Saturday, September 7, 2024
HomeCyber AttackNew SSO-Based Phishing Attack Trick Users into Sharing Login Credentials  

New SSO-Based Phishing Attack Trick Users into Sharing Login Credentials  

Published on

Threat actors employ phishing scams to trick individuals into giving away important details like login credentials or financial data. 

It is a method of cheating human confidence due to social engineering, making it cheap and hence widely used as a case for unauthorized access and ID theft.

Cybersecurity researchers at Lookout recently discovered that threat actors are actively using the new SSO-based phishing attack to trick users into sharing their login credentials.

- Advertisement - EHA

You can analyze a malware file, network, module, and registry activity with the ANY.RUN malware sandbox and the Threat Intelligence Lookup that will let you interact with the OS directly from the browser.

Technical Analysis

A new phishing kit was found recently by Lookout that targets crypto and the Federal Communications Commission (FCC) on mobiles. 

It’s been inspired by Scattered Spider, as it clones SSO pages by employing email, SMS, and voice phishing to trick victims into sharing credentials and IDs. 

Besides this, it’s been noted that it primarily affects the victims of the United States.

Here below, we have mentioned all the platforms and organizations from where all the victims were targeted:-

  • Federal Communications Commission (FCC)
  • Binance
  • Coinbase
  • Binance
  • Coinbase
  • Gemini
  • Kraken
  • ShakePay
  • Caleb & Brown
  • Trezor
  • AOL
  • Gmail
  • iCloud
  • Okta
  • Outlook
  • Twitter
  • Yahoo

Lookout spotted the phishing kit via automated analysis of a suspicious domain that resembled Scattered Spider’s pattern noted by CISA. 

The suspicious domain, “fcc-okta[.]com,” is similar to the FCC’s legit SSO page. This domain tricks victims with a captcha to evade detection and adds credibility.

Captcha

After the captcha, the fake FCC Okta page delays the victims. Unlike regular phishing kits rushing for credentials, it adapts to modern security with MFA awareness. 

Replica of the official Okta page

Lookout found an admin console monitoring the phishing page. Couldn’t access it directly, but got indirect access to its JavaScript and CSS. 

Each victim entry adds a new row to a table, and the threat actor selects where to send victims after login. 

Besides this, the redirects are based on the MFA request type, like an authenticator app or SMS.

When sending a Multi-Factor Authentication token, the sender can fuzz details like the victim’s number last digits, and 6 or 7 digit code.

The phishing kit investigation unveils the crypto and SSO focus. While the kit mimics the FCC Okta and various brands. 

The Lookout IDs sites found using the kit and mainly under official-server[.]com C2. In this event, it’s been noted that the Binance and Coinbase employees are targeted and among them, Coinbase is the most targeted. 

Besides this, the new domains have been linked to original-backend[.]com since Feb 21. The lookout researchers gained brief access to backend logs by noting high-quality stolen credentials.

Fake Coinbase Login Page

Over 100 victims were phished, and the active sites are still collecting data. The phishing kit files include the C2 URL, logic for data collection, and style sheets. 

The victims describe the threat actor as “American” and skilled. While the attack targets mobile devices, mainly iOS and Android in the US.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits that deliver via phishing kits with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

NoiseAttack is a Novel Backdoor That Uses Power Spectral Density For Evasion

NoiseAttack is a new method of secretly attacking deep learning models. It uses triggers...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...