Emerging Phishing Kit Exploits SMS and Voice Calls to Target Cryptocurrency Users


A newly discovered phishing kit has been observed impersonating the login pages of prominent cryptocurrency services as part of an attack cluster aimed primarily at mobile devices.

In a report, Lookout stated, “This kit enables attackers to construct carbon copies of single sign-on (SSO) pages, employing a combination of email, SMS, and voice phishing to deceive targets into divulging usernames, passwords, password reset URLs, and even photo IDs from hundreds of victims, predominantly in the United States.”

The phishing kit targets individuals such as employees of the Federal Communications Commission (FCC), as well as users of cryptocurrency platforms including Binance, Coinbase, Gemini, Kraken, ShakePay, Caleb & Brown, and Trezor. To date, over 100 victims have been successfully phished.

The phishing pages are built so that the fake login screen is revealed only after the victim successfully completes a CAPTCHA test using hCaptcha. This approach is meant to keep automated analysis tools from flagging the sites.

In certain instances, these pages are disseminated through unsolicited phone calls and text messages. The perpetrators impersonate a company’s customer support team, falsely claiming to assist in securing the account following an alleged hack.

Upon entering their credentials, users are either prompted to provide a two-factor authentication (2FA) code or instructed to “wait” under the guise of verifying the provided information.

According to Lookout, “The attacker likely attempts to log in using these credentials in real time, then redirects the victim to the appropriate page depending on what additional information is requested by the MFA service the attacker is trying to access.”

Additionally, the phishing kit tries to create an illusion of credibility by letting the operator customize the phishing page in real time. This customization includes providing the last two digits of the victim’s actual phone number and selecting whether the victim should be asked for a six- or seven-digit token.

After the user enters the one-time password (OTP), the threat actor captures it and uses it to sign in to the desired online service. Subsequently, the victim can be directed to any page of the attacker’s choosing, including the legitimate Okta login page or a page displaying customized messages.

Lookout mentioned that the campaign bears similarities to that of Scattered Spider, particularly in its impersonation of Okta and the utilization of domains previously identified as affiliated with the group.

“The URLs and spoofed pages resemble those created by Scattered Spider, but the phishing kit possesses significantly different capabilities and C2 infrastructure,” the company stated. “This copycat behavior is typical among threat actor groups, particularly when tactics and procedures have garnered public success.”

“It remains unclear whether this is the work of a single threat actor or a shared tool used by multiple groups.”

“The combination of high-quality phishing URLs, login pages mirroring legitimate sites, a sense of urgency, and consistent communication via SMS and voice calls contributes to the threat actors’ success in stealing valuable data,” Lookout emphasized.
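Defenders can hunt for lookalike hostnames that embed a brand name by scanning DNS or proxy logs. The sketch below is an added example, not code from Lookout's report or from this article; the legitimate-domain allow-list, the log format, and the sample lines are constructed assumptions, and the two-label registrable-domain shortcut stands in for a Public Suffix List lookup.

```python
import re

# Brands named in the article; the legitimate domains listed are assumptions.
LEGIT = {
    "coinbase": {"coinbase.com"},
    "binance": {"binance.com"},
    "kraken": {"kraken.com"},
    "gemini": {"gemini.com"},
    "okta": {"okta.com"},
}

def refang(host):
    """Undo the '[.]' defanging used in IoC lists and normalise case."""
    return host.replace("[.]", ".").strip().strip(".").lower()

def registrable(host):
    # Simplification: last two labels. Use the Public Suffix List in production.
    return ".".join(host.split(".")[-2:])

def lookalike_brand(host):
    """Return the impersonated brand, or None if legitimate or unrelated."""
    host = refang(host)
    reg = registrable(host)
    tokens = set(re.split(r"[-.]", host))
    for brand, domains in LEGIT.items():
        if brand in tokens and reg not in domains:
            return brand
    return None

# Constructed DNS query log lines (timestamp, client, queried name); not real traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 www.coinbase.com
2024-03-01T10:00:07Z 10.0.0.5 00000-coinbase.test
2024-03-01T10:01:12Z 10.0.0.9 login.okta.com
2024-03-01T10:01:30Z 10.0.0.9 00000-okta[.]test
2024-03-01T10:02:44Z 10.0.0.7 okta.com.sso-portal.test
2024-03-01T10:03:02Z 10.0.0.7 news.example.org
"""

def scan(log_text):
    """Return (client, hostname, brand) for every lookalike query in the log."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, name = line.split()
        brand = lookalike_brand(name)
        if brand:
            hits.append((client, refang(name), brand))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Brand names that are also common words, such as "gemini", will match unrelated hosts, so tune the token list and allow-list before alerting on hits.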

Fortra revealed that financial institutions in Canada are now being targeted by a new phishing-as-a-service (PhaaS) group called LabHost, which surpassed its rival Frappo in popularity in 2023. LabHost conducts phishing attacks using a real-time campaign management tool named LabRat, allowing for adversary-in-the-middle (AiTM) attacks to capture credentials and 2FA codes.

The threat actor also created LabSend, an SMS spamming tool that automates sending links to LabHost phishing pages, enabling customers to conduct large-scale smishing campaigns.

“LabHost services enable threat actors to target a range of financial institutions, offering features like ready-to-use templates, real-time campaign management tools, and SMS lures,” the company explained.

Indicators of Compromise

Command and Control servers


Phishing websites



About the Author:

FirstHackersNews- Identifies Security
