More than 130 organizations, including Twilio, DoorDash and Signal, have been potentially compromised by hackers in a months-long phishing campaign dubbed “0ktapus” by security researchers. Login credentials belonging to nearly 10,000 people were stolen by attackers who impersonated the popular Okta single sign-on service, according to a report by the cybersecurity firm Group-IB.
The targets received text messages linking to a phishing site. As the Group-IB report states, “From the victim’s perspective, the phishing site looks quite compelling because it’s very similar to the authentication page they’re used to seeing.” Victims were asked to provide their username, password and a two-factor authentication code, and the phishing kit relayed all three to the attackers in real time, so the one-time code could be replayed against the genuine login page before it expired.
Interestingly, Group-IB’s analysis suggests the attackers were somewhat inexperienced. “Analysis of the phishing kit revealed that it was misconfigured and the way it was developed provided the ability to extract stolen credentials for further analysis,” Roberto Martinez, principal threat intelligence analyst at Group-IB, told TechCrunch.
But inexperienced or not, the scale of the attack is massive, with Group-IB identifying 169 unique phishing domains used by the campaign. It is believed that the 0ktapus campaign started around March 2022, and so far around 9,931 sets of login credentials have been stolen. The attackers expanded their reach over time, targeting multiple sectors including finance, gaming and telecommunications. Organizations Group-IB lists as targets (without confirmed breaches) include Microsoft, Twitter, AT&T, Verizon Wireless, Coinbase, Best Buy, T-Mobile, Riot Games, and Epic Games.
Money appears to be at least one of the motives for the attacks, with the researchers stating, “Seeing financial companies in the compromised list gives us the idea that the attackers were also trying to steal money. Additionally, some of the targeted companies provide access to crypto assets and markets, while others develop investment tools.”
Group-IB warns that we likely won’t know the full scale of this attack for some time. To guard against similar attacks, Group-IB offers the usual advice: always check the URL of any site where you enter login information; treat URLs received from unknown sources with suspicion; and, for added protection, use a phishing-resistant FIDO2/WebAuthn security key such as a YubiKey. Unlike an SMS or app-generated one-time code, a security key’s credential is bound to the genuine site’s origin, so a lookalike page cannot obtain a login assertion that the real service will accept.
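The following is an added illustration, not code from Group-IB, Okta or the 0ktapus kit, of why the relay described above succeeds against a TOTP code but fails against a FIDO2/WebAuthn security key. The hostnames, the shared TOTP secret and the fixed clock value are constructed for the example, and the authenticator’s signature is an HMAC stand-in (an assumption made for a stdlib-only script) for the real asymmetric signature; the challenge, origin and RP-ID checks follow the WebAuthn assertion ceremony.

```python
"""Relayed TOTP vs. origin-bound WebAuthn assertion (added illustration)."""
import hashlib
import hmac
import json
import secrets

# Assumed names: the legitimate SSO origin and a lookalike phishing origin.
RP_ID = "sso.example.com"
ALLOWED_ORIGINS = {"https://sso.example.com"}
PHISH_ORIGIN = "https://sso-example.com.attacker.test"  # constructed lookalike
TOTP_SECRET = b"constructed-shared-secret"               # constructed
FIXED_TIME = 1_660_000_000                               # deterministic clock


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (SHA-1, 30 s step, 6 digits)."""
    counter = (unix_time // 30).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"


class SecurityKey:
    """Toy authenticator: one credential per RP ID, created at registration."""

    def __init__(self):
        self._creds = {}

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._creds[rp_id] = key
        return key  # stands in for the public key handed to the relying party

    def get_assertion(self, rp_id: str, client_data: bytes):
        # A real key likewise refuses when it holds no credential for this RP ID.
        if rp_id not in self._creds:
            raise LookupError(f"no credential for RP ID {rp_id!r}")
        # authenticatorData = rpIdHash || flags (UP set) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(self._creds[rp_id], signed, hashlib.sha256).digest()


def browser_get(key: SecurityKey, page_origin: str, challenge: str):
    """The browser, not the page, fixes the RP ID and the origin in clientDataJSON."""
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    auth_data, sig = key.get_assertion(rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(cred: bytes, challenge: str, client_data: bytes, auth_data: bytes, sig: bytes):
    """Relying-party side of the assertion ceremony."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(cred, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def phished_totp_login() -> bool:
    """Victim types the code into the phishing page; the kit forwards it within the 30 s window."""
    code_from_victim = totp(TOTP_SECRET, FIXED_TIME)
    return hmac.compare_digest(totp(TOTP_SECRET, FIXED_TIME + 10), code_from_victim)


def legit_fido_login():
    key = SecurityKey()
    cred = key.register(RP_ID)
    challenge = secrets.token_urlsafe(32)
    return rp_verify(cred, challenge, *browser_get(key, "https://sso.example.com", challenge))


def phished_fido_login():
    """The kit relays the real challenge to its lookalike page; the key never signs for it."""
    key = SecurityKey()
    key.register(RP_ID)
    challenge = secrets.token_urlsafe(32)
    try:
        browser_get(key, PHISH_ORIGIN, challenge)
    except LookupError as exc:
        return False, str(exc)
    return True, "unexpected: assertion produced for phishing origin"


if __name__ == "__main__":
    print("relayed TOTP accepted:", phished_totp_login())
    print("legit FIDO login:", legit_fido_login())
    print("phished FIDO login:", phished_fido_login())
```

The TOTP path succeeds because the code carries nothing about where it was typed; any party holding it within the time window can spend it. The WebAuthn path fails at the key itself, and even an assertion the attacker somehow obtained for their own domain would fail `rp_verify` on the origin and rpIdHash checks.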
This recent series of phishing attacks is one of the most impressive campaigns of this scale to date, according to Group-IB, with the report concluding that “0ktapus shows how vulnerable modern organizations are to some social engineering attacks and how bad the effects of such incidents can be for their partners and customers.”
The magnitude of these threats is also not expected to diminish anytime soon. Zscaler research shows that phishing attacks increased by 29% globally in 2021 over the previous year and notes that SMS phishing in particular is growing faster than other types of scams as people have become better at recognizing fraudulent emails. Social engineering scams and hacks have also increased during the COVID-19 pandemic, and earlier this year we even saw Apple and Meta sharing user data with hackers pretending to be law enforcement.