CryptoChameleon Attackers Target Apple, Okta Users With Tech Support Gambit

Published: 23/11/2024   Category: security




A sophisticated threat actor using an MO similar to Scattered Spider is camouflaging itself with convincing impersonation techniques in targeted attacks.



A phishing kit dubbed CryptoChameleon has been discovered targeting cryptocurrency platforms, including employees of Binance and Coinbase — as well as the Federal Communications Commission (FCC).
According to an analysis from Lookout, the victims primarily use Apple iOS and Google Android devices with single sign-on (SSO) solutions, including Okta, Outlook, and Google.
Worryingly, successful attacks have yielded sensitive data beyond just usernames and passwords — for example, password reset URLs and photo IDs — making the attacks more damaging.
Cryptocurrency platforms, single sign-on services, government agencies, and other B2C-facing organizations should look at stronger forms of authentication, such as WebAuthn-based passkeys, says Jason Soroko, senior vice president of product at Sectigo.
The sophisticated cyberattackers behind CryptoChameleon are notably exhibiting advanced tactics, such as personal outreach. The social engineering includes personalized text messages and voice calls impersonating legitimate support personnel from reputable companies.
And they're also convincingly duplicating legitimate pages, making them harder to recognize, according to Lookout. Specifically, the use of phone numbers and websites that mimic real company support teams adds another layer of authenticity to the phishing attempts, further misleading the victims.
Meanwhile, the CryptoChameleon kit also utilizes hCaptcha to evade automated analysis tools.
In general, CryptoChameleon's MO resembles techniques used by the Scattered Spider financial cyberthreat group, in particular targeting Okta users through voice calls by purporting to be help desk personnel — but Lookout noted the attacks are carried out with enough variance to suggest a different threat actor.
In fact, the researchers suspect the phishing kit might be offered as an as-a-service offering on Dark Web forums.
"It is unknown whether this is a single threat actor, or a common tool being used by many different groups," according to Lookout's researchers. "However, there are many similarities in the backend C2 [command-and-control] servers and test data our team found across the various phishing sites."
"When it comes to social engineering from text messages and phone calls, organizations must educate their employees and set up a policy to verify the source of requests," Soroko says.
"We have seen deepfake audio phone calls that were very effective, which means that normal means of communication that were once fully trusted require a higher level of scrutiny," he notes. "You need to verify who is texting and calling, and moving forward, we need better ways to make that easier."
Patrick Tiquet, vice president of security and architecture at Keeper Security, agrees that organizations should prioritize user education, emphasizing the risks associated with unsolicited messages and the importance of additional verification to ensure the URL of the destination website matches the authentic website.
"When a password manager is used, it automatically identifies when a site's URL doesn't match what's contained in the user's vault, which provides a critical extra layer of security," he explains.
Tiquet says multifactor authentication (MFA) can also provide a critical second layer of protection that protects against phishing attacks — but he warns that cybercriminals are working to evade MFA protections and are developing advanced tactics to gain access to high-value accounts and steal credentials.
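The URL-matching behaviour Tiquet describes is worth seeing concretely: a password manager only offers a saved credential when the page's origin (scheme, host and port) exactly equals the origin recorded in the vault, so a lookalike support domain that merely contains the real hostname gets nothing. The following is an added illustration written for this article, not Keeper's or any other vendor's code; the vault entries and URLs are constructed sample data, and the function names are assumptions.

```python
"""Illustrative origin-matching check of the kind a password manager performs
before auto-filling a saved credential. Added example with constructed data,
not any vendor's implementation."""
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample vault: each entry stores the exact origin the credential
# was saved on. Hostnames here are placeholders, not real tenants.
VAULT = {
    "okta-corp": {"origin": "https://acme.okta.com", "username": "alice"},
    "coinbase": {"origin": "https://www.coinbase.com", "username": "alice@example.com"},
}


def origin_of(url: str) -> Optional[str]:
    """Return the normalized https origin of a URL, or None if it is not https.

    Only the scheme, lowercased host and explicit non-default port take part,
    so paths, query strings and fragments (which phishing pages copy freely)
    never influence the decision.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname.lower().rstrip(".")
    # IDNA-encode so Unicode lookalike hosts are compared in punycode form
    # and cannot collide with the ASCII hostname stored in the vault.
    try:
        host = host.encode("idna").decode("ascii")
        port = parts.port  # raises ValueError on a malformed port
    except (UnicodeError, ValueError):
        return None
    if port is not None and port != 443:
        return f"https://{host}:{port}"
    return f"https://{host}"


def credentials_for(url: str, vault=VAULT) -> List[str]:
    """Names of vault entries whose saved origin exactly equals the page origin.

    An empty list is the password manager's "this is not the site you saved
    this login for" signal, which is the phishing cue the article describes.
    """
    page_origin = origin_of(url)
    if page_origin is None:
        return []
    return [name for name, entry in vault.items() if entry["origin"] == page_origin]


if __name__ == "__main__":
    # Constructed URLs: the genuine login page and three impostors.
    for candidate in (
        "https://acme.okta.com/login",
        "https://acme.okta.com.support-verify.example/login",  # real host as a prefix
        "http://acme.okta.com/login",                            # downgraded scheme
        "https://acme-okta.com/login",                           # similar-looking host
    ):
        print(candidate, "->", credentials_for(candidate) or "no match")
```

The check is deliberately strict: substring or "looks similar" matching is exactly what the lookalike domains in these campaigns exploit, so only an exact origin equality should unlock a fill.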

