Lookout Discovers Advanced Phishing Kit Targeting U.S. Federal Agency and Cryptocurrency Exchange Organizations

Business Wire

Thu, Feb 29, 2024, 8:00 AM4 min read

In this article:

Threat Actor Emulates Scattered Spider Group and Takes Unique Approach to Collect Login Credentials

BOSTON, February 29, 2024--(BUSINESS WIRE)--Lookout, Inc., the data-centric cloud security company, today announced the discovery of an advanced phishing kit, CryptoChameleon, which exhibits tactics that target cryptocurrency platforms as well as the Federal Communications Commission (FCC) via mobile devices. The intended targets, mostly users of cryptocurrency and single sign-on (SSO) services in the United States, also include Binance and Coinbase employees. Leveraging the CryptoChameleon phishing kit, bad actors utilize text messages and voice calls where they personally reach out to the victim to build a sense of trust while encouraging them to follow the steps of the attack. This has resulted in a high success rate, leading to the collection of quality data, including usernames, passwords, password reset URLs and even photo IDs. Lookout customers who have Phishing Content Protection (PCP) were protected against CryptoChameleon.

This new phishing kit emulates techniques that have been used by the Scattered Spider cybercriminal group. Operators behind the kit have successfully duplicated pages for solutions like Okta, Outlook and Google, which means it could be used to target any organization that uses these solutions as their SSO provider. Based on conversations that the Lookout security research team had with several victims, CryptoChameleon uses phone numbers and websites that appear legitimate and reflect a real company’s support team. While CryptoChameleon follows similar tactics, there are enough differences to indicate that this is likely not Scattered Spider operating the kit and could be a different criminal group or several individual actors.

This style of attack is one that Lookout has been observing and analyzing closely as it continues to increase in frequency and become more prevalent. With more corporate data residing in the cloud and a change in how users interact with that data, an increasing number of bad actors are now leveraging social engineering, targeting a user’s mobile phone to steal credentials that provide legitimate and immediate access to critical corporate data as part of the modern cyber kill chain. Lookout data shows that every quarter, between 23% and 26% of mobile users tapped on at least one phishing link in 2023. And the discovery of CryptoChameleon represents another significant shift in the continued evolution of this kill chain.

"We’re seeing a trend of financially motivated threat actors – who typically target cryptocurrency and direct financial fraud – move into breaching enterprise and government organizations for ransom," said David Richardson, Vice President of Endpoint and Threat Intelligence, Lookout. "We urge cryptocurrency and single-sign-on users and organizations to take steps to protect their devices, work and personal data."

CryptoChameleon highlights:

The phishing kit first asks the victim to complete a captcha using hCaptcha. This is a tactic that prevents automated analysis tools from crawling and identifying the phishing site.
Unlike typical phishing kits, which attempt to harvest credentials as quickly as possible, CryptoChameleon is aware of modern security controls organizations have put in place such as multi-factor authentication and allows bad actors to respond accordingly.
While the version of CryptoChameleon targeted at the FCC impersonates the FCC’s specific Okta page by default, the kit can impersonate many different companies’ brands and authentication processes.
Lookout also found Okta impersonation pages that target employees of Binance and Coinbase, but the majority of the sites seemed to target users of cryptocurrency and SSO services.
Based on the phishing site characteristics, Lookout researchers have identified over 250 phishing sites using this kit with more being found every day.
Since initially discovering the phishing kit, Lookout has seen evidence that hundreds of victims have been impacted by the attack.

Lookout Mobile Endpoint Security customers have been protected against these phishing sites since before the February 2024 discovery, based on insights from parallels and similar infrastructure of previous attacks. Lookout will continue to track the general behaviors and techniques used by this and other criminal groups to ensure protection against additional sites that use this kit and will continue to update protections for customers through automated means as necessary.

Additional Resources:

Learn more about the Lookout Mobile Endpoint Security and the Lookout Threat Lab.
Listen and subscribe to Security Soapbox, the Lookout podcast covering privacy, security, and everything in between.

