A phishing campaign dubbed "CryptoChameleon" that started targeting cryptocurrency customers has evolved to focusing on employees at Binance, Coinbase and the Federal Communications Commission (FCC).
In a Feb. 29 blog post, Lookout researchers said these employees are targeted and phished via fake single sign-on (SSO) pages that mimic the real Okta SSO pages at the targeted organizations so that when the victims fall for the lure, the attackers can then steal login credentials, as well as personal and enterprise data.
“Our research highlights the trend of financially motivated threat actors shifting from consumer targeting to breaching enterprise and government organizations because they believe there’s bigger financial gain from these targets,” said David Richardson, vice president of endpoint and threat intelligence at Lookout.
Richardson said this presents clearly a broader kill chain story replicating successful techniques used by groups such as Scattered Spider, best known for last fall’s cyberattacks on Caesars Entertainment and MGM Resorts International. Ever since Lookout discovered the phishing kit, Richardson said his team has seen evidence that hundreds of victims have been affected by the attack — and we may yet see a broader impact.
“These are the same same type of TTPs that we’ve seen with Scattered Spider, and they been very successful,” said Richardson. “They use phishing kits that are inexpensive and can conduct the same types of attacks.”
Richardson added that they use social engineering to lure victims where the threat actor watches the attack as it occurs. Typically, they will have contact information they got from the dark web or an old breach and then send and SMS message to the victim that there’s something wrong with their account with no link.
“Once the victim responds, the threat actor sends a link and once the user clicks and signs on to the phone call, that’s where they can start phishing credentials,” said Richardson. “What separates these threat actors is they have native English speakers with very professional call centers skills.”
T. Frank Downs, senior director, proactive services at BlueVoyant, said these most recent attacks reiterate that effective hacks never die, they simply evolve. Similar to attack vectors seen over the last five to 10 years, these attacks depend upon active engagement by the individual with the attacker to succeed. Specifically, Downs said the attackers rely upon the victims to respond to unsolicited, non-verified, initial outreaches from the attacker to gain initial entrapment.
“However, the attack will not succeed if the potential victim does not take the bait and engage the attacker,” noted Downs. “Practices to avoid falling victim to these types of attacks include remembering foundational cybersecurity principles. Specifically, never respond to unsolicited outreaches without first confirming the solicitation through alternative mechanisms. Furthermore, any single-sign-on requests which were not prompted by the specific user should be reported to the appropriate corporate security teams."
John Gallagher, vice president of Viakoo Labs, added that as cryptocurrencies increase in value, so will threat actors' efforts in breaching accounts. What’s novel about CryptoChameleon is the detailed focus on what steps a victim will take, and using manual (human) operators to assist in fooling the victim, said Gallagher.
Gallagher said he also wondered what motivation the threat actor had in going after FCC employees.
“It's potentially a form of advertising by the threat actor they can be hired to help breach federal agencies, and suggests that while this could be brushed off as just related to crypto, it may be the tip of an iceberg aimed at breaching organizations and not just financial accounts,” said Gallagher.
