New SSO-Based Phishing Attack Trick Users into Sharing Login Credentials

Threat actors employ phishing scams to trick individuals into giving away important details like login credentials or financial data. 

It is a method of cheating human confidence due to social engineering, making it cheap and hence widely used as a case for unauthorized access and ID theft.

Cybersecurity researchers at Lookout recently discovered that threat actors are actively using the new SSO-based phishing attack to trick users into sharing their login credentials.

You can analyze a malware file, network, module, and registry activity with the ANY.RUN malware sandbox and the Threat Intelligence Lookup that will let you interact with the OS directly from the browser.

Technical Analysis

A new phishing kit was found recently by Lookout that targets crypto and the Federal Communications Commission (FCC) on mobiles. 

It’s been inspired by Scattered Spider, as it clones SSO pages by employing email, SMS, and voice phishing to trick victims into sharing credentials and IDs. 

Besides this, it’s been noted that it primarily affects the victims of the United States.

Here below, we have mentioned all the platforms and organizations from where all the victims were targeted:-

  • Federal Communications Commission (FCC)
  • Binance
  • Coinbase
  • Binance
  • Coinbase
  • Gemini
  • Kraken
  • ShakePay
  • Caleb & Brown
  • Trezor
  • AOL
  • Gmail
  • iCloud
  • Okta
  • Outlook
  • Twitter
  • Yahoo

Lookout spotted the phishing kit via automated analysis of a suspicious domain that resembled Scattered Spider’s pattern noted by CISA. 

The suspicious domain, “fcc-okta[.]com,” is similar to the FCC’s legit SSO page. This domain tricks victims with a captcha to evade detection and adds credibility.

Captcha

After the captcha, the fake FCC Okta page delays the victims. Unlike regular phishing kits rushing for credentials, it adapts to modern security with MFA awareness. 

Replica of the official Okta page

Lookout found an admin console monitoring the phishing page. Couldn’t access it directly, but got indirect access to its JavaScript and CSS. 

Each victim entry adds a new row to a table, and the threat actor selects where to send victims after login. 

Besides this, the redirects are based on the MFA request type, like an authenticator app or SMS.

When sending a Multi-Factor Authentication token, the sender can fuzz details like the victim’s number last digits, and 6 or 7 digit code.

The phishing kit investigation unveils the crypto and SSO focus. While the kit mimics the FCC Okta and various brands. 

The Lookout IDs sites found using the kit and mainly under official-server[.]com C2. In this event, it’s been noted that the Binance and Coinbase employees are targeted and among them, Coinbase is the most targeted. 

Besides this, the new domains have been linked to original-backend[.]com since Feb 21. The lookout researchers gained brief access to backend logs by noting high-quality stolen credentials.

Fake Coinbase Login Page

Over 100 victims were phished, and the active sites are still collecting data. The phishing kit files include the C2 URL, logic for data collection, and style sheets. 

The victims describe the threat actor as “American” and skilled. While the attack targets mobile devices, mainly iOS and Android in the US.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits that deliver via phishing kits with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious actors…

2 days ago

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce shoppers…

2 days ago

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to malicious…

2 days ago

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in 2022…

2 days ago

Critical Laravel Vulnerability CVE-2024-52301 Allows Unauthorized Access

CVE-2024-52301 is a critical vulnerability identified in Laravel, a widely used PHP framework for building…

2 days ago

4M+ WordPress Websites to Attacks, Following Plugin Vulnerability

A critical vulnerability has been discovered in the popular "Really Simple Security" WordPress plugin, formerly…

2 days ago