FCC Employees Targeted in Sophisticated Phishing Attacks

Advanced phishing kit employs novel tactics in attack targeting cryptocurrency platforms and FCC employees.

Federal Communications Commission (FCC) employees and cryptocurrency platforms have been targeted in mobile device phishing attacks employing a novel and advanced kit, cybersecurity firm Lookout warns.

Using the new kit, attackers build carbon copies of single sign-on (SSO) login pages and drive victims to them through a combination of email, SMS and vishing (voice phishing) lures, tricking them into entering their login credentials.

The same tactics have been used to obtain password reset URLs and photo IDs, with hundreds of individuals, mostly in the United States, already victimized.

FCC employees, Lookout reveals, were lured to a phishing page on fcc-okta[.]com that mimics the legitimate FCC SSO page. Visitors were first asked to complete an hCaptcha challenge, which both creates an illusion of legitimacy and hinders automated analysis of the page.

Next, the victim was prompted for their username and password, and was then asked either to wait, to sign in again, or to provide a multi-factor authentication (MFA) token, depending on which of several options the phishing page's operator selected in real time.

According to Lookout, an administrator monitoring the page could view the provided credentials in a table and was likely attempting to validate them by logging in on the legitimate page.

If additional information was needed, the administrator could then customize the phishing page accordingly, to obtain MFA codes or SMS-based tokens, the last digits of the victim’s phone number, and other details.

Once the operator had attempted a sign-in with the captured credentials, they could redirect the victim to any page, including the real sign-in portal, or to a custom holding page, such as one telling "the victim that their account is under review and to try to log in later at a time specified by the operator," Lookout explains.
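The flow above is a real-time, operator-driven credential and OTP relay, so the defensive opportunity is largely in spotting the lookalike SSO hostname before or as a user reaches it. The following is an added example, written for this page and not code from Lookout or the article, of a small proxy-log scanner that flags hostnames combining a protected brand token with an SSO-related token (the pattern behind fcc-okta[.]com) outside an allowlist of legitimate domains. The log format, the allowlist, the brand list and the sample log lines are all constructed assumptions for the demonstration; only the fcc-okta[.]com indicator comes from the article.

```python
"""Flag SSO-impersonation hostnames in proxy logs.

Added example for this page, not Lookout's or the article's code. The log
format, allowlist, brand list and sample lines below are constructed
assumptions; fcc-okta[.]com is the one indicator named in the article.
"""
import re
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import urlsplit

# Organizations/brands whose users we want to protect (assumed list).
BRAND_TOKENS = {"fcc", "binance", "coinbase"}
# Tokens that signal an SSO or login page when paired with a brand token.
SSO_TOKENS = {"okta", "sso", "login", "signin", "auth", "mfa"}
# Registrable domains that legitimately host these brands' sign-in (assumed).
ALLOWED_DOMAINS = {"fcc.gov", "okta.com", "binance.com", "coinbase.com"}
# Known-bad hostnames kept defanged, as they are usually published.
KNOWN_IOCS = {"fcc-okta[.]com"}

# Constructed proxy log format: "<timestamp> <user> <src_ip> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<url>\S+)$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'fcc-okta[.]com' back into a hostname."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


def host_tokens(host: str) -> Set[str]:
    """Split a hostname into lowercase word tokens on dots, hyphens, underscores and digits."""
    return {t for t in re.split(r"[.\-_\d]+", host.lower()) if t}


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). A deployment should use a public-suffix list
    so that e.g. example.co.uk is handled correctly; this is an assumption here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> Optional[Dict[str, str]]:
    """Return a finding if the host looks like SSO impersonation, else None."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in ALLOWED_DOMAINS:
        return None  # legitimate brand or SSO provider domain
    if host in {refang(i) for i in KNOWN_IOCS}:
        return {"host": host, "reason": "known IOC"}
    tokens = host_tokens(host)
    brands = tokens & BRAND_TOKENS
    sso = tokens & SSO_TOKENS
    if brands and sso:
        return {"host": host,
                "reason": "brand %s + sso token %s" % (sorted(brands), sorted(sso))}
    return None


def scan_proxy_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse proxy log lines and return findings with the user and time attached."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash mid-run
        host = urlsplit(m["url"]).hostname
        if not host:
            continue
        hit = classify_host(host)
        if hit:
            hit.update(user=m["user"], ts=m["ts"])
            findings.append(hit)
    return findings


# Constructed sample log lines; fcc.okta.com is assumed legitimate for the demo.
SAMPLE_LOG = [
    "2024-02-27T14:03:11Z alice 10.1.2.3 https://fcc-okta.com/login",
    "2024-02-27T14:05:40Z bob 10.1.2.4 https://fcc.okta.com/app/UserHome",
    "2024-02-27T14:07:02Z carol 10.1.2.5 https://coinbase-sso-verify.net/auth",
    "2024-02-27T14:09:55Z dave 10.1.2.6 https://docs.python.org/3/",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f["ts"], f["user"], f["host"], "->", f["reason"])
```

On the sample input this reports two hits: fcc-okta.com as a known indicator and coinbase-sso-verify.net on the brand-plus-SSO-token heuristic, while fcc.okta.com is allowlisted and docs.python.org is ignored. One caveat the flow in the article makes clear: because the operator relays the victim's one-time code to the real portal while it is still valid, SMS and app-based OTP MFA do not stop this kit; origin-bound authenticators (FIDO2/WebAuthn) do, since a credential registered for the real SSO origin will not be released by the browser to a lookalike hostname.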

Based on the identified references to cryptocurrency platforms and SSO services, the cybersecurity firm believes that the phishing kit can impersonate numerous brands, including pages targeting the employees and users of Binance and Coinbase.

“A high percentage of the credentials collected by these sites look like legitimate email addresses, passwords, OTP tokens, password reset URLs, photos of driver’s licenses and more. The sites seem to have successfully phished more than 100 victims, based on the logs observed,” Lookout notes.

While the page impersonating the FCC SSO portal has been taken down, most of the identified phishing sites continue to operate. Some have been active since November 2023, hosted by various providers, including Hostwinds, Hostinger, and RetnNet.

The attacks show similarities with the operations of a threat actor known as Scattered Spider, but Lookout believes that this phishing campaign is operated by a different, likely copycat group, based on differences in infrastructure and capabilities.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.