Attack: CryptoChameleon Phishing Kit

Phishing Cryptocurrency Users

One of the latest innovations in the arsenal of cyber threats is a phishing kit known as "CryptoChameleon." This new tool represents a significant shift in phishing tactics, moving beyond traditional email scams to incorporate SMS and voice phishing (vishing).

The phishing sites employ a tactic where a counterfeit login page appears only once the victim has successfully passed a CAPTCHA challenge, specifically through hCaptcha. This method effectively shields fraudulent sites from being detected by automated security analysis tools.

In certain instances, these fraudulent pages are distributed through unsolicited text messages and phone calls, with attackers masquerading as a company's customer support team. They claim they need to secure the victim's account following an alleged security breach.

After the user submits their login details, they are prompted either to input a two-factor authentication (2FA) code or to "wait" as the system ostensibly validates their information.

The one-time password (OTP) entered is then intercepted by the cybercriminal, who proceeds to access the targeted online account using the stolen credentials. Following this, the victim may be redirected to a webpage chosen by the attacker, which could be the genuine Okta login page or a custom message page designed to further the deception.

CryptoChameleon carbon-copied the login pages for the following:

  • Binance

  • Coinbase

  • Gemini

  • Kraken

  • ShakePay

  • Caleb & Brown

  • Trezor
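
A triage heuristic for the CAPTCHA-gating behaviour described above, added here as an example and not taken from the kit or from any vendor's tooling. It treats a lookalike host that shows only an hCaptcha challenge as needing interactive review rather than as clean. The official-domain allow-list, the verdict names and the sample pages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Brand -> official domain. Assumed allow-list for illustration; maintain your own.
OFFICIAL = {
    "binance": "binance.com", "coinbase": "coinbase.com", "gemini": "gemini.com",
    "kraken": "kraken.com", "shakepay": "shakepay.com",
    "calebandbrown": "calebandbrown.com", "trezor": "trezor.io", "okta": "okta.com",
}
# hCaptcha's loader script or its widget container class.
HCAPTCHA = re.compile(r'hcaptcha\.com/1/api\.js|class=["\'][^"\']*\bh-captcha\b', re.I)
PASSWORD_FIELD = re.compile(r'<input[^>]+type=["\']?password', re.I)


def imitated_brand(host):
    """Return the brand named in a non-official hostname, else None."""
    host = host.lower()
    if any(host == d or host.endswith("." + d) for d in OFFICIAL.values()):
        return None  # genuine property of a listed brand
    flat = host.replace("-", "").replace(".", "")
    return next((b for b in OFFICIAL if b in flat), None)


def triage(url, html):
    """Classify one crawled page (hypothetical verdict names)."""
    brand = imitated_brand(urlsplit(url).hostname or "")
    if brand is None:
        return "no-match"
    if PASSWORD_FIELD.search(html):
        return "lookalike-login"
    if HCAPTCHA.search(html):
        # No form visible yet: the login page may sit behind the challenge,
        # so queue for interactive review instead of marking it clean.
        return "captcha-gated-lookalike"
    return "lookalike-host"


# Constructed sample pages (not captured from real sites).
GATE = '<script src="https://js.hcaptcha.com/1/api.js"></script><div class="h-captcha"></div>'
FORM = '<form><input name="u"><input type="password" name="p"></form>'
SAMPLES = [
    ("https://coinbase-support.example/verify", GATE),
    ("https://kraken-okta.example/login", FORM),
    ("https://www.coinbase.com/signin", FORM),
    ("https://blog.example/contact", GATE),
]

if __name__ == "__main__":
    for url, html in SAMPLES:
        print(f"{triage(url, html):24} {url}")
```

Substring matching on brand names is deliberately loose and will flag some unrelated hosts (for example, ones containing "gemini"), so the verdict is a review queue signal, not a block decision.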
