Phishing Kit Targets Cryptocurrency Services
In a recent report, Lookout uncovered a sophisticated phishing kit designed to target mobile users by impersonating login pages of prominent cryptocurrency services.
The kit employs a combination of email, SMS, and voice phishing techniques to deceive victims into divulging sensitive information, including usernames, passwords, and even photo IDs. Notable targets include employees of the FCC, as well as users of platforms like Binance, Coinbase, and Gemini. More than 100 victims have been successfully phished so far.
The phishing pages are cleverly designed to display fake login screens only after the victim completes a CAPTCHA test using hCaptcha, thwarting automated analysis tools. Some pages are distributed via unsolicited phone calls and text messages, masquerading as customer support representatives addressing security concerns after a purported hack.
Upon entering credentials, victims are prompted for two-factor authentication (2FA) codes or are asked to “wait” under the guise of verification. The kit offers customization options, such as displaying the victim’s actual phone number digits and selecting the length of the token requested, enhancing the illusion of legitimacy.
Once victims input their one-time passwords (OTPs), threat actors capture the information to access the targeted online service. The phishing kit allows redirection to various pages, including legitimate login pages or customized messages, adding to its deceptive nature.
Lookout identified similarities between this campaign and that of Scattered Spider, particularly in impersonating Okta and using previously identified domains. However, differences in capabilities and infrastructure suggest distinct operations.
Meanwhile, in Canada, a new phishing-as-service (PhaaS) group called LabHost has emerged, surpassing its competitor Frappo in popularity. LabHost employs a real-time campaign management tool, LabRat, to execute adversary-in-the-middle (AiTM) attacks and capture credentials and 2FA codes. Additionally, LabSend, an SMS spamming tool, facilitates mass distribution of phishing links for smishing campaigns.
LabHost services offer features like ready-to-use templates, real-time campaign management, and SMS lures, enabling threat actors to target a variety of financial institutions effectively.
The success of these campaigns lies in the combination of high-quality phishing URLs, convincing login pages, a sense of urgency, and consistent communication via SMS and voice calls. It remains unclear whether these activities stem from a single threat actor or multiple groups utilizing a common tool.
