecting the dots from the Lookout researchers' findings, there is no doubt that these threat actors use methods similar to those known from various email phishing messages. Breaking the report down into a few points, the threat group is found to have done the following:

  • Registered a new domain, which CISA has recently advised to be wary of.
  • Employed a “typo-squatting” mechanism in which the domain differs by a single character from that of the FCC: fcc-okta[.]com
  • Implemented a CAPTCHA to legitimize the form: the user is prompted to solve a captcha puzzle to prove they are human (an actual target). This also serves as a form of sophistication that prevents automated malware-detection tools from noticing the malicious website.
  • Presented victims/users with the falsified “FCC-Okta” page form immediately after they solved the captcha.
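
The typo-squatting step above can be hunted for in DNS or proxy logs by flagging queried names within one character edit of a known sign-in host. The following Python sketch is an added example, not code from Lookout's report; the allowlist entries and the log lines are constructed assumptions.

```python
# Assumed allowlist of real sign-in hosts (an assumption of this example, not from the report).
LEGIT_HOSTS = ("fcc.okta.com", "sso.corp.example")

# Constructed DNS query log: timestamp, client IP, queried name (lookalikes kept defanged).
SAMPLE_LOG = """\
2024-03-01T09:14:02Z 10.0.4.17 fcc.okta.com
2024-03-01T09:14:40Z 10.0.4.22 fcc-okta[.]com
2024-03-01T09:15:03Z 10.0.4.22 www.example.org
2024-03-01T09:16:11Z 10.0.4.31 SSO.corp.example.
2024-03-01T09:17:45Z 10.0.4.35 sso-corp[.]example
"""

def normalize(host):
    """Undo defanging, lowercase, and drop the trailing root dot."""
    return host.replace("[.]", ".").lower().rstrip(".")

def edit_distance(a, b):
    """Levenshtein distance, keeping only one row of the table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def match_lookalike(host, max_distance=1):
    """Return the legitimate host this name imitates, or None."""
    host = normalize(host)
    if host in LEGIT_HOSTS:
        return None  # exact match is the real site
    for legit in LEGIT_HOSTS:
        if edit_distance(host, legit) <= max_distance:
            return legit
    return None

def find_lookalikes(log_text):
    """Return (client, queried_name, imitated_host) for suspicious queries."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, name = parts
        legit = match_lookalike(name)
        if legit:
            hits.append((client, normalize(name), legit))
    return hits

if __name__ == "__main__":
    for client, name, legit in find_lookalikes(SAMPLE_LOG):
        print(f"{client} queried {name.replace('.', '[.]')} (imitates {legit})")
```

A distance threshold of 1 matches the single-character difference described above; raising it widens coverage at the cost of more false positives on short hostnames.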

SOPHISTICATION OF THE PHISHING KIT:

In comparison to various phishing kits out there, this kit, used by the threat actors, shows a level of sophistication in its awareness of modern security controls (e.g. the MFA mechanism). Furthermore, the researchers discovered that the threat actor has a form of administrative console which they use to monitor the various phishing pages.

INFORMATION ABOUT THE THREAT GROUP:

While the threat group responsible for this phishing campaign is yet to be identified, the research team at Lookout has gone ahead and published a list of IoCs and protections against such phishing campaigns. To read more about the sophistication and propagation of these phishing links, kindly visit Lookout.

Remember to always stay safe, and be vigilant 🛡️!

 

 
