The “0ktapus” phishing campaign targets more than 130 companies
A large-scale phishing campaign dubbed “0ktapus” has taken its toll, compromising more than 130 organizations around the world, including companies like Twilio, Best Buy and Doordash.
During the attack, the login credentials belonging to nearly 10,000 people were stolen by the attackers who mimicked the popular Okta single sign-on service, which was used by all compromised companies.
The targets of the phishing campaign received text messages that redirected them to a phishing site manipulated by the attackers.
Group-IB, the cybersecurity group tasked with investigating these attacks, said: “From the perspective of the victim, the phishing site looks pretty compelling because it’s very similar to the authentication page they are used to seeing.”
On that page, the victims were asked to provide their username, password and a two-factor authentication code.
This information was then sent to attackers who used these credentials to launch targeted attacks on multiple organizations in a coordinated effort.
The main objective of the attack was to obtain the login credentials and two-factor authentication (2FA) codes of users from the targeted organizations.
Subsequently, with this information in hand, the attackers could gain unauthorized access to any company resources to which the victims had access.
Group-IB adds: “This case is interesting because despite the use of low-skilled methods, it was able to compromise a large number of well-known organizations.”
Once the attackers were inside the systems, they were able to move on and launch new attacks by further exploiting the organizations’ digital infrastructure.
Who are the targets?
The 0ktapus phishing campaign reportedly started around March this year.
To date, it is estimated that around 9,931 login credentials have been stolen from 136 organizations around the world.
The attackers have extended their network widely, targeting several sectors, including finance, gaming and telecommunications.
The majority of these attacks were launched against companies headquartered in the United States; an undisclosed Australian company was also targeted.
Companies like Twilio, Best Buy and Doordash have already been compromised, while Cloudflare was able to thwart the threat.
Domains cited by Group-IB as targets (but no confirmed breaches) include Microsoft, Twitter, AT&T, Verizon Wireless, Coinbase, Best Buy, T-Mobile, Riot Games, and Epic Games.
Who is behind these attacks?
During its investigation, Group-IB discovered that the code of the attackers’ phishing kit revealed configuration details of the Telegram bot the attackers were using to collect the stolen data.
Analyzing the phishing kit, the researchers concluded that the attackers are “inexperienced”; however, the scale at which the attacks were carried out was “massive”.
Group-IB has identified one of the administrators of the Telegram group who uses the handle “X”, whose GitHub and Twitter handles suggest they may reside in North Carolina.
Twitter handle for ‘X’.
Cash appears to be at least one of the motives for the attacks, with the researchers saying, “Seeing financial companies in the compromised list gives us the idea that the attackers were also trying to steal money.”
Additionally, some of the targeted companies provide access to crypto assets and markets, while others develop investment tools.