Okta is warning about custom phishing kits built specifically for voice-based social engineering (vishing) attacks. BleepingComputer has learned that these kits are being used in active attacks to steal Okta SSO credentials for data theft.
In a new report released today by Okta, researchers explain that the phishing kits are sold as part of an "as a service" model and are actively being used by multiple hacking groups to target identity providers, including Google, Microsoft, and Okta, and cryptocurrency platforms.
Unlike typical static phishing pages, these adversary-in-the-middle platforms are designed for live interaction via voice calls, allowing attackers to change content and display dialogs in real time as a call progresses.
The core features of these phishing kits are real-time manipulation of targets through scripts that give the caller direct control over the victim's authentication process.
As the victim enters credentials into the phishing page, those credentials are forwarded to the attacker, who then attempts to log in to the service while still on the call.
A C2 panel allowing real-time control of authentication flows
Source: Okta
When the service responds with an MFA challenge, such as a push notification or OTP, the attacker can select a new dialog that instantly updates the phishing page to match what the victim sees when attempting to log in. This synchronization makes fraudulent MFA requests appear legitimate.
Okta says these attacks are highly planned, with threat actors performing reconnaissance on a targeted employee, including which applications they use and the phone numbers associated with their company's IT support.
They then create customized phishing pages and call the victim using spoofed corporate or helpdesk numbers. When the victim enters their username and password on the phishing site, those credentials are relayed to the attacker's backend, commonly to Telegram channels operated by the threat actors.
... continue reading