Jump to content

FCC and crypto firms are being hit in advanced phishing attacks using fake Okta logins

Recommended Posts


Security researchers have observed a highly sophisticated phishing campaign targeting employees of the US Federal Communications Commission (FCC), as well as popular crypto exchanges Binance, Coinbase, Kraken, and Gemini.

The as-yet-unidentified threat actor is going after people’s login credentials for Okta, researchers from Lookout found.

First, they would create landing pages for logging into places like the FCC portal, or Binance. These landing pages would be seemingly identical to the authentic ones, and are hosted mostly on RetnNet (a Russian web hosting service which might be more tolerant to cybercrime than its Western peers).

More than 100 victims

To build out these pages, they would use a previously unknown phishing kit named CryptoChameleon. Besides the creation of landing pages, this kit also helps with calls, emails, and SMS messages that serve as the initial point of communication with the target. For example, the attackers would use it to “notify” the victim that Binance “spotted” a suspicious login, and to share a link to “secure” the account. The link would then lead the victim to the phishing site, where all of the necessary login credentials are harvested.

The attackers can also use the kit to relay multi-factor authentication (MFA) codes, and other one-time passcodes, to complete the login process. Once it’s done, the victim would either be redirected to the authentic login page, or to a secondary fraudulent page claiming the account is “under review”. This is done to buy more time for the attackers. 

"The sites seem to have successfully phished more than 100 victims, based on the logs observed," the researchers said. "Many of the sites are still active and continue to phish for more credentials each hour."

While the researchers couldn’t confirm the identities of the attackers, they said that the campaign greatly resembles the 2022 Oktapus campaign, which was conducted by Scattered Spider. The group is not known to be state-sponsored.

Via BleepingComputer

More from TechRadar Pro

View the full article

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...