Rewterz Threat Alert – New Phishing Kit Targets Cryptocurrency Users via Voice Calls and SMS – Active IOCs

Severity

High

Analysis Summary

A new phishing kit has emerged that is targeting cryptocurrency users by posing as the login pages of famous cryptocurrency services as part of an attack cluster that is dubbed CryptoChameleon, made to especially target mobile devices.

This phishing kit allows threat actors to create duplicates of single sign-on (SSO) pages and use a combination of SMS, email, and voice phishing to lure the targeted user into giving up their passwords, usernames, password reset URLs, and photo IDs. The targeted users are mostly from the United States and include the employees of the Federal Communications Commission (FCC), Coinbase, and Binance, as well as the cryptocurrency users of several platforms such as Gemini, Coinbase, Kraken, Binance, ShakePlay, Trezor, and Caleb & Brown. Over 100 victims have been the victims of this campaign so far.

“This phishing kit first asks the victim to complete a captcha using hCaptcha. This is a novel tactic that prevents automated analysis tools from crawling and identifying the phishing site. It may also give the illusion of credibility to the victim, as typically only legitimate sites use captcha,” said the security analysts.

Sometimes, these phishing pages are distributed through text messages and phone calls by pretending to be a company’s customer support team and faking to secure the target’s account after a so-called hack. After the user gives their credentials, they are either asked to wait while the actor claims to verify the information or to provide a two-factor authentication (2FA) code. The threat actor likely tries to log in using the provided credentials in real-time before redirecting the victim to the appropriate page, depending on the additional information that is required by the MFA service that the cybercriminal is attempting to access.

The kit also tries to look genuine by letting the operator customize the phishing page in real time by showing the last two digits of the targeted user’s phone number and selecting if the victim should provide a six or seven-digit token. The one-time password that is entered by the unsuspecting user is then used by the threat actor to sign in to the online service they are trying to access using the provided token. Finally, the targeted user is redirected to any website that the threat actor wants to choose, like the legitimate Okta login page or a page displaying customized messages.

Security researchers noticed that CryptoChameleon’s mode of operating is closely similar to the techniques used by Scattered Spider, especially the way it pretends to be Okta and the domains used have been identified before as linked with the group. However, there are significantly different capabilities and C2 infrastructure present in the phishing kit. The type of copycatting used is pretty common between threat actor groups, especially with the tactics, techniques, and procedures (TTPs) that have had a lot of public success.

It is unclear right now whether a single threat actor is behind this phishing kit or if it is a common tool that is used by different threat groups. The combination of having a consistent connection via voice calls and SMS, a sense of urgency, and the high-quality phishing URLs and login pages that perfectly impersonate legitimate sites is the reason why the attackers have been so successful in stealing data.

Impact

• Credential Theft
• Cryptocurrency Theft
• Financial Loss

Indicators of Compromise

Domain Name

• 07159889-coinbase.com
• 10195-coinbase.com
• 11248-coinbase.com
• 11472-coinbase.com
• 13247-icloud.com
• 17334522-kraken.com
• 18275-gemini.com
• 19287-binance.com
• 2fas-coinbase.com
• accountrecovery-coinbase.com
• authorize-gmail.com

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise IOCs in your environment utilizing your respective security controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the links/attachments sent by unknown senders.
• Implement ongoing phishing awareness training for partners and staff.
• Implement a web application firewall to filter out malicious traffic and protect against common web-based threats. 
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Be vigilant and thoroughly check the URL to see if it’s legitimate before downloading apps.