SSO-Based Phishing Attack Trick Users into Sharing Login Credentials  

Threat actors employ phishing scams to trick individuals into giving away important details like login credentials or financial data. 

It is a method of cheating human confidence due to social engineering, making it cheap and hence widely used as a case for unauthorized access and ID theft.

Cybersecurity researchers at Lookout recently discovered that threat actors are actively using the new SSO-based phishing attack to trick users into sharing their login credentials.

You can analyze a malware file, network, module, and registry activity with the ANY.RUN malware sandbox and the Threat Intelligence Lookup that will let you interact with the OS directly from the browser.

Technical Analysis

A new phishing kit was found recently by Lookout that targets crypto and the Federal Communications Commission (FCC) on mobiles. 

It’s been inspired by Scattered Spider, as it clones SSO pages by employing email, SMS, and voice phishing to trick victims into sharing credentials and IDs. 

Besides this, it’s been noted that it primarily affects the victims of the United States.

Here below, we have mentioned all the platforms and organizations from where all the victims were targeted:-

  • Federal Communications Commission (FCC)
  • Binance
  • Coinbase
  • Binance
  • Coinbase
  • Gemini
  • Kraken
  • ShakePay
  • Caleb & Brown
  • Trezor
  • AOL
  • Gmail
  • iCloud
  • Okta
  • Outlook
  • Twitter
  • Yahoo

Lookout spotted the phishing kit via automated analysis of a suspicious domain that resembled Scattered Spider’s pattern noted by CISA. 

The suspicious domain, “fcc-okta[.]com,” is similar to the FCC’s legit SSO page. This domain tricks victims with a captcha to evade detection and adds credibility.

Captcha

After the captcha, the fake FCC Okta page delays the victims. Unlike regular phishing kits rushing for credentials, it adapts to modern security with MFA awareness. 

Replica of the official Okta page

Lookout found an admin console monitoring the phishing page. Couldn’t access it directly, but got indirect access to its JavaScript and CSS. 

Each victim entry adds a new row to a table, and the threat actor selects where to send victims after login. 

Besides this, the redirects are based on the MFA request type, like an authenticator app or SMS.

When sending a Multi-Factor Authentication token, the sender can fuzz details like the victim’s number last digits, and 6 or 7 digit code.

The phishing kit investigation unveils the crypto and SSO focus. While the kit mimics the FCC Okta and various brands. 

The Lookout IDs sites found using the kit and mainly under official-server[.]com C2. In this event, it’s been noted that the Binance and Coinbase employees are targeted and among them, Coinbase is the most targeted. 

Besides this, the new domains have been linked to original-backend[.]com since Feb 21. The lookout researchers gained brief access to backend logs by noting high-quality stolen credentials.

Fake Coinbase Login Page

Over 100 victims were phished, and the active sites are still collecting data. The phishing kit files include the C2 URL, logic for data collection, and style sheets. 

The victims describe the threat actor as “American” and skilled. While the attack targets mobile devices, mainly iOS and Android in the US.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits that deliver via phishing kits with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.

Leave a Reply

Your email address will not be published. Required fields are marked *