Hackers are creating fake login pages for Coinbase, Binance, and other crypto platforms to trick users into handing over sensitive information like their usernames, passwords, password reset URLs, and photo IDs.

In a report on Feb. 29, threat intelligence firm Lookout said the threat actors are also using this tactic to target employees at Coinbase, Binance, and the Federal Communications Commission (FCC).

At the heart of this campaign is an advanced phishing kit, dubbed CryptoChameleon, that allows cybercriminals to create fake single sign-on pages for various platforms, including AOL, Gmail, iCloud, Okta, Outlook, Twitter, and Yahoo.

Scammers are replicating sign-in pages to near perfection, complete with fake “loading” pages, emails, SMS messages, and “professional” calls, Lookout said. While the attackers are impersonating many companies, “Coinbase is the most-frequently targeted service,” according to the report.

The scams “seem to have successfully phished more than 100 victims, based on the logs observed,” the report said. “Many of the sites are still active and continue to phish for more credentials each hour,” it added.

This phishing campaign appears to mainly target mobile users. And, so far, most of the victims are in the United States.

Sophisticated Phishing Attack

Lookout discovered the phishing kit after its systems detected a suspicious domain — fcc-okta[.]com — that closely resembles the FCC’s Okta sign-in page.
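The detection that surfaced this campaign was a hostname that paired a target brand with the name of its SSO provider. The following script is an added example, not Lookout's tooling or anything from the report: it runs two defender-side heuristics over a list of observed hostnames (such as newly registered domains or certificate-transparency entries), flagging hosts that combine a watchlisted brand with a login/SSO term and hosts whose registrable name sits within one edit of a legitimate domain. The brand watchlist, the allowlist, the login-term list and all sample hostnames other than fcc-okta[.]com are constructed for illustration.

```python
"""Flag lookalike sign-in hostnames with two simple heuristics.

Added example (not from Lookout or the article). Assumptions:
  * BRANDS and LOGIN_TERMS are a defender's own watchlist, kept here inline;
  * registrable() treats the last two labels as the registrable domain
    (no public-suffix list handling).
"""
import re

# Watchlisted brand tokens mapped to their legitimate registrable domain (assumed allowlist).
BRANDS = {
    "coinbase": "coinbase.com",
    "binance": "binance.com",
    "okta": "okta.com",
    "fcc": "fcc.gov",
}

# Tokens that commonly appear in a sign-in / SSO hostname (assumed list).
LOGIN_TERMS = {"okta", "sso", "login", "signin", "auth", "account", "verify"}

# Sample observed hostnames (constructed). fcc-okta.com mirrors the domain from
# the report; every other entry is invented for the demonstration.
OBSERVED = [
    "fcc-okta.com",
    "login.coinbase.com",        # legitimate subdomain of an allowlisted domain
    "coinbase-sso.net",
    "binance.com",
    "bnance.com",                # one edit away from binance.com
    "okta.com",
    "example.org",
    "secure-account-verify.net",  # login terms but no watchlisted brand
]


def registrable(host):
    """'login.coinbase.com' -> 'coinbase.com' (last two labels, lowercased)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return the list of reasons `host` looks like a brand lookalike ([] if none)."""
    reg = registrable(host)
    if reg in BRANDS.values():
        return []  # the legitimate domain itself, or one of its subdomains
    reasons = []

    # Heuristic 1: a watchlisted brand token next to a login/SSO token
    # (e.g. "fcc" + "okta"). A brand that is itself a login term, such as
    # "okta", does not count as its own login term.
    tokens = set(re.split(r"[.-]", host.lower()))
    login_hits = tokens & LOGIN_TERMS
    for brand in [b for b in BRANDS if b in tokens]:
        others = login_hits - {brand}
        if others:
            reasons.append(f"brand '{brand}' paired with login term(s) {sorted(others)}")

    # Heuristic 2: registrable name equal to, or one edit away from, a brand's
    # legitimate name. Distance 0 here means the same name on another TLD,
    # because exact allowlist matches returned early above.
    sld = reg.split(".")[0]
    for legit in BRANDS.values():
        legit_sld = legit.split(".")[0]
        d = edit_distance(sld, legit_sld)
        if d == 0:
            reasons.append(f"'{sld}' is the {legit} name on a different TLD")
        elif d == 1:
            reasons.append(f"'{sld}' is within 1 edit of '{legit_sld}'")
    return reasons


def scan(hosts):
    """Return {host: reasons} for every host that triggers at least one heuristic."""
    flagged = {}
    for h in hosts:
        reasons = classify(h)
        if reasons:
            flagged[h] = reasons
    return flagged


if __name__ == "__main__":
    for host, reasons in scan(OBSERVED).items():
        print(f"{host}: " + "; ".join(reasons))
```

Short brand tokens such as "fcc" make the one-edit rule noisy on real data, so in practice the distance threshold should scale with the length of the legitimate name, and hits should feed a review queue rather than an automatic block.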

This campaign marks a significant shift from traditional phishing attempts, revealing a refined adaptation to modern security defenses. Lookout found that the phishing kit includes an administrative console that permits attackers to monitor and modify phishing pages on the fly.

This console also provides attackers with extensive customization capabilities, such as tailoring specific MFA (multi-factor authentication) requests or falsely notifying victims that their accounts are under review.

The campaign leverages a variety of domains and subdomains with multiple command and control servers, Lookout said.

The attackers even engaged directly with victims through spoofed phone calls and SMS messages, with threat actors masquerading as customer support. This, combined with high-quality phishing URLs and login pages, has contributed to the campaign’s success.

“When we asked victims to describe the person on the other end of the line, they characterize them as sounding ‘American’, ‘well spoken’, and ‘had professional call-center communication skills’,” the report said.

How to Avoid Falling for Phishing Scams

Scammers are increasingly launching sophisticated phishing attacks that are harder for security systems to detect. Lookout highlighted how the threat actors behind this phishing kit sought to evade detection by shifting between different IP addresses and using “hCaptcha” to thwart automated analysis.

It’s more important than ever to know how to spot phishing attacks and take steps to protect your device. Among other things, we recommend:

  • Enabling MFA (multi-factor authentication) on all your accounts.
  • Checking your financial statements for suspicious activity. Report malicious activity to the platform or police.
  • Being wary of fraudulent cryptocurrency apps.
  • Not clicking on links in SMS messages, even when they don’t seem suspicious.
  • Setting antivirus tools to automatically update.
  • Changing your passwords often and using unique passwords for each account.
  • Regularly backing up data to prevent loss from breaches.

Read our guide to avoiding online scams for more actionable tips.
