CryptoChameleon Attackers Target Apple, Okta Users With Tech Support Gambit

A phishing kit dubbed CryptoChameleon has been discovered targeting cryptocurrency platforms, including employees of Binance and Coinbase — as well as the Federal Communications Commission (FCC).

According to an analysis from Lookout, the victims primarily use Apple iOS and Google Android devices with single sign-on (SSO) solutions, including Okta, Outlook, and Google.

Worryingly, successful attacks have yielded sensitive data beyond just usernames and passwords — for example, password reset URLs and photo IDs — making the attacks more damaging.

"Cryptocurrency platforms, single sign-on services, government agencies, and other B2C-facing organizations should look at stronger forms of authentication, such as WebAuthn-based passkeys," says Jason Soroko, senior vice president of product at Sectigo.

Sophisticated CryptoChameleon's Phishing Tactics Are Convincing

The sophisticated cyberattackers behind CryptoChameleon are notably exhibiting advanced tactics, such as personal outreach. The social engineering includes personalized text messages and voice calls impersonating legitimate support personnel from reputable companies.

And they're also convincingly duplicating legitimate pages, making them harder to recognize, according to Lookout. Specifically, the use of phone numbers and websites that mimic real company support teams adds another layer of authenticity to the phishing attempts, further misleading the victims.

Meanwhile, the CryptoChameleon kit also utilizes hCaptcha to evade automated analysis tools.

In general, CryptoChameleon's MO resembles techniques used by the Scattered Spider financial cyberthreat group, in particular targeting Okta users through voice calls by purporting to be help desk personnel — but Lookout noted the attacks are carried out with enough variance to suggest a different threat actor.

In fact, the researchers suspect the phishing kit might be offered as an as-a-service offering on Dark Web forums.

"It is unknown whether this is a single threat actor, or a common tool being used by many different groups," according to Lookout's researchers. "However, there are many similarities in the backend C2 [command-and-control] servers and test data our team found across the various phishing sites."

Don't Be Duped by Fake Phone Calls From Tech Support

When it comes to social engineering from text messages and phone calls, organizations must educate their employees and set up a policy to verify the source of requests, Soroko says.

"We have seen deepfake audio phone calls that were very effective, which means that normal means of communication that were once fully trusted require a higher level of scrutiny," he notes. "You need to verify who is texting and calling, and moving forward, we need better ways to make that easier."

Patrick Tiquet, vice president of security and architecture at Keeper Security, agrees that organizations should prioritize user education, emphasizing the risks associated with unsolicited messages and the importance of additional verification to ensure the URL of the destination website matches the authentic website. 

"When a password manager is used, it automatically identifies when a site's URL doesn't match what's contained in the user's vault, which provides a critical extra layer of security," he explains.

Tiquet says multifactor authentication (MFA) can also provide a critical second layer of protection that protects against phishing attacks — but he warns that cybercriminals are working to evade MFA protections and are developing advanced tactics to gain access to high-value accounts and steal credentials.