0ktapus Phishing Campaign Targets Okta Identity Credentials

Security researchers have revealed a new phishing campaign targeting Okta identity credentials and the associated two-factor authentication (2FA) codes.

The analysis comes from Group-IB, which said the campaign was particularly interesting because, despite using low-skill methods, it was able to compromise a large number of well-known companies.

In fact, attackers sent employees of the targeted companies text messages containing links to phishing sites that mimicked their organization's Okta authentication page, followed by a second page asking for a 2FA code. When a victim tried to log in, the credentials entered were sent to the malicious actors behind the attack.

“Furthermore, once the attackers compromised an organization, they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance,” Group-IB wrote in an advisory published today, August 25, 2022.

Overall, the company confirmed it detected 169 unique domains involved in this "0ktapus" campaign. The team found them by analyzing the resources used to build those sites, some of which (images, fonts or scripts) were unique enough to be used to locate other sites running the same phishing kit.
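As an added illustration of the resource-based hunting described above (this is example code, not Group-IB's own tooling), the following Python strips host names from the images, scripts, stylesheets and fonts a page loads and clusters candidate domains by how much their resource set overlaps with a known kit page. All domains, file names and HTML here are constructed placeholders, and the 0.6 similarity threshold is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

class _ResourceCollector(HTMLParser):
    """Collect every image, script, stylesheet or font URL a page references."""
    def __init__(self):
        super().__init__()
        self.resources = set()
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("img", "script") and attrs.get("src"):
            self.resources.add(attrs["src"])
        elif tag == "link" and attrs.get("href"):
            self.resources.add(attrs["href"])

def resource_names(html):
    """File names a page loads, with scheme and host stripped so the same kit
    can be recognised on every domain it is deployed to."""
    parser = _ResourceCollector()
    parser.feed(html)
    return {posixpath.basename(urlparse(r).path) for r in parser.resources if urlparse(r).path}

def kit_matches(reference_html, candidates, threshold=0.6):
    """Jaccard overlap of resource names between each candidate and the reference kit page;
    returns {domain: score} at or above threshold (0.6 is an assumed value, tune it)."""
    ref = resource_names(reference_html)
    hits = {}
    for domain, html in candidates.items():
        names = resource_names(html)
        union = ref | names
        score = len(ref & names) / len(union) if union else 0.0
        if score >= threshold:
            hits[domain] = round(score, 2)
    return hits

# Constructed sample pages: placeholder domains and file names, not real indicators.
KIT_PAGE = ('<link rel="stylesheet" href="/static/kit-theme.css">'
            '<link rel="preload" href="/static/fonts/proxima-nova.woff2" as="font">'
            '<script src="/static/okta-sign-in.min.js"></script>'
            '<img src="https://cdn.invalid/assets/logo_okta.png">')
CANDIDATES = {
    # Same kit on another host: every resource name matches (score 1.0).
    "sso-corp.invalid": KIT_PAGE.replace("/static/", "https://sso-corp.invalid/static/"),
    # Same kit with one script swapped: 3 of 5 distinct names overlap (score 0.6).
    "corp-okta-login.invalid": KIT_PAGE.replace("okta-sign-in.min.js", "custom.css"),
    # Real tenant page sharing only the legitimately used logo: too weak to cluster.
    "tenant.okta.example": '<img src="/img/logo_okta.png"><link href="/app.css">'
                           '<script src="/vendor.js"></script>',
}
```

The third candidate shows the caveat Group-IB raised: a single image that legitimate Okta tenants also use is not a kit fingerprint on its own, so the score has to be built from the combination of resources.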

“In this case, we found an image that is legitimately used by sites leveraging Okta authentication, being used by the phishing kit,” Group-IB explained.

In terms of targeted organizations, the vast majority of 0ktapus victims were located in the U.S., followed by the U.K. and Canada. The bulk of them were providers of IT, software development, and cloud services, but there were also some financial companies on the list.

To avoid becoming a 0ktapus victim, Group-IB said end-users (especially those with admin rights) should always double-check the URL of the site where they are entering credentials. The security researchers also advised companies to implement a FIDO2-compliant security key for multi-factor authentication (MFA).

The advisory compiled by Group-IB is based on a request from one of its clients as well as on public reports on 0ktapus by Twilio and Cloudflare.

Group-IB has also recently uncovered a huge investment fraud campaign targeting European victims via online and phone channels.
