
SSO Phishing Attack Scams Users into Divulging Login Information


In the world of cybersecurity, the threat of phishing scams looms large as threat actors continue to employ deceptive tactics to steal valuable information from unsuspecting individuals. Phishing is a form of social engineering that preys on human trust and confidence, making it a cost-effective method for cybercriminals seeking unauthorized access and identity theft.

Recently, cybersecurity researchers at Lookout uncovered a new and sophisticated phishing attack that targets users by tricking them into sharing their login credentials through a Single Sign-On (SSO) based scam. This type of attack is particularly alarming as it leverages legitimate authentication processes to deceive victims into divulging sensitive information.

The phishing kit discovered by Lookout is specifically designed to target users in the United States, focusing on popular platforms and organizations such as the Federal Communications Commission (FCC), Binance, Coinbase, Gemini, Kraken, ShakePay, Caleb & Brown, Trezor, AOL, Gmail, iCloud, Okta, Outlook, Twitter, and Yahoo. By impersonating these reputable entities, cybercriminals are able to lure victims into providing their login details unknowingly.

The fraudulent domain identified by Lookout, “fcc-okta[.]com,” closely mimics the FCC’s genuine SSO page, complete with a CAPTCHA mechanism to evade detection and enhance credibility. Unlike traditional phishing kits that rush victims into handing over their credentials, this kit deliberately delays victims and is built with awareness of modern security measures such as Multi-Factor Authentication (MFA).
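The naming pattern of that domain, a targeted brand joined to an SSO term on a registrable domain the brand does not own, can be hunted for in proxy or DNS logs. The following is an added detection sketch, not code from Lookout or the original article; the token lists, the allowlist, and the three-field log format are assumptions, and the log lines are constructed.

```python
import re

# Assumption: brand tokens taken from the organisations named in the article.
BRAND_TOKENS = {"fcc", "binance", "coinbase", "gemini", "kraken"}
# Assumption: labels that commonly signal a sign-in page.
SSO_TOKENS = {"okta", "sso", "login"}
# Assumption: registrable domains this organisation treats as legitimate.
ALLOWED_DOMAINS = {"fcc.gov", "okta.com", "coinbase.com", "binance.com"}

# Constructed proxy log lines (timestamp, client IP, requested host).
SAMPLE_LOG = """\
2024-03-01T10:02:11Z 10.0.4.17 fcc.okta.com
2024-03-01T10:02:40Z 10.0.4.22 fcc-okta.com
2024-03-01T10:03:05Z 10.0.4.22 login.coinbase.com
2024-03-01T10:03:09Z 10.0.4.31 coinbase-sso.example.net
2024-03-01T10:04:52Z 10.0.4.31 www.example.org
"""

def refang(host):
    """Turn a defanged indicator such as 'fcc-okta[.]com' into a hostname."""
    return host.replace("[.]", ".").strip().lower().rstrip(".")

def registrable(host):
    # Simplification: last two labels. Use a Public Suffix List in production.
    return ".".join(host.split(".")[-2:])

def is_lookalike(host):
    """True when a host pairs a brand token with an SSO token off-allowlist."""
    host = refang(host)
    if registrable(host) in ALLOWED_DOMAINS:
        return False
    tokens = set(re.split(r"[.\-_]", host))
    return bool(tokens & BRAND_TOKENS) and bool(tokens & SSO_TOKENS)

def scan(log_text):
    """Return (client, host) pairs for requests to look-alike SSO hosts."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, host = parts
        if is_lookalike(host):
            hits.append((client, refang(host)))
    return hits

if __name__ == "__main__":
    for client, host in scan(SAMPLE_LOG):
        print(f"ALERT {client} requested look-alike SSO host {host}")
```

A hit identifies which internal client reached the page, which is the starting point for credential resets and session revocation for that user.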

Through automated analysis, Lookout uncovered an admin console monitoring the phishing page, providing insight into the threat actor’s operations. Each victim entry generates a new row in the system, allowing the cybercriminal to choose where to redirect victims after they have provided their login details. Additionally, the phishing kit includes functionalities to customize redirects based on the type of MFA request, whether it be through an authenticator app or SMS.

The investigation into the phishing kit revealed a clear focus on cryptocurrency and SSO platforms, with a particular emphasis on mimicking the FCC Okta page and other prominent brands. Lookout identified sites utilizing the phishing kit under the C2 domain official-server[.]com. Notable targets include employees from Binance and Coinbase, with Coinbase being the most frequently targeted.

Furthermore, new domains linked to original-backend[.]com have been observed since February 21, indicating an ongoing operation by the threat actor. The phishing kit files collected by Lookout include the C2 URL, data collection logic, and style sheets used to create convincing replica pages of legitimate websites like Coinbase.

Despite efforts to combat the scam, over 100 victims have already fallen prey to the phishing attack, with active sites continuing to collect data. Victims have described the threat actor as “American” and highly skilled, highlighting the sophistication of the operation. The attack primarily targets mobile devices, particularly iOS and Android devices in the United States.

To protect against malware threats delivered via phishing kits, organizations can leverage solutions like Perimeter81’s malware protection to safeguard networks from Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. These malicious entities pose a significant threat to network security and can cause severe damage if left unchecked.

In conclusion, the discovery of this new SSO-based phishing attack underscores the ongoing challenges posed by cybercriminals in exploiting human vulnerabilities for financial gain. It serves as a stark reminder for individuals and organizations alike to exercise caution and vigilance when sharing sensitive information online to mitigate the risk of falling victim to such sophisticated scams.
