Lookout Discovers Advanced Phishing Kit Targeting U.S. Federal Agency and Cryptocurrency Exchange Organizations

Threat Actor Emulates Scattered Spider Group and Takes Unique Approach to Collect Login Credentials

BOSTON--()--Lookout, Inc., the data-centric cloud security company, today announced the discovery of an advanced phishing kit, CryptoChameleon, which exhibits tactics that target cryptocurrency platforms as well as the Federal Communications Commission (FCC) via mobile devices. The intended targets, mostly users of cryptocurrency and single sign-on (SSO) services in the United States, also include Binance and Coinbase employees. Leveraging the CryptoChameleon phishing kit, bad actors utilize text messages and voice calls where they personally reach out to the victim to build a sense of trust while encouraging them to follow the steps of the attack. This has resulted in a high success rate, leading to the collection of quality data, including usernames, passwords, password reset URLs and even photo IDs. Lookout customers who have Phishing Content Protection (PCP) were protected against CryptoChameleon.

This new phishing kit emulates techniques that have been used by the Scattered Spider cybercriminal group. Operators behind the kit have successfully duplicated pages for solutions like Okta, Outlook and Google, which means it could be used to target any organization that uses these solutions as their SSO provider. Based on conversations that the Lookout security research team had with several victims, CryptoChameleon uses phone numbers and websites that appear legitimate and reflect a real company’s support team. While CryptoChameleon follows similar tactics, there are enough differences to indicate that this is likely not Scattered Spider operating the kit and could be a different criminal group or several individual actors.

This style of attack is one that Lookout has been observing and analyzing closely as it continues to increase in frequency and become more prevalent. With more corporate data residing in the cloud and a change in how users interact with that data, an increasing number of bad actors are now leveraging social engineering, targeting a user’s mobile phone to steal credentials that provide legitimate and immediate access to critical corporate data as part of the modern cyber kill chain. Lookout data shows that every quarter, between 23% and 26% of mobile users tapped on at least one phishing link in 2023. And the discovery of CryptoChameleon represents another significant shift in the continued evolution of this kill chain.

“We’re seeing a trend of financially motivated threat actors – who typically target cryptocurrency and direct financial fraud – move into breaching enterprise and government organizations for ransom,” said David Richardson, Vice President of Endpoint and Threat Intelligence, Lookout. “We urge cryptocurrency and single-sign-on users and organizations to take steps to protect their devices, work and personal data.”

CryptoChameleon highlights:

  • The phishing kit first asks the victim to complete a captcha using hCaptcha. This is a tactic that prevents automated analysis tools from crawling and identifying the phishing site.
  • Unlike typical phishing kits, which attempt to harvest credentials as quickly as possible, CryptoChameleon is aware of modern security controls organizations have put in place such as multi-factor authentication and allows bad actors to respond accordingly.
  • While the version of CryptoChameleon targeted at the FCC impersonates the FCC’s specific Okta page by default, the kit can impersonate many different companies’ brands and authentication processes.
  • Lookout also found Okta impersonation pages that target employees of Binance and Coinbase, but the majority of the sites seemed to target users of cryptocurrency and SSO services.
  • Based on the phishing site characteristics, Lookout researchers have identified over 250 phishing sites using this kit with more being found every day.
  • Since initially discovering the phishing kit, Lookout has seen evidence that hundreds of victims have been impacted by the attack.

Lookout Mobile Endpoint Security customers have been protected against these phishing sites since before the February 2024 discovery, based on insights from parallels and similar infrastructure of previous attacks. Lookout will continue to track the general behaviors and techniques used by this and other criminal groups to ensure protection against additional sites that use this kit and will continue to update protections for customers through automated means as necessary.

Additional Resources:

About Lookout

Lookout, Inc. is the data-centric cloud security company that uses a defense-in-depth strategy to address the different stages of a modern cybersecurity attack. Data is at the core of every organization, and our approach to cybersecurity is designed to protect that data within today’s evolving threat landscape no matter where or how it moves. People — and human behavior — are central to the challenge of protecting data, which is why organizations need total visibility into threats in real time. The Lookout Cloud Security Platform is purpose-built to stop modern breaches as swiftly as they unfold, from the first phishing text to the final cloud data extraction. We are trusted by enterprises and government agencies of all sizes to protect the sensitive data they care about most, enabling them to work and connect freely and securely. To learn more, visit www.lookout.com and follow Lookout on our blog, LinkedIn and X.

© 2024 Lookout, Inc. LOOKOUT®, the Lookout Shield Design®, LOOKOUT with Shield Design® and the Lookout multi-color/multi-shaded Wingspan Design® are registered trademarks of Lookout, Inc. in the United States and other countries. DAY OF SHECURITY®, LOOKOUT MOBILE SECURITY®, and POWERED BY LOOKOUT® are registered trademarks of Lookout, Inc. in the United States. Lookout, Inc. maintains common law trademark rights in EVERYTHING IS OK, PROTECTED BY LOOKOUT, CIPHERCLOUD, and the 4 Bar Shield Design.

Contacts

Lookout PR: press@lookout.com

Contacts

Lookout PR: press@lookout.com