Hacking incidents are rampant across the globe, and this time the target is none other than the Federal Communications Commission (FCC). A new phishing kit named CryptoChameleon is being used to target FCC employees. The threat actors use CryptoChameleon to build single sign-on (SSO) login pages that closely mimic the FCC's Okta portal.
The same phishing kit is also being actively used against employees and users of cryptocurrency platforms, including Coinbase, Gemini, and Kraken. The phishing actors are likewise using CryptoChameleon to impersonate major services such as iCloud, Twitter, Gmail, and AOL.
Image sourced from techopedia.com
Although the investigation points towards the notorious Scattered Spider hacking group, there is not enough evidence to confirm that they are the masterminds behind this malicious campaign.
How Exactly Does The Attack Happen?
Here’s how the threat actors design the malicious attack at multiple stages:
- Initially, they register domains that closely resemble the legitimate ones. For example, they registered a domain called “fcc-okta(.)com,” which differs by just one character from the legitimate sign-on page's domain.
- Next, the threat actors run a multi-channel social engineering campaign that combines SMS messages, voice phishing, and emails. The phishing actors call, text, or email the victim while pretending to be someone from the customer care department. They then redirect the unsuspecting user to the phishing site under the pretext of helping them “recover” a lost account.
- They can also send out texts pretending to be warning signs for suspicious login alerts, as they did in the case of Coinbase.
- When a user reaches the malicious site, they are first asked to solve a CAPTCHA challenge. The CAPTCHA lends the page credibility and lowers the user's suspicion, and it also hinders automated scanners from reaching the phishing content.
- Once the CAPTCHA is solved, a fake page appears on the screen that looks exactly the same as the original page.
- CryptoChameleon lets the threat actors interact with the victim in real time. This allows the cybercriminals to go a step further and ask for sensitive details such as MFA codes while the victim is on the page. The phishing actors can also customize the fake pages so that users are prompted to share additional personal data, such as phone numbers.
- Finally, the user is redirected to a fake portal stating that the account in question is still under review. This buys the cybercriminals more time to do further damage before the victim realizes what has happened.
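A defender-side illustration of the first stage above, lookalike domain registration, is the check below. It is an added example and not part of the original article or of any vendor tooling: it scans constructed proxy log lines for hostnames that sit within a short edit distance of an organization's legitimate SSO hostnames (a hypothetical allowlist, here `fcc.okta.com` and `login.coinbase.com`) or that carry a brand token on an unrelated registrable domain.

```python
"""Flag lookalike and brand-impersonating SSO hostnames in proxy logs.

Added example (not from the article). LEGIT_SSO_HOSTS, BRAND_TOKENS and the
log lines are constructed assumptions for demonstration purposes.
"""
from urllib.parse import urlparse

# Assumed legitimate SSO hostnames an organization would allowlist.
LEGIT_SSO_HOSTS = {"fcc.okta.com", "login.coinbase.com"}
# Brand names that should not appear on domains outside the allowlist.
BRAND_TOKENS = ("okta", "coinbase", "kraken", "gemini", "icloud")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive eTLD+1 (assumption: multi-label public suffixes are not handled)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify_host(host: str) -> str:
    """Return 'allow', 'lookalike', 'brand-impersonation' or 'unknown'."""
    host = host.lower()
    if host in LEGIT_SSO_HOSTS:
        return "allow"
    # "fcc-okta.com" vs "fcc.okta.com" is a single substitution: distance 1.
    if any(levenshtein(host, legit) <= 2 for legit in LEGIT_SSO_HOSTS):
        return "lookalike"
    legit_reg = {registrable(h) for h in LEGIT_SSO_HOSTS}
    if any(t in host for t in BRAND_TOKENS) and registrable(host) not in legit_reg:
        return "brand-impersonation"
    return "unknown"


# Constructed sample proxy log: "<timestamp> <user> <url>" per line.
SAMPLE_LOG = """2024-02-29T10:01:02Z alice https://fcc.okta.com/login
2024-02-29T10:03:15Z bob https://fcc-okta.com/login
2024-02-29T10:05:40Z carol https://okta-verify-account.net/captcha
2024-02-29T10:07:11Z dave https://example.org/news
"""


def scan_log(text: str) -> list:
    """Return (user, host, verdict) for every non-allowlisted suspicious host."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, user, url = line.split(maxsplit=2)
        host = urlparse(url).hostname or ""
        verdict = classify_host(host)
        if verdict in ("lookalike", "brand-impersonation"):
            findings.append((user, host, verdict))
    return findings
```

This only surfaces lookalike hosts that appear in your own logs; it does not stop the real-time relay of MFA codes that the kit's live interaction enables, which is why phishing-resistant MFA matters alongside detection.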
Aftermath Of The Phishing Scam!
According to the investigation by cybercrime experts, almost 100 users have fallen prey to this scam so far. The threat actors had been using Hostinger and Hostwinds to host their phishing pages since 2023, but later moved to RetnNet, a Russia-based hosting provider.
The scammers' coordinated movement between providers and their organized planning and execution point towards the involvement of organized phishing teams. Cyber experts are looking into the matter and trying to identify the perpetrators behind this large-scale, global phishing scam.
Strengthening phishing protection measures is essential to safeguarding individuals and organizations against such sophisticated attacks. Implementing robust cybersecurity controls and conducting phishing awareness training can contribute significantly to thwarting future attempts and securing sensitive information.