New phishing kit targets cryptocurrency users

admin · 2024-03-02 19:07:56 · 9 views · 4,828 characters · 16 min 5 sec read

A novel phishing kit has been observed impersonating the login pages of well-known cryptocurrency services as part of an attack cluster designed to primarily target mobile devices.

"This kit enables attackers to build carbon copies of single sign-on (SSO) pages, then use a combination of email, SMS, and voice phishing to trick the target into sharing usernames, passwords, password reset URLs, and even photo IDs from hundreds of victims, mostly in the United States," Lookout said in a report.

Targets of the phishing kit include employees of the Federal Communications Commission (FCC), Binance, Coinbase, and cryptocurrency users of various platforms like Binance, Coinbase, Gemini, Kraken, ShakePay, Caleb & Brown, and Trezor. More than 100 victims have been successfully phished to date.

The phishing pages are built so that the fake login screen is shown only after the visitor passes an hCaptcha challenge; automated URL scanners and crawlers that cannot solve the CAPTCHA never reach the credential-harvesting page and so have nothing to flag.

In some cases, these pages are distributed via unsolicited phone calls and text messages by spoofing a company's customer support team under the pretext of securing their account after a purported hack.

Once the user enters their credentials, they are either asked to provide a two-factor authentication (2FA) code or asked to "wait" while it claims to verify the provided information.

"The attacker likely attempts to log in using these credentials in real time, then redirects the victim to the appropriate page depending on what additional information is requested by the MFA service the attacker is trying to access," Lookout said.

The phishing kit also tries to add credibility by letting the operator customize the page in real time: the operator supplies the last two digits of the victim's actual phone number (mirroring the masked-number hint a legitimate SMS-OTP prompt shows) and chooses whether the victim is asked for a six- or seven-digit token.

The one-time password (OTP) entered by the user is captured by the threat actor, who uses it to complete the sign-in to the targeted online service before the code expires. In the next step, the victim can be directed to any page of the attacker's choosing, including the legitimate Okta login page or a page that displays customized messages.

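The sequence above (password tried live, OTP page shown only when the service asks for a token, OTP relayed before it expires) is an adversary-in-the-middle relay, and it works against any code the victim can read off a screen. The simulation below, added here as an example and not code from Lookout, the phishing kit, or any of the named services, models that relay against a TOTP-protected account and then runs the identical relay against an origin-bound (WebAuthn-style) login. All user names, secrets and domains are constructed; the HMAC "signature" stands in for the real public-key signature over clientDataJSON, which in WebAuthn likewise covers the origin the browser is actually on.

```python
"""Relay simulation: password + TOTP is relayable, origin-bound auth is not.
Added example; every name, secret and domain below is constructed."""
import hashlib
import hmac
import secrets
import struct
import time


def totp(secret: bytes, now: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the six- or seven-digit token the kit asks for."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class Service:
    """Stand-in for an exchange or Okta tenant accepting password + TOTP, or an
    assertion whose signature covers the challenge AND the origin it was made on."""
    ORIGIN = "https://login.exchange.test"  # constructed legitimate origin

    def __init__(self):
        self.users, self.challenges = {}, {}

    def register(self, user, password):
        self.users[user] = {"password": password,
                            "totp_secret": secrets.token_bytes(20),
                            "fido_key": secrets.token_bytes(32)}

    def login_password(self, user, password):
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(u["password"], password):
            return "DENIED"
        return "NEED_OTP"  # the answer the kit waits for before showing its token page

    def login_otp(self, user, code, now):
        ok = hmac.compare_digest(totp(self.users[user]["totp_secret"], now), code)
        return "SESSION" if ok else "DENIED"

    def fido_challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def fido_verify(self, user, assertion):
        msg = (self.challenges[user] + "|" + self.ORIGIN).encode()
        expected = hmac.new(self.users[user]["fido_key"], msg, hashlib.sha256).hexdigest()
        return "SESSION" if hmac.compare_digest(expected, assertion["sig"]) else "DENIED"


class Victim:
    """Knows the password, holds the TOTP seed, and has an authenticator that
    signs the origin the browser is really on, not the one the page claims."""

    def __init__(self, user, password, svc):
        self.user, self.password = user, password
        self.totp_secret = svc.users[user]["totp_secret"]
        self.fido_key = svc.users[user]["fido_key"]

    def current_otp(self, now):
        return totp(self.totp_secret, now)

    def fido_sign(self, challenge, browser_origin):
        msg = (challenge + "|" + browser_origin).encode()
        return {"origin": browser_origin,
                "sig": hmac.new(self.fido_key, msg, hashlib.sha256).hexdigest()}


PHISH_ORIGIN = "https://login-exchange-support.test"  # constructed look-alike lure


def relay_password_and_otp(svc, victim, now):
    """The flow in the report: try the captured password live; only if the
    service answers NEED_OTP does the clone show its token page, then relay."""
    first = svc.login_password(victim.user, victim.password)
    if first != "NEED_OTP":
        return first
    return svc.login_otp(victim.user, victim.current_otp(now), now)


def relay_origin_bound(svc, victim):
    """Same relay against origin-bound auth: the attacker forwards the real
    challenge and even rewrites the origin field, but the signature covers
    the phishing origin the victim's browser was actually on."""
    challenge = svc.fido_challenge(victim.user)
    assertion = victim.fido_sign(challenge, PHISH_ORIGIN)
    assertion["origin"] = svc.ORIGIN  # attacker-side tampering; does not help
    return svc.fido_verify(victim.user, assertion)


def demo(now=None):
    svc = Service()
    svc.register("alice", "correct horse battery")
    victim = Victim("alice", "correct horse battery", svc)
    now = int(time.time()) if now is None else now
    return relay_password_and_otp(svc, victim, now), relay_origin_bound(svc, victim)


if __name__ == "__main__":
    print(demo())  # ('SESSION', 'DENIED')
```

The first result shows why the "wait while we verify" page exists: the attacker needs the service's own answer (NEED_OTP, and which kind of token) before it knows which lure page to render. The second shows the property that breaks the relay: nothing the victim types or approves on the look-alike origin verifies on the real one, so moving users of the targeted services from SMS/TOTP codes to origin-bound authenticators removes the step the kit depends on.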
Lookout said the campaign shares similarities with that of Scattered Spider, specifically in its impersonation of Okta and the use of domains that have been previously identified as affiliated with the group.

"Despite the URLs and spoofed pages looking similar to what Scattered Spider might create, there are significantly different capabilities and C2 infrastructure within the phishing kit," the company said. "This type of copycatting is common amongst threat actor groups, especially when a series of tactics and procedures have had so much public success."

It's currently also not clear if this is the work of a single threat actor or a common tool being used by different groups.

"The combination of high quality phishing URLs, login pages that perfectly match the look and feel of the legitimate sites, a sense of urgency, and consistent connection through SMS and voice calls is what has given the threat actors so much success stealing high quality data," Lookout noted.

The development comes as Fortra revealed that financial institutions in Canada have been targeted by a new phishing-as-a-service (PhaaS) group called LabHost, which overtook its rival Frappo in popularity in 2023.

LabHost's phishing attacks are run through a real-time campaign management tool named LabRat, which lets an operator stage an adversary-in-the-middle (AiTM) attack and capture credentials and 2FA codes as the victim submits them.

Also developed by the threat actor is an SMS spamming tool dubbed LabSend that provides an automated method for sending links to LabHost phishing pages, thereby allowing its customers to mount smishing campaigns at scale.

"LabHost services allow threat actors to target a variety of financial institutions with features ranging from ready-to-use templates, real-time campaign management tools, and SMS lures," the company said.

Originally published on the WeChat public account 知机安全: New phishing kit targets cryptocurrency users

Please keep this link when reposting (CN-SEC: thanks to the original author for their work): New phishing kit targets cryptocurrency users https://cn-sec.com/archives/2541433.html
