New SSO-Based Phishing Attack Trick Users into Sharing Login Credentials

Threat actors employ phishing scams to trick individuals into giving away important details like login credentials or financial data. 

It is a method of cheating human confidence due to social engineering, making it cheap and hence widely used as a case for unauthorized access and ID theft.

Recently cybersecurity researchers at Lookout discovered that threat actors are actively using the new SSO-based phishing attack to trick users into sharing their login credentials.

Technical Analysis

A new phishing kit was found recently by Lookout that targets crypto and the Federal Communications Commission (FCC) on mobiles. 

It’s been inspired by Scattered Spider, as it clones SSO pages by employing email, SMS, and voice phishing to trick victims into sharing credentials and IDs. 

Besides this, it’s been noted that it primarily affects the victims of the United States.

Here below we have mentioned all the platforms and organizations from where all the victims were targeted:-

  • Federal Communications Commission (FCC)
  • Binance
  • Coinbase
  • Binance
  • Coinbase
  • Gemini
  • Kraken
  • ShakePay
  • Caleb & Brown
  • Trezor
  • AOL
  • Gmail
  • iCloud
  • Okta
  • Outlook
  • Twitter
  • Yahoo

Lookout spotted the phishing kit via automated analysis of a suspicious domain which was found to be resembling Scattered Spider’s pattern noted by CISA. 

The suspicious domain, “fcc-okta[.]com,” is similar to FCC’s legit SSO page. This domain tricks victims with a captcha to evade the detection and this also adds credibility to it.

Captcha (Source – Lookout)

After the captcha, the fake FCC Okta page delays the victims. It adapts to modern security with MFA awareness, unlike regular phishing kits rushing for credentials. 

Replica of the official Okta page (Source – Lookout)

Lookout found an admin console monitoring the phishing page. Couldn’t access it directly, but got indirect access to its JavaScript and CSS. 

Each victim entry adds a new row to a table, and the threat actor selects where to send victims after login. 

Besides this, the redirects are based on the MFA request type, like an authenticator app or SMS.

When sending a Multi-Factor Authentication token, the sender can fuzz details like the victim’s number last digits, and 6 or 7 digit code.

The phishing kit investigation unveils the crypto and SSO focus. While the kit mimics the FCC Okta and various brands. 

The Lookout IDs sites found using the kit and mainly under official-server[.]com C2. In this event, it’s been noted that the Binance and Coinbase employees are targeted and among them, Coinbase is the most targeted. 

Besides this, the new domains have been linked to original-backend[.]com since Feb 21. The lookout researchers gained brief access to backend logs by noting high-quality stolen credentials.

Fake Coinbase Login Page (Source – Lookout)

Over 100 victims were phished, and the active sites are still collecting data. The phishing kit files include the C2 URL, logic for data collection, and style sheets. 

The victims describe the threat actor as “American” and skilled. While the attack targets mobile devices, mainly iOS and Android in the US.

Leave A Comment

Receive the latest news in your email
Table of content
Related articles