Saturday, April 13, 2024

New SSO-Based Phishing Attack Trick Users into Sharing Login Credentials  

Threat actors employ phishing scams to trick individuals into giving away important details like login credentials or financial data. 

It is a method of cheating human confidence due to social engineering, making it cheap and hence widely used as a case for unauthorized access and ID theft.

Cybersecurity researchers at Lookout recently discovered that threat actors are actively using the new SSO-based phishing attack to trick users into sharing their login credentials.

You can analyze a malware file, network, module, and registry activity with the ANY.RUN malware sandbox and the Threat Intelligence Lookup that will let you interact with the OS directly from the browser.

Technical Analysis

A new phishing kit was found recently by Lookout that targets crypto and the Federal Communications Commission (FCC) on mobiles. 

It’s been inspired by Scattered Spider, as it clones SSO pages by employing email, SMS, and voice phishing to trick victims into sharing credentials and IDs. 

Besides this, it’s been noted that it primarily affects the victims of the United States.

Here below, we have mentioned all the platforms and organizations from where all the victims were targeted:-

  • Federal Communications Commission (FCC)
  • Binance
  • Coinbase
  • Binance
  • Coinbase
  • Gemini
  • Kraken
  • ShakePay
  • Caleb & Brown
  • Trezor
  • AOL
  • Gmail
  • iCloud
  • Okta
  • Outlook
  • Twitter
  • Yahoo

Lookout spotted the phishing kit via automated analysis of a suspicious domain that resembled Scattered Spider’s pattern noted by CISA. 

The suspicious domain, “fcc-okta[.]com,” is similar to the FCC’s legit SSO page. This domain tricks victims with a captcha to evade detection and adds credibility.


After the captcha, the fake FCC Okta page delays the victims. Unlike regular phishing kits rushing for credentials, it adapts to modern security with MFA awareness. 

Replica of the official Okta page

Lookout found an admin console monitoring the phishing page. Couldn’t access it directly, but got indirect access to its JavaScript and CSS. 

Each victim entry adds a new row to a table, and the threat actor selects where to send victims after login. 

Besides this, the redirects are based on the MFA request type, like an authenticator app or SMS.

When sending a Multi-Factor Authentication token, the sender can fuzz details like the victim’s number last digits, and 6 or 7 digit code.

The phishing kit investigation unveils the crypto and SSO focus. While the kit mimics the FCC Okta and various brands. 

The Lookout IDs sites found using the kit and mainly under official-server[.]com C2. In this event, it’s been noted that the Binance and Coinbase employees are targeted and among them, Coinbase is the most targeted. 

Besides this, the new domains have been linked to original-backend[.]com since Feb 21. The lookout researchers gained brief access to backend logs by noting high-quality stolen credentials.

Fake Coinbase Login Page

Over 100 victims were phished, and the active sites are still collecting data. The phishing kit files include the C2 URL, logic for data collection, and style sheets. 

The victims describe the threat actor as “American” and skilled. While the attack targets mobile devices, mainly iOS and Android in the US.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits that deliver via phishing kits with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.


Latest articles

Alert! Palo Alto RCE Zero-day Vulnerability Actively Exploited in the Wild

In a recent security bulletin, Palo Alto Networks disclosed a critical vulnerability in its...

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...

Hackers Employ Deepfake Technology To Impersonate as LastPass CEO

A LastPass employee recently became the target of an attempted fraud involving sophisticated audio...

Sisence Data Breach, CISA Urges To Reset Login Credentials

In response to a recent data breach at Sisense, a provider of data analytics...

DuckDuckGo Launches Privacy Pro: 3-in-1 service With VPN

DuckDuckGo has launched Privacy Pro, a new subscription service that promises to enhance user...

Cyber Attack Surge by 28%:Education Sector at High Risk

In Q1 2024, Check Point Research (CPR) witnessed a notable increase in the average...

Midnight Blizzard’s Microsoft Corporate Email Hack Threatens Federal Agencies: CISA Warns

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive concerning a...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles