A new technical report published by Lookout's security research team on Feb 27th, 2024 reveals details on CryptoChameleon, an advanced phishing kit using novel tactics to target cryptocurrency platforms and users.
The report discloses how the phishing kit builds near-perfect spoofed login pages for services like Coinbase, Binance, and Gemini to steal user credentials. It then employs a combination of email, SMS, and voice phishing to trick victims into handing over usernames, passwords, two-factor authentication codes, and even photo IDs.
This blog post summarizes Lookout's key findings on CryptoChameleon - how it operates, who is behind it, and how users can stay protected. We also provide technical analysis on the phishing pages, backend infrastructure, and attribution details.
Lookout's phishing detection systems first caught wind of CryptoChameleon when they flagged a new domain registration - fcc-okta[.]com.
The domain closely impersonated the legitimate portal used by FCC (Federal Communications Commission) for single sign-on authentication through Okta - fcc.okta[.]com.
This pattern of mimicking company Okta pages with deceptive homographs matched techniques used by an Advanced Persistent Threat (APT) group tracked as Scattered Spider.
Scattered Spider has been linked with widespread phishing campaigns against government agencies, technology, and manufacturing sectors.
Upon accessing the fraudulent FCC domain, users had to complete a hCaptcha challenge proving they weren't bots.
Source: Lookout
This prevented security crawling and containment while establishing legitimacy for victims accessing the portal.
The login page mirrored FCC's actual Okta instance with great precision to capture user credentials securely. Victims would have no visual queues indicating foul play.
Source: Lookout
Interestingly, once usernames and passwords were submitted, CryptoChameleon redirected targets to a "loading" page instead of instantly capturing entered data.
In the background, threat actors used the stolen credentials in real-time to access target accounts. Depending on multi-factor controls enforced, the phishing system redirected users to customized pages asking for supplemental login factors like:
One-time passcodes
SMS/call based tokens
Photo ID submission
This dynamic redirection architecture minimized user suspicion while extracting maximum data to ensure account takeovers.
Source: Lookout
For example, the SMS token page tricked victims into handing over registered mobile numbers and whether they used 6 or 7 digit codes.
Such customizable credential harvesting at scale is highly uncommon and concerning for user privacy.
Source: Lookout
In other incidents, while victims accessed the phishing pages, attackers called them posing as authorized support reps guiding them through login using texts/voice calls.
Source: Lookout
This persistent social manipulation removed doubt victims may have on the legitimacy of SMS/call based challenges enabling complete account takeovers in many cases.
As Lookout analyzed, CryptoChameleon's unique combination of highly deceptive login portals complemented with technology and social engineering techniques gave it high success to steal hundreds of sets of cryptocurrency account credentials.
Lookout's report discloses a multi-stage process followed by attackers to ensure success in credential harvesting and account takeovers:
Threat actors register domains impersonating popular cryptocurrency apps and exchanges like Coinbase, Binance, Gemini etc. Email IDs and phone numbers are compiled for potential victims, mostly cryptocurrency holders in the US.
Relevant JavaScript, CSS and image files are embedded into phishing sites to perfectly mimic login portals tied to the brands they impersonate. For example coinbase-help[.]com instead of coinbase-help[.]com using near-identical homographs.
Phishing links are messaged to identified targets through SMS/email campaigns. Users accessing online accounts get trapped into completing browser captchas and handing over usernames, passwords on fake dologin pages.
To bypass two-factor authentication which cryptocurrency apps enforce, attackers dynamically redirect visitors through customized info-stealing routes after capturing usernames/passwords.
Victims input one-time-passcodes, SMS tokens, photo IDs which threat actors immediately use to access online wallets.
From phishing page dashboards, attackers siphon out authentication factors, personal information to access online accounts. Funds are drained out into attacker-controlled wallets for laundering.
As Lookout researchers uncovered, this unique use of technology blended with social engineering allows CryptoChameleon to successfully target and compromise hundreds of cryptocurrency users primarily based in the US.
The infrastructure analysis also traces early connections to the Russian-linked Scattered Spider hacker collective known for credential theft. While attribution remains fuzzy, overlaps in TTPs are concerns for the security community.
CryptoChameleon establishes phishing can be dangerously effective even against tech-savvy communities like cryptocurrency adopters. The use of captchas, logos, and homographs make it tough for average users to discern legitimacy of the pages they access.
As nation-state backed groups increasingly focus on credential compromise, users should follow best practices like enabling two-factor authentication using hardware tokens, being alert to SMS or call-based phishing attempts.
For enterprises, advanced threat intelligence coupled with technologies detecting known phishing infrastructure offer reliable safeguards against attacks like CryptoChameleon.
As Lookout states, continued tracking of threat actor behaviors and updating phishing site databases will be vital in this arms race. For individual users, remaining vigilant when accessing online accounts - especially in the fintech and cryptocurrency sector which offer rich rewards for attackers.
official-server[.]com
server694590423[.]tech
island-placid-bromine.glitch[.]me
circular-noon-farmhouse.glitch[.]me
talented-friendly-price.glitch[.]me
dflfmgsdokasdcpl[.]com
original-backend[.]com
07159889-coinbase[.]com
10195-coinbase[.]com
11246-coinbase[.]com
11247-coinbase[.]com
11248-coinbase[.]com
11258-coinbase[.]com
11259-coinbase[.]com
113912-coinbase[.]com
11472-coinbase[.]com
11923-coinbase[.]com
11957-coinbase[.]com
128147-coinbase[.]com
12958-coinbase[.]com
12984-okta[.]com
12985-coinbase[.]com
13130-coinbase[.]com
13247-coinbase[.]com
13247-icloud[.]com
13267-coinbase[.]com
146271510-coinbase[.]com
146282-coinbase[.]com
146284-coinbase[.]com
147260-coinbase[.]com
14765-coinbase[.]com
14817582-coinbase[.]com
14871904-coinbase[.]com
14891902-coinbase[.]com
1492864-coinbase[.]com
158312-coinbase[.]com
158372-coinbase[.]com
158702-coinbase[.]com
16171675-coinbase[.]com
16171832-coinbase[.]com
16178234-coinbase[.]com
16178237-coinbase[.]com
16178434-coinbase[.]com
162178-coinbase[.]com
162478-coinbase[.]com
162782-coinbase[.]com
162812-coinbase[.]com
162814-coinbase[.]com
16442580-coinbase[.]com
16450107-coinbase[.]com
16450207-coinbase[.]com
16458207-coinbase[.]com
16478202-coinbase[.]com
164872942-coinbase[.]com
16590-coinbase[.]com
16594373-coinbase[.]com
16624831-coinbase[.]com
16642124-coinbase[.]com
16642172-coinbase[.]com
16642580-coinbase[.]com
16642721-coinbase[.]com
16642724-coinbase[.]com
16642871-coinbase[.]com
16642872-coinbase[.]com
16712942-coinbase[.]com
16718672-coinbase[.]com
16728342-coinbase[.]com
16728348-coinbase[.]com
16728442-coinbase[.]com
16728472-coinbase[.]com
167285-coinbase[.]com
16729042-coinbase[.]com
16748272-coinbase[.]com
16782942-coinbase[.]com
16827420-coinbase[.]com
16827423-coinbase[.]com
16847145-coinbase[.]com
16893924-coinbase[.]com
17182-coinbase[.]com
17255030-coinbase[.]com
17259-kraken[.]com
172486-coinbase[.]com
17284652-coinbase[.]com
17286-coinbase[.]com
17334522-coinbase[.]com
17334522-kraken[.]com
17384522-coinbase[.]com
173912-coinbase[.]com
17494976-coinbase[.]com
17512854-coinbase[.]com
17512857-coinbase[.]com
1751954-coinbase[.]com
17525030-coinbase[.]com
17529580-coinbase[.]com
17614-coinbase[.]com
17618412-coinbase[.]com
17619-coinbase[.]com
176284-coinbase[.]com
17823920-coinbase[.]com
178253-coinbase[.]com
178294-coinbase[.]com
17912-coinbase[.]com
17914-coinbase[.]com
17917-coinbase[.]com
17954-coinbase[.]com
17958-coinbase[.]com
182043-coinbase[.]com
18275-gemini[.]com
18276-coinbase[.]com
18290185-coinbase[.]com
182967-coinbase[.]com
18560-coinbase[.]com
18571-coinbase[.]com
185912-coinbase[.]com
185914-coinbase[.]com
18592176-coinbase[.]com
18594162-coinbase[.]com
18594962-coinbase[.]com
18597162-coinbase[.]com
18719562-coinbase[.]com
1875290-coinbase[.]com
1882730-coinbase[.]com
18902-coinbase[.]com
18903-coinbase[.]com
189126-coinbase[.]com
18952-coinbase[.]com
192854-coinbase[.]com
192856-coinbase[.]com
19287-binance[.]com
19572-coinbase[.]com
195812-coinbase[.]com
195826-coinbase[.]com
1958262-coinbase[.]com
195827-binance[.]com
1958297-coinbase[.]com
19582970-coinbase[.]com
19582971-coinbase[.]com
19583-coinbase[.]com
19592653-coinbase[.]com
197304-coinbase[.]com
19730492-coinbase[.]com
19764162-coinbase[.]com
19803-coinbase[.]com
201784289-coinbase[.]com
210823644-coinbase[.]com
21158-coinbase[.]com
21509-coinbase[.]com
25985-coinbase[.]com
27699-coinbase[.]com
28367-coinbase[.]com
28676-coinbase[.]com
29185-coinbase[.]com
29195-coinbase[.]com
2a-coinbase[.]com
2b-coinbase[.]com
2c-coinbase[.]com
2f-coinbase[.]com
2fas-coinbase[.]com
2o-coinbase[.]com
2r-coinbase[.]com
2s-coinbase[.]com
2sv-coinbase[.]com
352134951-coinbase[.]com
38468-coinbase[.]com
39590-coinbase[.]com
41260-coinbase[.]com
427883-coinbase[.]com
43017-coinbase[.]com
47562-coinbase[.]com
50195-coinbase[.]com
5247-coinbase[.]com
54765-coinbase[.]com
57197-coinbase[.]com
58176-coinbase[.]com
58297-coinbase[.]com
61250-coinbase[.]com
61835-coinbase[.]com
61851-coinbase[.]com
61937-coinbase[.]com
71925-coinbase[.]com
72957-coinbase[.]com
72985-coinbase[.]com
74651-coinbase[.]com
754668948-coinbase[.]com
76159869-coinbase[.]com
76153-coinbase[.]com
81758-coinbase[.]com
81920-coinbase[.]com
81926-coinbase[.]com
81958-coinbase[.]com
826298-coinbase[.]com
83216-coinbase[.]com
837613-coinbase[.]com
83956-coinbase[.]com
87157-coinbase[.]com
87312-coinbase[.]com
89304-coinbase[.]com
89375-coinbase[.]com
91723-gemini[.]com
91752-coinbase[.]com
91756-coinbase[.]com
91782-coinbase[.]com
91835-coinbase[.]com
91845-coinbase[.]com
91923-coinbase[.]com
92758-coinbase[.]com
948122061-coinbase[.]com
978941-coinbase[.]com
accountrecovery-coinbase[.]com
action-shakepay[.]com
adjust-coinbase[.]com
admin-kraken[.]com
applechargebacks[.]com
authenticate-gemini[.]com
authorize-gmail[.]com
binance-okta[.]com
captcha-coinbase[.]com
cd-coinbase[.]com
coinbase-heip[.]com
coinbase-live[.]support
coinbase-reject[.]com
coinbase-ticket[.]com
coinbaseheip[.]com
com-2fa[.]help
com-2fa[.]support
com-3845[.]support
com-connect[.]help
com-fraud[.]support
com-help[.]support
com-reset[.]help
com-reset[.]net
com-ticket[.]live
com-ticket[.]support
contact-nexo[.]com
convert-coinbase[.]com
customerservice-coinbase[.]com
default-coinbase[.]com
defend-coinbase[.]com
deny-coinbase[.]com
disconnect-coinbase[.]com
escalate-coinbase[.]com
establish-coinbase[.]com
fcc-okta[.]com
fraudulent-coinbase[.]com
guard-apple[.]com
guard-icloud[.]com
guardian-coinbase[.]com
guide-gemini[.]com
help-bitfinex[.]com
help-shakepay[.]com
helpdesk-apple[.]com
helpdesk-gemini[.]com
helpdesk-icloud[.]com
identification-coinbase[.]com
lockdown-coinbase[.]com
login-nexo[.]com
keys-coinbase[.]com
messages-coinbase[.]com
newpassword-coinbase[.]com
prompt-coinbase[.]com
protect-apple[.]com
protect-coinbase[.]com
protect-gmail[.]com
protect-kraken[.]com
recoverme-coinbase[.]com
recoveryportal-coinbase[.]com
refunds-coinbase[.]com
reset-okta[.]com
restore-coinbase[.]com
return-coinbase[.]com
reverts-coinbase[.]com
secure-binance[.]us
secure-icloud[.]com
secure-nexo[.]com
secure-shakepay[.]com
security-umusic[.]com
server694590423[.]tech
session-coinbase[.]com
startrecovery-coinbase[.]com
signin-kraken[.]com
suite-trezor[.]io
supportportal-coinbase[.]com
tech-icloud[.]com
threat-coinbase[.]com
ticket-apple[.]com
ticket-coinbase[.]com
tickets-apple[.]com
tokens-coinbase[.]com
unblock-coinbase[.]com
unlink-coinbase[.]com
your-coinbase[.]com
welcome-coinbase[.]com
www-coinbasewallet[.]com
www-help-coinbase[.]com
www-help-gemini[.]com
We hope this post helps you know about CryptoChameleon, the new phishing kit targeting Cryptocurrency services and users. Please share this post and help secure the digital world.Visit our website thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.
You may also like these articles:
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”
"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.
BurpGPT is a cutting-edge Burp Suite extension that harnesses the power of OpenAI's language models to revolutionize web application security testing. With customizable prompts and advanced AI capabilities, BurpGPT enables security professionals to uncover bespoke vulnerabilities, streamline assessments, and stay ahead of evolving threats.
PentestGPT, developed by Gelei Deng and team, revolutionizes penetration testing by harnessing AI power. Leveraging OpenAI's GPT-4, it automates and streamlines the process, making it efficient and accessible. With advanced features and interactive guidance, PentestGPT empowers testers to identify vulnerabilities effectively, representing a significant leap in cybersecurity.
Tenable BurpGPT is a powerful Burp Suite extension that leverages OpenAI's advanced language models to analyze HTTP traffic and identify potential security risks. By automating vulnerability detection and providing AI-generated insights, BurpGPT dramatically reduces manual testing efforts for security researchers, developers, and pentesters.
Microsoft Security Copilot is a revolutionary AI-powered security solution that empowers cybersecurity professionals to identify and address potential breaches effectively. By harnessing advanced technologies like OpenAI's GPT-4 and Microsoft's extensive threat intelligence, Security Copilot streamlines threat detection and response, enabling defenders to operate at machine speed and scale.