More than 130 organizations, including Twilio, DoorDash, and Signal, may have been compromised by hackers as part of a months-long phishing campaign nicknamed “0ktapus” by security researchers. Login credentials of nearly 10,000 people were stolen by attackers impersonating the popular single sign-on service Okta, according to a report by cybersecurity outfit Group-IB.
Targets received text messages that directed them to a phishing site. As the Group-IB report states, “From a victim’s point of view, the phishing site looks quite convincing because it’s very similar to the authentication page they’re used to seeing.” Victims were asked for their username, password and a two-factor authentication code. This information was then sent to the attackers.
Interestingly, Group-IB’s analysis suggests that the attackers were somewhat inexperienced. “The analysis of the phishing kit found that it was poorly configured and that the way it was developed provided the ability to extract stolen credentials for further analysis,” Roberto Martinez, senior threat intelligence analyst at Group-IB, told TechCrunch.
But inexperienced or not, the scale of the attack is enormous, with Group-IB detecting 169 unique domains targeted by the campaign. It is believed that the 0ktapus campaign started around March 2022 and that about 9,931 credentials have been stolen so far. The attackers have spread their net widely and target multiple sectors, including finance, gaming and telecom. Domains listed by Group-IB as targets (but with no confirmed breaches) include Microsoft, Twitter, AT&T, Verizon Wireless, Coinbase, Best Buy, T-Mobile, Riot Games, and Epic Games.
Cash appears to be at least one of the motives for the attacks, with researchers stating, “When we see financial companies on the compromised list, we get the idea that the attackers were also trying to steal money. In addition, some of the targeted companies access crypto assets and markets, while others develop investment tools.”
Group-IB warns that it will likely be some time before the full extent of this attack is known. To protect against similar attacks, Group-IB offers the usual advice: always check the URL of a site where you enter login credentials; treat URLs received from unknown sources with suspicion; and for extra protection, use an “unphishable” two-factor security key, such as a YubiKey.
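Why a security key is “unphishable” while a one-time code is not, as an added illustration (not code from Group-IB, Okta or the article): the OTP flow above is just strings the victim types in and the phishing page relays, whereas a FIDO/WebAuthn-style authenticator signs over the origin the browser is actually showing, so an assertion obtained on a look-alike domain fails at the real one. The origins, password and code are constructed, and a keyed HMAC stands in for the authenticator’s public-key signature to keep the example dependency-free.

```python
"""Constructed simulation: relayed OTP succeeds, relayed origin-bound assertion fails."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://sso.example-corp.test"    # constructed real SSO origin
PHISH_ORIGIN = "https://sso-example-corp.test"   # constructed look-alike domain


class OtpService:
    """Password + OTP login: both factors are plain strings with no origin binding."""
    def __init__(self, password, otp_code):
        self.password, self.otp_code = password, otp_code

    def login(self, password, otp_code):
        return (hmac.compare_digest(password, self.password)
                and hmac.compare_digest(otp_code, self.otp_code))


def relay_otp(service):
    # Victim enters password and current code on the phishing page; the
    # attacker forwards the same strings to the real service within the code's lifetime.
    captured = {"password": "hunter2", "otp": "492113"}  # constructed sample
    return service.login(captured["password"], captured["otp"])


class OriginBoundService:
    """WebAuthn-style relying party: checks the origin embedded in the signed client data."""
    def __init__(self):
        self.key = secrets.token_bytes(32)  # stand-in for the registered credential key

    def challenge(self):
        return secrets.token_hex(16)

    def verify(self, assertion):
        client_data = json.loads(assertion["client_data"])
        expected = hmac.new(self.key, assertion["client_data"].encode(), hashlib.sha256).digest()
        return client_data["origin"] == REAL_ORIGIN and hmac.compare_digest(expected, assertion["sig"])


def authenticator_sign(key, challenge, page_origin):
    # The browser, not the page, fills in the origin it is displaying; the
    # phishing page cannot claim REAL_ORIGIN from PHISH_ORIGIN.
    client_data = json.dumps({"challenge": challenge, "origin": page_origin})
    return {"client_data": client_data,
            "sig": hmac.new(key, client_data.encode(), hashlib.sha256).digest()}


def relay_origin_bound(service, page_origin):
    challenge = service.challenge()  # phishing page can forward the real challenge verbatim
    return service.verify(authenticator_sign(service.key, challenge, page_origin))
```

Run with `relay_otp(OtpService("hunter2", "492113"))` returning `True` and `relay_origin_bound(OriginBoundService(), PHISH_ORIGIN)` returning `False`; only the origin differs between the accepted and rejected assertion.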
This recent series of phishing attacks is one of the most impressive campaigns of its magnitude to date, according to Group-IB. consequences of such incidents for their partners and customers.”
The magnitude of these threats is also unlikely to diminish anytime soon. Research by Zscaler shows that phishing attacks worldwide were up 29 percent in 2021 compared to the previous year and notes that SMS phishing in particular is growing faster than other types of scams as people have become better at recognizing fraudulent emails. Social engineering scams and hacks were also seen during the COVID-19 pandemic, and earlier this year we even saw both Apple and Meta sharing data with hackers posing as law enforcement officers.