Targeted, time-intensive scams are leveraging sophisticated methods to deceive unwitting online users about the phishing sites they’re visiting.
Cybersecurity platform Lookout reported on one such scam on February 29, wherein attackers targeted Federal Communications Commission (FCC), Coinbase, and Binance employees, as well as users of several cryptocurrency platforms. The phishing kit used enabled the attackers to “build carbon copies of single sign-on (SSO) pages, then use a combination of email, SMS, and voice phishing to trick the target into sharing usernames, passwords, password reset URLs, and even photo IDs from hundreds of victims, mostly in the United States,” according to the report.
Breakdown. Lookout VP of Threat Intelligence David Richardson explained the phishing tool is a complex, multistep process that requires human interaction on the attacker side to work. Because of how time intensive the attack is, hacks are highly targeted. For the FCC, attackers used a duplicate of the verification system Okta to infiltrate systems.
“What really caught our attention from being just one of many threat actors that we were tracking was when they decided to go after the FCC by putting up an impersonation of their Okta page,” Richardson said.
Attackers use a three-pronged approach, using phone, text, and a spoof website to deceive their victim. Targets are called and asked to log into their account through the spoof Okta site; they follow instructions over the phone and enter information, including a CAPTCHA.
“The first thing they do is ask for a CAPTCHA, which is kind of interesting for a phishing site to do because usually you want to get people through your phishing site as quickly as possible,” Richardson said, adding that this move did prevent “automated analysis.”
Once the login information is entered—Richardson showed IT Brew how it works in a series of slides—the site goes into a lengthy “please wait” page before eventually returning the user to the landing page. The attacker on the other end of the site manually obtains the information, uses the credentials, and then sees if there are additional multi-factor authentication (MFA) qualifications needed, which the spoof site will then ask for.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
Human element. No automation here, the attack relies on the human element. The directions on the landing page are incoherent and need someone on the phone to walk the user through the scam.
“If you just displayed this phishing page to somebody, 95% of people—even if they didn’t know anything about it being a phishing page—they just wouldn’t be able to successfully complete these instructions,” Richardson said. “There’s not enough information. There’s not enough context.”
As IT Brew reported last November, Okta has been the target of a number of attacks in the last year as threat actors look to exploit the verification site.
“Frequently, the identity providers…they’re all the authentication for that organization,” David Manning, offensive security director at Presidio, told IT Brew last fall. “So a compromise [at] Okta can give an attacker access to many organizations and many different parts of organizations, potentially.”
Looking forward. Organizations under threat from phishing attacks should follow the same precautions as they would any other threat, Alex Cox, director of threat intelligence, mitigation, escalation at password management company LastPass, told IT Brew in a recent interview. Cox added, talking specifically about ransomware, but describing an overall strategy, that his group looks at the whole threat surface.
“We’re big believers in threat-led security,” Cox said. “You’re not just kind of checking the security boxes; you’re examining what the threat is to your particular firm or industry and making sure you’re tooling in a way that makes sense to that industry.”
Richardson suggested that firms and organizations targeted by phishing attacks like the one Lookout discovered should follow basic precautions to protect users. Awareness of the threat surface and how attackers are targeting mobile devices to get around MFA is essential, especially when managing complex, sophisticated threats—and the same goes for tactics like red teaming.
“They need to be aware of [the threat surface],” Richardson said. “And I think for security organizations…they need to start to think about red team exercises related to mobile attacks.”