In the ever-evolving landscape of cybersecurity, a new threat has emerged that targets individuals and organizations with alarming precision: the CryptoChameleon phishing kit. This sophisticated tool mimics legitimate single sign-on (SSO) pages, deceiving users into surrendering sensitive information such as usernames, passwords, and even photo IDs.

Invario’s partners at LastPass have warned that CryptoChameleon has hijacked their branding for use in targeted phishing campaigns. Some other notable hijacks include the FCC and the cryptocurrency exchange Coinbase. Read the article below for an overview of CryptoChameleon and how you can protect your organization. Most importantly, remember that LastPass or other legitimate sites won’t send you unsolicited phone or text messages asking for your password. So, if you do get these messages, ignore them.

The Rise of CryptoChameleon

Originally discovered by Lookout, CryptoChameleon is a phishing kit: in effect, phishing-as-a-service software for hackers. It enables threat actors to easily create fake SSO or login sites that imitate a legitimate site by using fraudulent branding (including graphics and logos). With CryptoChameleon the hacker can create near-perfect replicas of SSO pages. Attackers then employ a mix of email, SMS, and voice phishing to lure victims into the trap. Often, bad actors personally reach out to victims using text and even voice calls to build a sense of trust, leading to a high success rate.

How It Works

The process begins with a captcha, which is a common security measure on legitimate sites. Not only does this lull the user into a false sense of security, but it also prevents automated analysis tools from detecting the phishing site. Once the victim completes the captcha, they are presented with a login page that closely resembles the legitimate site. After entering their credentials, victims are redirected to a “loading” page while the attacker uses the stolen information in real time to bypass additional security measures like multi-factor authentication (MFA).
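One signal defenders can look for in their own identity-provider logs is the real-time relay itself: the password is submitted from the attacker's machine while the MFA push is approved from the victim's phone. The following detector is an added example, not code from the article, Lookout or LastPass; it assumes a constructed log format in which the password step and the MFA-approval step of one sign-in are separate events, each with its own source IP.

```python
"""
Heuristic detector for the real-time credential relay described above.
Added example (not from the article). Assumes a constructed IdP log in
which the password step and the MFA-approval step of one sign-in are
logged as separate events, each with the source IP that performed it.
"""
from datetime import datetime, timedelta

# Constructed sample events: ISO timestamp, user, stage, source IP.
# bob's password arrives from one IP and his MFA approval from another
# 21 seconds later, the pattern a relayed login leaves behind.
SAMPLE_LOG = """\
2024-03-01T10:00:02Z alice PASSWORD_OK 203.0.113.10
2024-03-01T10:00:05Z alice MFA_OK 203.0.113.10
2024-03-01T10:05:10Z bob PASSWORD_OK 192.0.2.99
2024-03-01T10:05:31Z bob MFA_OK 198.51.100.7
2024-03-01T11:00:00Z carol PASSWORD_OK 192.0.2.99
"""

RELAY_WINDOW = timedelta(seconds=120)  # tunable; relays are near-instant


def parse_log(text):
    """Turn raw lines into (time, user, stage, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, stage, ip = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, user, stage, ip))
    return sorted(events)


def find_relay_candidates(text, window=RELAY_WINDOW):
    """Flag sign-ins whose password step and MFA approval came from
    different IPs within the window. A password with no MFA approval
    (carol) is not flagged here; it may be a relay that failed."""
    pending = {}  # user -> (time, ip) of the latest password success
    flagged = []
    for ts, user, stage, ip in parse_log(text):
        if stage == "PASSWORD_OK":
            pending[user] = (ts, ip)
        elif stage == "MFA_OK" and user in pending:
            pw_ts, pw_ip = pending.pop(user)
            if ts - pw_ts <= window and ip != pw_ip:
                flagged.append({"user": user, "password_ip": pw_ip,
                                "mfa_ip": ip, "seconds": (ts - pw_ts).seconds})
    return flagged


if __name__ == "__main__":
    for hit in find_relay_candidates(SAMPLE_LOG):
        print(f"possible relay: {hit}")
```

Treat a hit as a prompt to re-verify the session and reset the credential, not as proof on its own; legitimate users on a laptop and a phone with different egress IPs can trip the same rule.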

Protecting Against CryptoChameleon

Organizations and individuals need a multi-layered approach to defending against advanced phishing attacks like CryptoChameleon. Key actions include:

  • Protect your organization with a multi-layered security approach that includes robust authentication processes, endpoint protection, user training, and managed detection and response capabilities.
  • Be on the lookout for unsolicited phone calls or text messages related to attempts to change your password or account information. Never interact with unsolicited messages or links.
  • If you enter credentials on a sign-on page and do not get the expected result, e.g., the page hangs and nothing happens, close the window immediately and contact your IT provider.

Reach out to our team at help@invario.net if you need assistance with any of the above items.

Conclusion

The rise of the CryptoChameleon advanced phishing kit is a stark reminder of the continuous innovation by cybercriminals. The CryptoChameleon kit is not just another phishing tool; it represents a significant shift in the cyber kill chain. With more corporate data residing in the cloud and users increasingly interacting with that data via mobile devices, the kit’s ability to steal credentials that provide immediate access to critical corporate data is particularly concerning. It’s imperative that individuals and organizations remain vigilant when it comes to combating these sophisticated tools. If you have questions about cybersecurity or advanced phishing, and how to protect your organization, send me an email and I’m happy to discuss.

Feedback

If you have questions about this article, or if there is an IT topic you would like to know more about, please email me your suggestions.

Referral$

If you know of a company that would be interested in the services of Invario, please email me the company name along with the phone number and email for the person we should contact.

That is all you have to do! Upon completion of the onboarding of a new customer, Invario will pay the equivalent of one month of Invario service to that customer. Recipients that cannot or do not wish to receive a referral payment may elect to have the referral fee donated to a charity of their choice or put into a company entertainment fund.

Dave Wilson