0ktapus Phishing Campaign Targets Okta Identity Credentials

    Security researchers have revealed a new phishing campaign targeting Okta identity credentials and connected two-factor authentication (2FA) codes.

    The analysis comes from Group-IB, which said the campaign was particularly interesting because, despite using low-skill methods, it was able to compromise a large number of well-known companies.

    Attackers sent employees of the targeted companies text messages containing links to phishing sites that mimicked their organization's Okta authentication page, followed by a second page asking for a 2FA code. When a victim tried to log in, their credentials and code were sent to the malicious actors behind the attack.

    “Furthermore, once the attackers compromised an organization, they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance,” Group-IB wrote in an advisory published today, August 25, 2022.

    Overall, the company confirmed it detected 169 unique domains involved in this ‘0ktapus’ campaign. The team did so by analyzing the resources used to create those sites, some of which (images, fonts or scripts) were unique enough to be used to find other sites using the same phishing kit.

    “In this case, we found an image that is legitimately used by sites leveraging Okta authentication, being used by the phishing kit,” Group-IB explained.

    In terms of targeted organizations, the vast majority of 0ktapus victims were located in the U.S., followed by the U.K. and Canada. The bulk of them were providers of IT, software development, and cloud services, but there were also some financial companies on the list.

    To avoid becoming a 0ktapus victim, Group-IB said end-users (especially those with admin rights) should always double-check the URL of the site where they are entering credentials. The security researchers also advised companies to implement a FIDO2-compliant security key for multi-factor authentication (MFA).
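    The reason a FIDO2 key blocks this kind of relay, shown as an added example that is not part of the Group-IB advisory or any Okta code: the browser writes the page origin into the signed client data, so a challenge relayed through a lookalike login page produces an assertion the real site rejects. The origins are assumed, and an HMAC with a shared demo key stands in for the authenticator's public-key signature so the script runs offline.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo values. A real authenticator signs with a per-credential
# private key; a shared HMAC key stands in for it so the example runs offline.
AUTHENTICATOR_KEY = b"constructed-demo-credential-key"
LEGIT_ORIGIN = "https://login.example-corp.test"      # assumed relying-party origin
PHISH_ORIGIN = "https://login.example-corp-sso.test"  # constructed lookalike origin


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def authenticator_assert(page_origin: str, challenge: bytes) -> dict:
    """User side (browser + security key). The browser, not the page, writes the
    origin into clientDataJSON and the signature covers its hash, so a challenge
    relayed through a lookalike page is signed with the lookalike's origin."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}, sort_keys=True).encode()
    client_data_hash = hashlib.sha256(client_data).digest()
    signature = hmac.new(AUTHENTICATOR_KEY, client_data_hash, hashlib.sha256).digest()
    return {"client_data": client_data, "signature": signature}


def rp_verify(assertion: dict, issued_challenge: bytes) -> tuple[bool, str]:
    """Relying-party side: signature, ceremony type, challenge, then origin."""
    expected = hmac.new(AUTHENTICATOR_KEY, hashlib.sha256(assertion["client_data"]).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(assertion["signature"], expected):
        return False, "signature invalid"
    data = json.loads(assertion["client_data"])
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if data.get("challenge") != b64url(issued_challenge):
        return False, "challenge mismatch"
    if data.get("origin") != LEGIT_ORIGIN:
        return False, "origin mismatch: " + str(data.get("origin"))
    return True, "accepted"


def login_attempt(page_origin: str) -> tuple[bool, str]:
    """One login ceremony: the RP issues a fresh challenge and the user's key
    signs it on whatever page the user is actually looking at."""
    challenge = secrets.token_bytes(32)
    return rp_verify(authenticator_assert(page_origin, challenge), challenge)
```

Contrast this with the SMS or app code harvested in the campaign, which carries no origin at all and is accepted wherever it is typed in.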

    The advisory compiled by Group-IB is based on a request from one of its clients as well as on public reports on 0ktapus by Twilio and Cloudflare.

    Group-IB has also recently uncovered a huge investment fraud campaign targeting European victims via online and phone channels.