Lookout announced the discovery of an advanced phishing kit, CryptoChameleon, whose tactics target cryptocurrency platforms as well as the Federal Communications Commission (FCC) via mobile devices. The intended targets, mostly users of cryptocurrency and single sign-on (SSO) services in the United States, also include Binance and Coinbase employees. Using the CryptoChameleon phishing kit, bad actors contact the victim directly by text message and voice call to build a sense of trust while walking them through the steps of the attack. This has resulted in a high success rate and the collection of high-quality data, including usernames, passwords, password reset URLs and even photo IDs. Lookout customers who have Phishing Content Protection (PCP) were protected against CryptoChameleon.
This new phishing kit emulates techniques that have been used by the Scattered Spider cybercriminal group. Operators behind the kit have successfully duplicated pages for solutions like Okta, Outlook and Google, which means it could be used to target any organization that uses these solutions as their SSO provider. Based on conversations that the Lookout security research team had with several victims, CryptoChameleon uses phone numbers and websites that appear legitimate and reflect a real company's support team. While CryptoChameleon follows similar tactics, there are enough differences to indicate that this is likely not Scattered Spider operating the kit; it could be a different criminal group or several individual actors.
This style of attack is one that Lookout has been observing and analyzing closely as it continues to increase in frequency. With more corporate data residing in the cloud and a change in how users interact with that data, an increasing number of bad actors now use social engineering against a user's mobile phone to steal credentials that provide legitimate and immediate access to critical corporate data as part of the modern cyber kill chain. Lookout data shows that in every quarter of 2023, between 23% and 26% of mobile users tapped on at least one phishing link. The discovery of CryptoChameleon represents another significant shift in the continued evolution of this kill chain.
"We're seeing a trend of financially motivated threat actors - who typically target cryptocurrency and direct financial fraud - move into breaching enterprise and government organizations for ransom," said David Richardson, Vice President of Endpoint and Threat Intelligence, Lookout. "We urge cryptocurrency and single-sign-on users and organizations to take steps to protect their devices, work and personal data."
CryptoChameleon highlights:
- The phishing kit first asks the victim to complete a captcha using hCaptcha. This tactic prevents automated analysis tools from crawling and identifying the phishing site.
- Unlike typical phishing kits, which attempt to harvest credentials as quickly as possible, CryptoChameleon is built with awareness of the modern security controls organizations have put in place, such as multi-factor authentication, and allows bad actors to respond accordingly.
- While the version of CryptoChameleon targeted at the FCC impersonates the FCC's specific Okta page by default, the kit can impersonate many different companies' brands and authentication processes.
- Lookout also found Okta impersonation pages that target employees of Binance and Coinbase, but the majority of the sites appeared to target users of cryptocurrency and SSO services.
- Based on the phishing site characteristics, Lookout researchers have identified more than 250 phishing sites using this kit, with more being found every day.
- Since initially discovering the phishing kit, Lookout has seen evidence that hundreds of victims have been impacted by the attack.
Lookout Mobile Endpoint Security customers have been protected against these phishing sites since before the February 2024 discovery, based on parallels with the infrastructure of previous attacks. Lookout will continue to track the general behaviors and techniques used by this and other criminal groups to ensure protection against additional sites that use this kit, and will continue to update protections for customers through automated means as necessary.