0ktapus Phishing Campaign Targets Okta Identity Credentials

Security researchers have revealed a new phishing campaign targeting Okta identity credentials and connected two-factor authentication (2FA) codes.
The analysis comes from Group-IB, which said the campaign was particularly interesting because, despite using low-skill methods, it was able to compromise a large number of well-known companies.
Attackers sent employees of the targeted companies text messages containing links to phishing sites that mimicked their organization's Okta authentication page, followed by a second page asking for a 2FA code. When victims tried to log in, their credentials were sent to the malicious actors behind the attack.
“Furthermore, once the attackers compromised an organization, they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance,” Group-IB wrote in an advisory published today, August 25, 2022.
Overall, the company confirmed it detected 169 unique domains involved in this ‘0ktapus’ campaign. The team did so by analyzing the resources used to create those sites, some of which (images, fonts or scripts) were unique enough to be used to find other sites using the same phishing kit.
“In this case, we found an image that is legitimately used by sites leveraging Okta authentication, being used by the phishing kit,” Group-IB explained.
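The pivot described above can be sketched from the defender's side. This is an added example, not Group-IB's tooling or code from the advisory: it starts from the hash of one image known to appear on legitimate login pages, finds non-allowlisted hosts serving it, then expands through any other resources those hosts share. The hostnames, file contents and allowlist are constructed for illustration.

```python
import hashlib
from collections import defaultdict

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample crawl: host -> {path: resource bytes}. All hosts and
# contents are made up for illustration (.example / .test are reserved TLDs).
OKTA_LOGO = b"constructed-bytes-standing-in-for-a-login-page-image"
KIT_JS = b"constructed-bytes-standing-in-for-a-kit-specific-script"
CRAWL = {
    "acme.okta.example": {"/img/logo.png": OKTA_LOGO, "/app.js": b"legit-app"},
    "acme-sso.test": {"/static/logo.png": OKTA_LOGO, "/main.js": KIT_JS},
    "acme-vpn.test": {"/a.png": b"other-image", "/x.js": KIT_JS},
    "blog.example": {"/logo.png": b"unrelated", "/site.js": b"unrelated-js"},
}
LEGIT_HOSTS = {"acme.okta.example"}  # assumption: the defender's own allowlist

def index_by_hash(crawl):
    """Map each resource hash to the set of hosts serving it."""
    idx = defaultdict(set)
    for host, files in crawl.items():
        for body in files.values():
            idx[sha256(body)].add(host)
    return idx

def find_kit_hosts(crawl, seed_hash, legit_hosts):
    """Pivot from one fingerprint hash to every host sharing kit resources."""
    idx = index_by_hash(crawl)
    legit_hashes = {sha256(b) for h in legit_hosts for b in crawl.get(h, {}).values()}
    suspects = idx[seed_hash] - legit_hosts
    frontier = set(suspects)
    while frontier:
        host = frontier.pop()
        for body in crawl[host].values():
            h = sha256(body)
            # Only pivot on hashes never seen on a legitimate host; the seed
            # itself is legitimate content, so it is used once and not reused.
            if h in legit_hashes:
                continue
            new = idx[h] - legit_hosts - suspects
            suspects |= new
            frontier |= new
    return sorted(suspects)
```

On real crawl data, hashes of widely shared libraries should be excluded before pivoting, since they link unrelated sites and inflate the cluster.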
In terms of targeted organizations, the vast majority of 0ktapus victims were located in the U.S., followed by the U.K. and Canada. The bulk of them were providers of IT, software development, and cloud services, but there were also some financial companies on the list.
To avoid becoming a 0ktapus victim, Group-IB said end-users (especially those with admin rights) should always double-check the URL of the site where they are entering credentials. The security researchers also advised companies to implement a FIDO2-compliant security key for multi-factor authentication (MFA).
The advisory compiled by Group-IB is based on a request from one of its clients as well as on public reports on 0ktapus by Twilio and Cloudflare.
Group-IB has also recently uncovered a huge investment fraud campaign targeting European victims via online and phone channels.