FCC and crypto firms are being hit in advanced phishing attacks using fake Okta logins

A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
(Image credit: weerapatkiatdumrong / Getty Images)

Security researchers have observed a highly sophisticated phishing campaign targeting employees of the US Federal Communications Commission (FCC), as well as popular crypto exchanges Binance, Coinbase, Kraken, and Gemini.

The as-yet-unidentified threat actor is going after people’s login credentials for Okta, researchers from Lookout found.

First, they would create landing pages for logging into places like the FCC portal, or Binance. These landing pages would be seemingly identical to the authentic ones, and are hosted mostly on RetnNet (a Russian web hosting service which might be more tolerant to cybercrime than its Western peers).

More than 100 victims

To build out these pages, they would use a previously unknown phishing kit named CryptoChameleon. Besides the creation of landing pages, this kit also helps with calls, emails, and SMS messages that serve as the initial point of communication with the target. For example, the attackers would use it to “notify” the victim that Binance “spotted” a suspicious login, and to share a link to “secure” the account. The link would then lead the victim to the phishing site, where all of the necessary login credentials are harvested.

The attackers can also use the kit to relay multi-factor authentication (MFA) codes, and other one-time passcodes, to complete the login process. Once it’s done, the victim would either be redirected to the authentic login page, or to a secondary fraudulent page claiming the account is “under review”. This is done to buy more time for the attackers. 

"The sites seem to have successfully phished more than 100 victims, based on the logs observed," the researchers said. "Many of the sites are still active and continue to phish for more credentials each hour."

While the researchers couldn’t confirm the identities of the attackers, they said that the campaign greatly resembles the 2022 Oktapus campaign, which was conducted by Scattered Spider. The group is not known to be state-sponsored.

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.