Phishers target FCC, crypto holders via fake Okta SSO pages

A new phishing campaign is using fake Okta single sign-on (SSO) pages for the Federal Communications Commission (FCC) and for various cryptocurrency platforms to target users and employees, Lookout researchers have discovered.

The phishing campaign

By pretending to be customer support and combining email, text messages and phone calls, attackers are social engineering victims into clicking the provided link.

The victims are then prompted to resolve a captcha using hCaptcha – a tactic that prevents the phishing site from being identified and adds to its credibility – and are presented with a spoofed Okta SSO page.

FCC/Okta loading page. (Source: Lookout)

“Upon providing their credentials, the victim can be sent to wait, sign in, or ask for the MFA token,” Lookout researchers noted.

“The attacker likely attempts to log in using these credentials in real time, then redirects the victim to the appropriate page depending on what additional information is requested by the MFA service the attacker is trying to access, for example, they can be redirected to a page that asks for their MFA token from their authenticator app or a page requesting an SMS-based token.”

The attackers can also customize the phishing page in real time by providing the last two digits of the victim’s phone number and asking for a 6- or 7-digit token.

After having logged in with the provided one-time password (OTP) token, the victim gets redirected either to the legitimate Okta sign in page or a customized page informing the victim their account is under review.

About the phishing kit

The phishing kit making these attacks possible was discovered by Lookout researchers when they noticed the registration of a suspicious new domain – fcc-okta[.]com – which highly resembles the legitimate FCC Okta SSO page.

The phishing kit also has the ability to impersonate many different brands and companies.

“Based on the phishing site characteristics, Lookout researchers were able to identify other websites using this phishing kit. Most of the websites use a subdomain of official-server[.]com as their C2. We also found Okta impersonation pages targeting employees of Binance and Coinbase, but the majority of the sites seemed targeted at users of cryptocurrency and SSO services,” they added.

“The sites seem to have successfully phished more than 100 victims, based on the logs observed. Many of the sites are still active and continue to phish for more credentials each hour,” the researchers noted.

The threat actors initially deployed their phishing websites across multiple hosting networks, but favored Hostwinds and Hostinger in late 2023. In early 2024, they transitioned to RetnNet in Russia, which seems to be keeping them online for much longer.

The use of spoofed Okta SSO pages is a favorite tactic by the Scattered Spider hacking group, but the researchers say that the different capabilities and C2 infrastructure of the phishing kit indicate that the group is not responsible for this campaign.

Phishing kits giving attackers the ability to bypass MFA have been available for quite some time.

“It is unknown whether this is a single threat actor or a common tool being used by many different groups. However, there are many similarities in the backend C2 servers and test data our team found across the various phishing sites,” they concluded.