0ktapus, An Okta Themed Phishing Campaign
Industries: Business Service, Education, Finance, Legal Services, Logistics, Power Supply, Retail, Technology, Telecommunication | Level: Strategic | Source: Group-IB
Researchers from Group-IB have discovered a large-scale phishing campaign impersonating the access management and identity service Okta. The campaign has been quite successful for the threat actors, affecting 130 organizations and yielding 9,931 compromised accounts. Included in the compromised data set were "3,129 records with emails, and 5,441 with MFA codes." The phishing infrastructure used by the threat actor(s) is large: Group-IB discovered 169 unique domains used in the 0ktapus campaign. Group-IB's view of that infrastructure grew from the distributed phishing kits, whose code all referred to the same Telegram bot. The campaign has led to attacks against Twilio and Cloudflare. Most of the targeted companies were in the US, with the information technology and cloud services industries most impacted. The campaign is estimated to have started as early as March 2022.

"The primary goal of the threat actors was to obtain Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations. These users received text messages containing links to phishing sites that mimicked the Okta authentication page of their organization." It is possible that the threat actors initially attacked mobile operators and telecommunication companies to obtain mobile phone numbers; however, it is still unknown how the threat actors obtained the targeted victims' phone numbers.
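The campaign relies on users following SMS links to hosts that look like their organization's Okta login page. One detection a defender can run against existing web-proxy or DNS logs is to flag any host that carries the "okta" keyword, a digit-for-letter lookalike of it (as in the campaign name "0ktapus"), or the organization's own name while not resolving under the organization's legitimate Okta tenant or corporate domain. The script below is an added example written for this summary, not Group-IB's tooling or anything from the campaign: the tenant name `examplecorp`, the corporate domain `example.com`, the list of legitimate Okta suffixes and the log lines are all constructed assumptions; the Okta hostnames actually in use at a given organization should be substituted.

```python
"""Flag Okta-impersonation hosts in web-proxy log lines (added example, constructed data)."""
from urllib.parse import urlsplit

# Assumptions for this example: the organisation's Okta tenant and corporate domain.
ORG_TENANT = "examplecorp"            # hypothetical Okta tenant / company name
ORG_DOMAIN = "example.com"            # hypothetical corporate domain
# Hostname suffixes under which the organisation's real Okta login pages live (assumed).
LEGIT_OKTA_SUFFIXES = ("okta.com", "oktapreview.com", "okta-emea.com")

# Common digit-for-letter substitutions seen in lookalike names ("0kta" -> "okta").
_LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _under_domain(host: str, domain: str) -> bool:
    """True when host is domain itself or a subdomain of it (no partial-label matches)."""
    return host == domain or host.endswith("." + domain)


def classify_host(host: str):
    """Return a reason string when the host looks like an Okta/tenant impersonation, else None.

    Order of checks: known-good hosts are exempt first, then the literal 'okta' keyword,
    then digit/letter lookalikes of it, then the organisation's own name on a foreign domain.
    """
    host = host.lower().rstrip(".")
    if any(_under_domain(host, s) for s in LEGIT_OKTA_SUFFIXES) or _under_domain(host, ORG_DOMAIN):
        return None
    if "okta" in host:
        return "okta keyword on non-Okta domain"
    if "okta" in host.translate(_LOOKALIKE_MAP):
        return "Okta lookalike (digit/letter substitution)"
    if ORG_TENANT in host:
        return "organisation name on foreign domain"
    return None


def scan_log(lines):
    """Parse 'timestamp user method url status' lines and return (user, host, reason) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue                      # skip malformed lines rather than crash on them
        user, url = parts[1], parts[3]
        host = urlsplit(url).hostname
        if not host:
            continue
        reason = classify_host(host)
        if reason:
            hits.append((user, host, reason))
    return hits


# Constructed sample proxy log: one legitimate login, three impersonation attempts, one benign site.
SAMPLE_LOG = [
    "2022-08-01T10:02:13Z alice GET https://examplecorp.okta.com/login/login.htm 200",
    "2022-08-01T10:05:41Z bob GET https://examplecorp-okta.com/ 200",
    "2022-08-01T10:06:02Z carol GET https://examplecorp.0kta-sso.net/login 200",
    "2022-08-01T10:07:55Z dave GET https://www.example.com/ 200",
    "2022-08-01T10:09:10Z erin POST https://sso-examplecorp.com/mfa 200",
]

if __name__ == "__main__":
    for user, host, reason in scan_log(SAMPLE_LOG):
        print(f"{user}\t{host}\t{reason}")
```

A hit on the "okta keyword" or "lookalike" rules is a strong signal on its own because nothing legitimate should serve the organisation's login page outside its real Okta tenant; the "organisation name on foreign domain" rule is noisier (partners and marketing sites also use the name) and is better treated as a triage hint than an alert.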