FCC and crypto firms are being hit in advanced phishing attacks using fake Okta logins

A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
(Image credit: weerapatkiatdumrong / Getty Images)

Security researchers have observed a highly sophisticated phishing campaign targeting employees of the US Federal Communications Commission (FCC), as well as popular crypto exchanges Binance, Coinbase, Kraken, and Gemini.

The as-yet-unidentified threat actor is going after people’s login credentials for Okta, researchers from Lookout found.

First, they would create landing pages for logging into places like the FCC portal, or Binance. These landing pages would be seemingly identical to the authentic ones, and are hosted mostly on RetnNet (a Russian web hosting service which might be more tolerant to cybercrime than its Western peers).

More than 100 victims

To build out these pages, they would use a previously unknown phishing kit named CryptoChameleon. Besides the creation of landing pages, this kit also helps with calls, emails, and SMS messages that serve as the initial point of communication with the target. For example, the attackers would use it to “notify” the victim that Binance “spotted” a suspicious login, and to share a link to “secure” the account. The link would then lead the victim to the phishing site, where all of the necessary login credentials are harvested.

The attackers can also use the kit to relay multi-factor authentication (MFA) codes, and other one-time passcodes, to complete the login process. Once it’s done, the victim would either be redirected to the authentic login page, or to a secondary fraudulent page claiming the account is “under review”. This is done to buy more time for the attackers. 

"The sites seem to have successfully phished more than 100 victims, based on the logs observed," the researchers said. "Many of the sites are still active and continue to phish for more credentials each hour."

While the researchers couldn’t confirm the identities of the attackers, they said that the campaign greatly resembles the 2022 Oktapus campaign, which was conducted by Scattered Spider. The group is not known to be state-sponsored.

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Smartphone with new logo X twitter app background. Application twitter old blue bird change X black and white new.
Phishing campaign targets prominent X users, accounts at risk
Someone checking their credit card details online.
Hackers use CAPTCHA scam in PDF files on Webflow CDN to get past security systems
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft authentication system spoofed via phishing attack
QR Code
Hackers are targeting Signal with new QR code-linked cyberattack
Trump
Hackers are abusing $TRUMP tokens to lure victims in to new phishing scam
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
These fake GitHub "security alerts" could actually let hackers hijack your account
Latest in Security
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Veeam urges users to patch security issues which could allow backup hacks
UK Prime Minister Sir Kier Starmer
The UK releases timeline for migration to post-quantum cryptography
Representational image depecting cybersecurity protection
Cisco smart licensing system sees critical security flaws exploited
Latest in News
L-mount alliance
Sirui joins L-Mount Alliance to deliver its superb budget lenses for Leica, DJI, Sigma and Panasonic cameras
Security padlock and circuit board to protect data
Trust in digital services around the world sees a massive drop as security worries continue
A Lego Pikachu tail next to a Pebble OS watch and a screenshot of Assassin's Creed Shadow
ICYMI: the week's 7 biggest tech stories from LG's excellent new OLED TV to our Assassin's Creed Shadow review
Samuel and Romy standing very close together in A24's Babygirl movie
Everything new on Max in April 2025, including A24's Babygirl and The Last of Us season 2
An AMD Radeon RX 9070 XT made by Sapphire on a table with its retail packaging
AMD’s secret weapon against Nvidia seems to be stock – way more RX 9070 GPUs are rumored to be hitting shelves than RTX 5000 models
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks