Sophisticated Phishing Scheme

Scams

March 7, 2024

Researchers discovered a sophisticated phishing scheme that combines fraudulent URLs, cloned login pages, a manufactured sense of urgency and legitimacy, and persistent follow-up communication through mobile devices. The phishing kit contained replicas of email and single sign-on (SSO) services and supported a range of social engineering tactics, including phishing, vishing, and SMiShing, used to impersonate an organization's customer support, target its employees or users (primarily in the United States), and deceive them into divulging login credentials, password reset URLs, and photo identification.

For example, threat actors registered a domain that differed by a single character from the legitimate Federal Communications Commission (FCC) Okta SSO page and used it to host a phishing site. To build a sense of legitimacy and evade automated detection of the campaign, the site first required the target to complete an hCaptcha challenge. Once completed, the replica of the legitimate FCC Okta SSO page loaded and prompted the target to enter their credentials. If the target complied, they were sent to a purported loading page and asked to wait while their information was "verified." In the background, the threat actors monitored the phishing page in real time through an administrative console and used the stolen credentials immediately. They then redirected the target to a page customized for the target's multi-factor authentication (MFA) method, such as a code from an authenticator app or an SMS-based code. Once the code was entered, the threat actors captured it and attempted to log in to the FCC. Because the relay happens in real time, a one-time code from an authenticator app or SMS is replayed within its validity window, so these MFA methods do not protect against this kit. At the same time, the target was shown either a generic page or a custom page presenting one of several scenarios, such as a notice that the account was under review along with advice to try logging in again at a specified date or time.

Although the phishing kit targets the FCC and impersonates its legitimate SSO page by default, threat actors can evidently impersonate other organizations and brands, as shown by other discovered impersonation pages for cryptocurrency platforms (such as Binance, Coinbase, and more) and email/SSO services (including AOL, Gmail, iCloud, Okta, Outlook, Twitter, and Yahoo). The scheme has similarities to Scattered Spider, including the impersonation of Okta, the registration of domains of the form organizationname-okta.com, and homoglyph techniques, which use fraudulent domain names that appear legitimate because they are composed of similar-looking characters. However, attribution to Scattered Spider is unlikely given differences in the phishing kit's capabilities and command and control (C2) infrastructure.
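As an added example, not code from the NJCCIC report or from the phishing kit it describes, the following Python script flags the kinds of lookalike domains discussed above: the organizationname-okta.com pattern, homoglyph substitutions (including Cyrillic characters hidden behind punycode), and single-character edits of a protected domain. The protected domains, brand names, proxy-log format, and every domain in the sample log are constructed for illustration; "example.com" stands in for a targeted organization and "example.okta.com" for its legitimate Okta tenant.

```python
"""Lookalike-domain detection for the tactics described in the advisory.

Added example, not taken from the NJCCIC report or the phishing kit.
All protected domains, lookalike domains and log lines are constructed.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Domains we do not want impersonated (constructed). The brand is the second-level label.
PROTECTED = ["example.com", "okta.com"]

# Confusable substitutions mapped to the ASCII letter they imitate. Multi-character
# entries ("rn" for "m", "vv" for "w") are applied before single characters.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
}

ORG_OKTA_RE = re.compile(r"(.+)-okta")   # organizationname-okta pattern from the report
LOG_DST_RE = re.compile(r"\bdst=(\S+)")  # assumed proxy-log field holding the destination host


def normalize(label: str) -> str:
    """Fold confusable characters so a homoglyph domain compares equal to the original."""
    label = label.lower()
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        label = label.replace(src, CONFUSABLES[src])
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance: each insertion, deletion or substitution counts as one edit."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels of the host. Assumes single-label TLDs (no co.uk-style suffixes)."""
    host = domain.lower().rstrip(".")
    if "xn--" in host:  # decode punycode so Cyrillic lookalikes are visible to normalize()
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    return ".".join(host.split(".")[-2:])


def classify(domain: str, protected: Iterable[str] = PROTECTED, max_edits: int = 1) -> Optional[str]:
    """Return why `domain` looks like a lookalike of a protected domain, or None if it does not."""
    protected = list(protected)
    brands = {normalize(d.split(".")[0]) for d in protected}
    reg = registrable(domain)
    if reg in protected:
        return None  # the genuine site, or a subdomain of it (e.g. the real Okta tenant)
    sld = reg.rsplit(".", 1)[0]
    m = ORG_OKTA_RE.fullmatch(normalize(sld))
    if m and m.group(1) in brands:
        return f"impersonates {m.group(1)} (organizationname-okta pattern)"
    folded = normalize(reg)
    for legit in protected:
        if folded == normalize(legit):
            return f"homoglyph of {legit}"
        dist = levenshtein(folded, normalize(legit))
        if dist <= max_edits:
            return f"edit distance {dist} from {legit}"
    return None


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Run classify() over proxy-log lines; returns (destination, reason) for each hit."""
    hits = []
    for line in lines:
        m = LOG_DST_RE.search(line)
        if m:
            reason = classify(m.group(1))
            if reason:
                hits.append((m.group(1), reason))
    return hits


# Constructed sample log lines (not real traffic); the field layout is an assumption.
SAMPLE_LOG = [
    "2024-03-07T10:15:01Z user=jdoe dst=example.okta.com uri=/",
    "2024-03-07T10:16:44Z user=jdoe dst=exarnple-okta.com uri=/login",
    "2024-03-07T10:17:02Z user=asmith dst=ex\u0430mple.com uri=/verify",
    "2024-03-07T10:18:30Z user=asmith dst=updates.example.com uri=/",
    "2024-03-07T10:19:05Z user=bkim dst=0kta.com uri=/mfa",
    "2024-03-07T10:20:11Z user=bkim dst=examplee.com uri=/",
]

if __name__ == "__main__":
    for dst, reason in scan_log(SAMPLE_LOG):
        print(f"{dst}: {reason}")
```

Treat the output as a candidate list for analyst review rather than a block decision: the "rn" to "m" fold will also match legitimate names that happen to contain those letters, registrable() does not understand multi-label public suffixes such as co.uk, and an edit-distance threshold of 1 misses transpositions. The same classify() function can be pointed at newly registered domain feeds or certificate transparency logs to catch organizationname-okta style registrations before they are used.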

The NJCCIC recommends that users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Users are advised to refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders; to exercise caution with communications from known senders; and to submit account credentials only on official websites. If unsure of a communication's legitimacy, verify it with the sender through a separate, trusted channel, such as a phone number obtained from an official source, before taking action.

Compromised accounts should be signed out of all devices, and any active sessions and access tokens should be revoked. The associated password should be reset and MFA enabled, choosing a more secure method (authenticator app, biometric, or hardware token) where available; a phishing-resistant hardware token is preferable because, as described above, authenticator app and SMS codes can be relayed in real time. If you suspect your PII has been compromised, please review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources, including credit freezes and enabling MFA on accounts. Additionally, we advise reporting suspicious or fraudulent communications to the respective entity. Impersonation scams and other malicious cyber activity can be reported to the NJCCIC.