CryptoChameleon Phishing Kit Targets FCC Staff

Lookout has reported that the new phishing toolkit, CryptoChameleon, has become a tool for attacks against employees of the Federal Communications Commission (FCC), utilizing a counterfeit Okta authentication system.

The campaign targets users and employees of cryptocurrency platforms, including Binance, Coinbase, Kraken, and Gemini, employing phishing pages that mimic Okta, Gmail, iCloud, Outlook, X, Yahoo, and AOL.

Malefactors orchestrate intricate phishing and social engineering attacks, encompassing email, SMS, and voice phishing (vishing), to deceitfully compel victims to enter confidential information on counterfeit pages, such as usernames, passwords, and even passport photographs.

CryptoChameleon phishing toolkit

The attackers prepare for the assault by first registering domains closely resembling those of legitimate sites. For instance, the FCC created a domain “fcc-okta[.]com”, differing by only one character from the genuine FCC Single Sign-On (SSO) page through Okta.

Attackers may call, email, or text targets, posing as customer support, and direct them to a phishing site for “account recovery.” On the fraudulent site, victims are met with a CAPTCHA, which Lookout states serves as both a bot filter and adds credibility to the process. After passing the CAPTCHA, visitors find a well-designed phishing page, appearing as a replica of the real Okta login page.

From left to right: CAPTCHA verification page, phishing FCC page, and a fake waiting page.

The CryptoChameleon phishing kit allows cybercriminals to interact with victims in real-time, facilitating scenarios such as requesting multi-factor authentication (MFA) codes to hijack the target’s account.

The central control panel of the phishing process enables the attacker to customize the phishing page, including the victim’s phone number, making MFA code requests more plausible.

Upon completing the phishing process, the victim may be redirected to the genuine login system or to a counterfeit portal, claiming their account is under review. Both routing options are used to lower suspicions and provide the attacker more time to exploit the stolen information.

Delving deeper, Lookout gained insight into additional targets within the cryptocurrency space by analyzing the phishing kit and finding corresponding baits. Researchers also obtained short-term access to the attackers’ backend logs, confirming that the campaign led to high-value compromises.

Experts estimate that cybercriminals conducted phishing attacks on over 100 victims. Many of the sites remain active, continuing to fish for more credentials each hour.

The primary hosts for the phishing pages at the end of 2023 were Hostwinds and Hostinger, but later the fraudsters switched to the RetnNet data transmission network, offering a longer operational period for such sites.

The lookout was unable to determine whether CryptoChameleon is exclusively used by a single threat actor or leased to multiple groups. Regardless of who is behind the phishing kit, its advanced nature, targeting strategy, communication methods of the operators, and the high quality of the phishing materials underscore the impact the service can have on target organizations.