0ktapus Phishing Campaign Targets Okta Identity Credentials

by admin 0 Comments

Security
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Security researchers have revealed a new phishing campaign targeting Okta identity credentials and connected two-factor authentication (2FA) codes. 

The analysis comes from the Group-IB, who said it was particularly interesting because despite using low-skill methods, the campaign was able to compromise a large number of well-known companies.

In fact, attackers sent employees of the targeted companies text messages containing links to phishing sites that mimicked the Okta authentication page of their organization, followed by a second one asking for a 2FA code. Upon trying to log in, their victim’s credentials would then be sent to the malicious actors behind the attack.

“Furthermore, once the attackers compromised an organization, they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance,” Group-IB wrote in an advisory published today, August 25, 2022.

Overall, the company confirmed it detected 169 unique domains involved in this ’0ktapus’ campaign. The team did so by analyzing the resources used to create those sites, some of which (images, fonts or scripts) were unique enough to be used to find other sites using the same phishing kit.

“In this case, we found an image that is legitimately used by sites leveraging Okta authentication, being used by the phishing kit,” Group-IB explained.

In terms of targeted organizations, the vast majority of 0ktapus victims were located in the U.S., followed by the U.K. and Canada. The bulk of them were providers of IT, software development, and cloud services, but there were also some financial companies on the list.

To avoid becoming a 0ktapus victim, Group-IB said end-users (especially those with admin rights) should always double-check the URL of the site where they are entering credentials. The security researchers also advised companies to implement a FIDO2-compliant security key for multi-factor authentication (MFA).

The advisory compiled by Group-IB is based on a request from one of their clients as well as from public reports on 0ktapus by Twilio and Cloudflare.

Group-IB has also recently uncovered a huge investment fraud campaign targeting European victims via online and phone channels.

This article was originally published by Infosecurity-magazine.com. Read the original article here.
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Products You May Like

Articles You May Like

US Supreme Court Gives Green Light to TikTok Ban
HPE Launches Investigation After Hacker Claims Data Breach
Middle Eastern Real Estate Fraud Grows with Online Listings
Unsecured Tunneling Protocols Expose 4.2 Million Hosts, Including VPNs and Routers
Lazarus Group Targets Developers in New Data Theft Campaign

Leave a Reply

Your email address will not be published. Required fields are marked *