Date: 2025-08-13

Phishing, Threat Intelligence

PoisonSeed phishing kit examined

PoisonSeed, a threat operation linked to Scattered Spider and CryptoChameleon, has facilitated clandestine credential exfiltration with its phishing kit, which has been targeting leading customer relationship management and email service providers since April, GBHackers News reports.

PoisonSeed's phishing kit has impersonated multiple legitimate interfaces to facilitate email verification and the subsequent display of login forms that enable the acquisition of two-factor authentication codes, API keys, and other authentication details, as well as automated email list extraction, findings from Nviso showed. Aside from using Axios for API keys to various endpoints and featuring HTTP status-based dynamic redirection support, PoisonSeed's phishing kit also involves NICENIC-registered domains and name servers that use Cloudflare and Bunny.net for further concealment. Organizations have been urged to implement FIDO2 keys and other phishing-resistant multi-factor authentication techniques, as well as bolster anomaly detection mechanisms, to better mitigate the threat posed by PoisonSeed's phishing kit.