About Lookout

Lookout, Inc. is the data-centric cloud security company that uses a defense-in-depth strategy to address the different stages of a modern cybersecurity attack. Data is at the core of every organization, and our approach to cybersecurity is designed to protect that data within today’s evolving threat landscape no matter where or how it moves. People — and human behavior — are central to the challenge of protecting data, which is why organizations need total visibility into threats in real time. The Lookout Cloud Security Platform is purpose-built to stop modern breaches as swiftly as they unfold, from the first phishing text to the final cloud data extraction. We are trusted by enterprises and government agencies of all sizes to protect the sensitive data they care about most, enabling them to work and connect freely and securely. To learn more, visit www.lookout.com and follow Lookout on our blog, LinkedIn and X.

© 2024 Lookout, Inc. LOOKOUT®, the Lookout Shield Design®, LOOKOUT with Shield Design® and the Lookout multi-color/multi-shaded Wingspan Design® are registered trademarks of Lookout, Inc. in the United States and other countries. DAY OF SHECURITY®, LOOKOUT MOBILE SECURITY®, and POWERED BY LOOKOUT® are registered trademarks of Lookout, Inc. in the United States. Lookout, Inc. maintains common law trademark rights in EVERYTHING IS OK, PROTECTED BY LOOKOUT, CIPHERCLOUD, and the 4 Bar Shield Design.

View source version on businesswire.com: https://www.businesswire.com/news/home/20240229649241/en/

Contacts

Lookout PR: press@lookout.com

Forget Nvidia: Members of Congress Are Scooping Up Shares of Its Core Rival Instead
There's a much more popular AI stock on Capitol Hill than the leading AI chip maker.
Motley Fool•9h ago
Trump to set interest rates himself under secret presidential plan
Donald Trump’s aides have drawn up secret plans to oust the chairman of the Federal Reserve and allow the president to set interest rates, according to reports.
The Telegraph•1d ago
Nvidia Owns a 3.4% Stake in This Innovative Artificial Intelligence (AI) Stock Cathie Wood Loves
The $50 million purchase could turn into Nvidia's biggest investment.
Motley Fool•5h ago
Housing supply surges by up to 50% in these metro areas — and many sellers are being forced to slash their asking prices
The property report includes 85 major metropolitan areas in the U.S. with populations of at least 750,000.
MarketWatch•1d ago
2 Stock-Split Stocks to Buy Hand Over Fist Right Now
These proven wealth builders could be exactly what you're searching for right now.
Motley Fool•1d ago
Walmart CEO started his career unloading trailers at the warehouse—he says he got promotion after promotion by raising his hand when his boss was out of town
Walmart's CEO went from earning $6.50 an hour to $25 million a year—here are his three tips for climbing the corporate ladder like him
Fortune•1d ago
Why I Just Added This Ultra-High-Yield Dividend ETF to My Retirement Account
The JPMorgan Nasdaq Equity Premium Income ETF offers a compelling blend of income and upside to my portfolio.
Motley Fool•11h ago
Worried About a Stock Market Sell-Off? Buy This Top Vanguard ETF
There are benefits to investing in stocks that have reasonable multiples and aren't as dependent on future earnings growth to justify their valuations.
Motley Fool•5h ago
U.S. panic over national debt might mark a culture shift—are Americans becoming more ‘European’ about money?
Jamie Dimon and Jerome Powell are taking the European viewpoint on soaring debt levels in the U.S.
Fortune•1d ago
Analysts revamp Microsoft stock price target after earnings
Here's what could happen next to Microsoft shares.
TheStreet•19h ago

News

Life

Entertainment

Finance

Sports

New on Yahoo

Yahoo Finance

Lookout Discovers Advanced Phishing Kit Targeting U.S. Federal Agency and Cryptocurrency Exchange Organizations

Recommended Stories

Forget Nvidia: Members of Congress Are Scooping Up Shares of Its Core Rival Instead

Trump to set interest rates himself under secret presidential plan

Nvidia Owns a 3.4% Stake in This Innovative Artificial Intelligence (AI) Stock Cathie Wood Loves

Housing supply surges by up to 50% in these metro areas — and many sellers are being forced to slash their asking prices

2 Stock-Split Stocks to Buy Hand Over Fist Right Now

Walmart CEO started his career unloading trailers at the warehouse—he says he got promotion after promotion by raising his hand when his boss was out of town

Why I Just Added This Ultra-High-Yield Dividend ETF to My Retirement Account

Worried About a Stock Market Sell-Off? Buy This Top Vanguard ETF

U.S. panic over national debt might mark a culture shift—are Americans becoming more ‘European’ about money?

Analysts revamp Microsoft stock price target after earnings