0ktapus Phishing Campaign Targets Okta Identity Credentials

Security researchers have revealed a new phishing campaign targeting Okta identity credentials and connected two-factor authentication (2FA) codes.
The analysis comes from Group-IB, which said the campaign was particularly interesting because, despite using low-skill methods, it was able to compromise a large number of well-known companies.
The attackers sent employees of the targeted companies text messages containing links to phishing sites that mimicked the Okta authentication page of their organization, followed by a second page asking for a 2FA code. When victims tried to log in, their credentials were sent to the malicious actors behind the attack.
“Furthermore, once the attackers compromised an organization, they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance,” Group-IB wrote in an advisory published today, August 25, 2022.
Overall, the company confirmed it detected 169 unique domains involved in this ‘0ktapus’ campaign. The team did so by analyzing the resources used to create those sites, some of which (images, fonts or scripts) were unique enough to be used to find other sites using the same phishing kit.
“In this case, we found an image that is legitimately used by sites leveraging Okta authentication, being used by the phishing kit,” Group-IB explained.
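The pivot described above, matching a resource that a phishing kit copies onto every site it deploys, can be sketched as follows. This is an added example, not Group-IB's tooling: the `.test` hosts, the page markup and the resource bytes are constructed, and `FETCHED` stands in for content already retrieved by a crawler.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ResourceCollector(HTMLParser):
    """Collects absolute URLs of images, scripts and linked files on a page."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.urls = base_url, []
    def handle_starttag(self, tag, attrs):
        attr = {"img": "src", "script": "src", "link": "href"}.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.urls.append(urljoin(self.base_url, value))

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def find_kit_candidates(pages, fetched, known_hashes, legit_hosts):
    """Return (page_url, resource_url) pairs where a page on a host outside
    legit_hosts serves a resource whose bytes match a known fingerprint."""
    hits = []
    for page_url, html in pages.items():
        if urlsplit(page_url).hostname in legit_hosts:
            continue  # the organization's own login page uses the image legitimately
        collector = ResourceCollector(page_url)
        collector.feed(html)
        for res in collector.urls:
            body = fetched.get(res)  # None if the resource was not retrieved
            if body is not None and sha256(body) in known_hashes:
                hits.append((page_url, res))
    return sorted(hits)

# Constructed sample data (hypothetical .test hosts, placeholder bytes).
LOGO = b"\x89PNG constructed-login-logo"
FETCHED = {
    "https://sso.corp.test/img/logo.png": LOGO,
    "https://corp-sso.test/assets/a1.png": LOGO,  # same bytes, renamed file
    "https://corp-sso.test/assets/main.js": b"constructed script",
    "https://blog.test/logo.png": b"unrelated image",
}
PAGES = {
    "https://sso.corp.test/login": '<img src="/img/logo.png">',
    "https://corp-sso.test/": '<script src="assets/main.js"></script><img src="assets/a1.png">',
    "https://blog.test/": '<img src="logo.png">',
}
KNOWN = {sha256(LOGO)}
LEGIT = {"sso.corp.test"}

if __name__ == "__main__":
    for page, res in find_kit_candidates(PAGES, FETCHED, KNOWN, LEGIT):
        print(f"candidate: {page} serves fingerprinted resource {res}")
```

Hashing the bytes rather than comparing file names is what lets the renamed copy match; a kit that re-encodes the image would need a perceptual hash instead.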
In terms of targeted organizations, the vast majority of 0ktapus victims were located in the U.S., followed by the U.K. and Canada. The bulk of them were providers of IT, software development, and cloud services, but there were also some financial companies on the list.
To avoid becoming a 0ktapus victim, Group-IB said end-users (especially those with admin rights) should always double-check the URL of the site where they are entering credentials. The security researchers also advised companies to implement a FIDO2-compliant security key for multi-factor authentication (MFA).
The advisory compiled by Group-IB is based on a request from one of its clients as well as on public reports on 0ktapus by Twilio and Cloudflare.
Group-IB has also recently uncovered a huge investment fraud campaign targeting European victims via online and phone channels.