CryptoChameleon: New Phishing Tactics Exhibited in FCC-Targeted Attack

Lookout recently discovered an advanced phishing kit exhibiting novel tactics to target cryptocurrency platforms as well as the Federal Communications Commission (FCC) via mobile devices. Following the tactics of groups like Scattered Spider, this kit enables attackers to build carbon copies of single sign-on (SSO) pages, then use a combination of email, SMS, and voice phishing to trick targets into sharing usernames, passwords, password reset URLs and even photo IDs. Hundreds of victims, mostly in the United States, have been affected.
Lookout first flagged this phishing kit when our automated analysis discovered a suspicious new domain registration that matched a common format used by Scattered Spider, as mentioned in a recent warning by CISA. The domain in question was fcc-okta[.]com, which is only a single character different from the legitimate FCC Okta Single Sign On (SSO) page.

This phishing kit first asks the victim to complete a captcha using hCaptcha. This is a novel tactic that prevents automated analysis tools from crawling and identifying the phishing site. It may also give the illusion of credibility to the victim, as typically only legitimate sites use captchas. Once the captcha is completed, the login page mimics the FCC's legitimate Okta page. Once the victim provides their credentials, the operator can send them to a waiting page, sign them in, or ask them for their MFA token.
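As an added example (not Lookout's own detection tooling), the following Python check is the kind of lookalike test that would flag the fcc-okta[.]com registration: it defangs the indicator, measures edit distance against protected SSO hostnames, and looks for a brand name combined with an SSO vendor keyword in the registrable label. The legitimate hostname fcc.okta.com is a placeholder assumption, since the post does not name the FCC's real Okta page.

```python
# Added example, not from the Lookout post: flag newly registered domains that
# sit one edit away from a protected SSO hostname, or that pair a protected
# brand with an SSO vendor keyword, as fcc-okta[.]com did.

# Assumed placeholder for the legitimate tenant hostname (not given in the post).
PROTECTED_HOSTS = ["fcc.okta.com"]
BRANDS = ["fcc"]
SSO_VENDORS = ["okta", "sso"]


def defang_to_domain(indicator: str) -> str:
    """Turn a defanged indicator such as 'fcc-okta[.]com' back into a hostname."""
    host = indicator.strip().lower().replace("[.]", ".")
    for prefix in ("hxxps://", "hxxp://", "https://", "http://"):
        if host.startswith(prefix):
            host = host[len(prefix):]
    return host.split("/")[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(candidate: str) -> list[str]:
    """Return why a domain looks like an SSO impersonation; empty list means clean."""
    host = defang_to_domain(candidate)
    if host in PROTECTED_HOSTS:
        return []  # the real thing, not a lookalike
    reasons = []
    for legit in PROTECTED_HOSTS:
        if edit_distance(host, legit) <= 1:
            reasons.append(f"one edit away from {legit}")
    labels = host.split(".")
    registrable = labels[-2] if len(labels) >= 2 else host
    if any(b in registrable for b in BRANDS) and any(v in registrable for v in SSO_VENDORS):
        reasons.append("brand name combined with SSO vendor keyword in registrable label")
    return reasons


if __name__ == "__main__":
    for d in ["fcc-okta[.]com", "fcc.okta.com", "example.com"]:
        print(d, "->", lookalike_reasons(d) or "clean")
```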
Unlike typical phishing kits, which attempt to harvest credentials as quickly as possible, this one seems to be aware of modern security controls organizations have put in place such as MFA.
Lookout researchers saw that there is an administrative console that the operator uses to monitor the phishing page. While we were unable to directly access this console, we were able to access its JavaScript and CSS and piece together much of its functionality. Each time a victim visited the page and entered information, we observed that a new row was added to a table. Once the victim enters their username and password, the admin is able to select from a long list of pages to send them to next. The attacker likely attempts to log in using these credentials in real time, then redirects the victim to the appropriate page depending on what additional information is requested by the MFA service the attacker is trying to access. For example, the victim can be redirected to a page that asks for the MFA token from their authenticator app, or to a page requesting an SMS-based token.
We were also able to investigate the phishing kit itself, which gave us additional insight into the targets and tactics used. The kit contains numerous references to cryptocurrency platforms and SSO services. While the version of the kit targeted at the FCC impersonates the FCC's specific Okta page by default, the kit is able to impersonate many different companies' brands.
Lookout 02/29/2024