New Phishing Kit Uses SMS and Voice Calls to Target Cryptocurrency Users


A new phishing kit that mimics the login pages of well-known cryptocurrency services has been spotted as part of an attack cluster designed to primarily target mobile devices.

“This kit allows attackers to make copies of single sign-on (SSO) pages and then use a combination of email, SMS and voice phishing to trick the target into entering usernames, passwords, URLs for set passwords and even sharing photo IDs from hundreds of victims, especially in the United States,” Lookout said in a report.

Targets of the phishing kit include employees of the Federal Communications Commission (FCC), Binance, Coinbase, and cryptocurrency users from various platforms such as Binance, Coinbase, Gemini, Kraken, ShakePay, Caleb & Brown, and Trezor. To date, more than 100 victims have been successfully phished.

The phishing pages are designed so that the fake login screen is only displayed after the victim completes a CAPTCHA test using hCaptcha, thus preventing automated analysis tools from flagging the sites.

In some cases, these pages are distributed via unsolicited phone calls and text messages that spoof a company’s customer service team under the pretext of securing the victim’s account after a suspected hack.


Once the user enters their login credentials, they are asked either to provide a two-factor authentication (2FA) code or to “wait” while the page claims to verify the information provided.

“The attacker will likely attempt to log in in real time using these credentials and then redirect the victim to the appropriate page depending on the additional information requested by the MFA service the attacker is trying to access,” Lookout said.

The phishing kit also attempts to create an illusion of credibility by allowing the operator to customize the phishing page in real time by entering the last two digits of the victim’s actual phone number and selecting whether the victim should be asked for a six- or seven-digit token.

The one-time password (OTP) entered by the user is then captured by the threat actor, who uses it to log in to the desired online service using the provided token. In the next step, the victim can be taken to any page of the attacker’s choosing, including the legitimate Okta login page or a page that displays customized messages.

Lookout said the campaign shares similarities with Scattered Spider, particularly in its impersonation of Okta and its use of domains previously identified as affiliated with the group.
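A defender-side triage sketch for the Okta and brand impersonation described above (an added example, not code from Lookout's report or from the kit): it flags URLs seen in SMS, mail or proxy logs whose hostname names one of the targeted brands without sitting under that brand's own domain. The legitimate-domain map, the lure keyword list and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Brands named in the article. The legitimate domains and the keyword list are
# assumptions of this example; load yours from an asset inventory.
LEGIT = {
    "fcc": "fcc.gov", "okta": "okta.com", "binance": "binance.com",
    "coinbase": "coinbase.com", "gemini": "gemini.com", "kraken": "kraken.com",
    "shakepay": "shakepay.com", "trezor": "trezor.io",
}
LURE_WORDS = ("sso", "login", "auth", "verify", "secure", "support")


def host_of(url: str) -> str:
    """Lower-cased hostname; tolerates URLs pasted without a scheme."""
    if not re.match(r"[A-Za-z][A-Za-z0-9+.-]*://", url):
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def triage(url: str) -> dict:
    """Flag hosts that name a monitored brand without belonging to it."""
    host = host_of(url)
    tokens = set(re.split(r"[.-]", host))
    owned = any(host == d or host.endswith("." + d) for d in LEGIT.values())
    # Short names (fcc, okta) must be a whole label or hyphen part; longer
    # names also match inside a label, e.g. "coinbasehelp".
    brands = sorted(
        b for b in LEGIT
        if not owned and (b in tokens or (len(b) > 4 and b in host))
    )
    lure = sorted(w for w in LURE_WORDS if w in tokens)
    score = len(brands) + (1 if brands and lure else 0)
    verdict = "high" if score >= 2 else "review" if score == 1 else "ignore"
    return {"host": host, "brands": brands, "lure": lure, "verdict": verdict}


# Constructed sample URLs; the lookalikes use reserved TLDs, not real indicators.
SAMPLES = [
    "https://fcc-okta.example/landing",      # two brands combined
    "coinbase.com.sso-check.test/reset",     # brand domain used as a subdomain
    "https://www.coinbase.com/signin",       # genuinely under the brand domain
    "https://gemini-observatory.example",    # common word: review, not block
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(triage(u))
```

Because the fake login form sits behind a CAPTCHA, hostname-level triage like this still works where automated page analysis does not; names such as "gemini" and "kraken" are ordinary words, so single-brand hits are marked for review rather than treated as confirmed.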


“While the URLs and spoofed pages may look similar to what Scattered Spider could create, there are significantly different capabilities and C2 infrastructure within the phishing kit,” the company said. “This type of copycatting is common among threat actor groups, especially when a set of tactics and procedures have had so much public success.”

It is also currently unclear whether this is the work of a single threat actor or a common tool used by several groups.

“The combination of high-quality phishing URLs, login pages that perfectly match the look and feel of the legitimate sites, a sense of urgency and consistent connection via SMS and voice calls is what has given threat actors so much success in stealing high-quality data,” Lookout commented.


The development comes as Fortra revealed that financial institutions in Canada have become targets of a new phishing-as-a-service (PhaaS) group called LabHost, which will overtake its rival Frappo in popularity by 2023.

LabHost’s phishing attacks are carried out using a real-time campaign management tool called LabRat, which enables adversary-in-the-middle (AiTM) attacks and captures login credentials and 2FA codes.

Also developed by the threat actor is an SMS spamming tool called LabSend, which provides an automated method of sending links to LabHost phishing pages, allowing customers to set up smishing campaigns on a large scale.

“LabHost services enable threat actors to target a variety of financial institutions with features ranging from pre-built templates, real-time campaign management tools, and SMS decoys,” the company said.
