A newly discovered phishing kit targets mobile devices by impersonating the login pages of well-known cryptocurrency services.
“The kit allows attackers to create replicas of single sign-on (SSO) pages and then use email, SMS, and voice phishing to deceive victims into sharing usernames, passwords, password reset URLs, and even photo IDs from hundreds of victims, primarily in the United States,” according to Lookout.
So far, more than 100 people have fallen for the kit's lures, including employees of the US Federal Communications Commission (FCC) and customers of cryptocurrency platforms such as Binance, Coinbase, Gemini, Kraken, ShakePay, Caleb & Brown, and Trezor.
To evade automated crawlers and security scanners, the phishing pages only render the fake login screen after the visitor solves an hCaptcha challenge; a bot that never completes the CAPTCHA never sees the phishing content.
In some cases the pages are delivered through unsolicited phone calls and text messages from people posing as a company's customer support, who claim the victim's account must be secured because of a breach.
After the victim submits their credentials, the page either prompts for a two-factor authentication (2FA) code or tells them to "wait".
“The attacker likely tries to log in using these credentials in real-time, then redirects the victim based on the additional information requested by the MFA service the attacker is attempting to access,” according to Lookout.
To make the prompt look even more legitimate, the kit lets the operator customize the phishing page in real time: they enter the last two digits of the victim's phone number (the same hint the genuine MFA prompt shows) and choose whether to request a six- or seven-digit token.
By capturing the one-time password (OTP) the victim types in, the attacker can complete the login to the targeted service with a genuine, still-valid code. The victim is then redirected, at the operator's discretion, to a page showing customized messages or even to the real Okta login page.
Lookout noted parallels between this campaign and Scattered Spider, specifically the impersonation of Okta and the use of domains previously linked to that group.
Whether the campaign is the work of a single threat actor or of several groups sharing a common toolkit remains unclear.
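The flow described above is easier to reason about as a state machine, so here is a small simulation of it. This is an added example written for this page, not code from the kit, from Lookout, or from any vendor; the service, the phone number, the credentials and the timings are all constructed. It models a service that protects accounts with a password plus a single-use SMS code with a short lifetime, and a relay that logs in with the victim's credentials the moment they are submitted, mirrors the real MFA prompt (token length and phone-number hint) back to the victim, and replays the genuine code before it expires.

```python
"""Model of a real-time adversary-in-the-middle OTP relay (constructed example)."""
import hashlib
import hmac
import secrets


class TargetService:
    """Constructed stand-in for a legitimate login service: password, then a
    single-use SMS one-time code that expires after `otp_ttl` seconds."""

    def __init__(self, username, password, phone, otp_digits=6, otp_ttl=90):
        self.username = username
        self._pw_hash = hashlib.sha256(password.encode()).hexdigest()
        self.phone = phone
        self.otp_digits = otp_digits
        self.otp_ttl = otp_ttl
        self.sms_inbox = []   # codes "delivered" to the real phone
        self._pending = {}    # login_id -> (code, issued_at)
        self.sessions = set()

    def login(self, username, password, now):
        if username != self.username or \
                hashlib.sha256(password.encode()).hexdigest() != self._pw_hash:
            return {"status": "invalid"}
        code = str(secrets.randbelow(10 ** self.otp_digits)).zfill(self.otp_digits)
        login_id = secrets.token_hex(8)
        self._pending[login_id] = (code, now)
        self.sms_inbox.append(code)   # the SMS goes to the victim's real phone
        return {"status": "mfa_required", "login_id": login_id,
                "otp_digits": self.otp_digits, "phone_hint": self.phone[-2:]}

    def submit_otp(self, login_id, otp, now):
        entry = self._pending.pop(login_id, None)   # single use: consumed on first try
        if entry is None:
            return {"status": "invalid"}
        code, issued = entry
        if now - issued > self.otp_ttl or not hmac.compare_digest(code, otp):
            return {"status": "invalid"}
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return {"status": "ok", "session": token}


class PhishingRelay:
    """Model of the kit's server side: the victim talks to the fake page, the
    operator replays each submission to the real service and shows the victim
    whatever the service asks for next."""

    def __init__(self, service):
        self.service = service
        self.log = []          # what the victim is shown, step by step
        self._login_id = None

    def victim_submits_credentials(self, username, password, now):
        resp = self.service.login(username, password, now)   # attacker logs in live
        if resp["status"] != "mfa_required":
            # Assumed behaviour: stall the victim while the operator decides what to do.
            self.log.append("show: 'wait'")
            return None
        self._login_id = resp["login_id"]
        # Operator copies token length and phone hint from the genuine MFA prompt.
        page = f"Enter the {resp['otp_digits']}-digit code sent to ***-**{resp['phone_hint']}"
        self.log.append("show: " + page)
        return page

    def victim_submits_otp(self, otp, now):
        resp = self.service.submit_otp(self._login_id, otp, now)
        if resp["status"] == "ok":
            self.log.append("redirect: genuine login page")
            return resp["session"]
        self.log.append("show: 'wait'")
        return None


def run_relay(victim_delay_seconds, password="correct horse"):
    """Victim enters the real SMS code into the fake page after a delay.
    Returns (attacker_holds_valid_session, page_log)."""
    svc = TargetService("alice", "correct horse", "+1 555 0100 55", otp_digits=6, otp_ttl=90)
    kit = PhishingRelay(svc)
    t0 = 1_700_000_000
    if kit.victim_submits_credentials("alice", password, t0) is None:
        return False, kit.log
    code = svc.sms_inbox[-1]   # the victim reads the *genuine* SMS from the service
    session = kit.victim_submits_otp(code, t0 + victim_delay_seconds)
    return session is not None and session in svc.sessions, kit.log


if __name__ == "__main__":
    for delay in (20, 200):
        ok, log = run_relay(delay)
        print(f"victim responded after {delay}s -> attacker logged in: {ok}; {log}")
```

The point the simulation makes is that the code the victim types is real, single-use and short-lived, and none of that helps: the relay replays it within its lifetime, so the only things that break the chain in this model are the victim not submitting, the code expiring first, or an MFA factor whose response is bound to the site origin (WebAuthn/FIDO2 hardware keys), which a look-alike domain cannot replay.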
“The success of the threat actors in acquiring high-quality data is due to a combination of authentic-looking phishing URLs, login pages that closely resemble legitimate sites, a sense of urgency, and consistent communication via SMS and voice calls,” said Lookout.
Separately, Fortra reports that LabHost, a phishing-as-a-service (PhaaS) operation, is targeting Canadian financial institutions and is said to have overtaken Frappo in popularity during 2023.
LabRat, LabHost's real-time campaign management tool, supports adversary-in-the-middle (AiTM) attacks that harvest credentials and two-factor authentication (2FA) codes as the victim enters them.
To feed these smishing campaigns, the operators also built LabSend, an SMS spamming tool for mass-distributing links to LabHost phishing sites.
“LabHost services provide threat actors with features such as ready-to-use templates, real-time campaign management tools, and SMS lures to target various financial institutions,” said the company.