Over 130 organizations, including Twilio, DoorDash, and Signal, have been potentially compromised by hackers as part of a months-long phishing campaign nicknamed “0ktapus” by security researchers. Login credentials belonging to nearly 10,000 individuals were stolen by attackers who imitated the popular single sign-on service Okta, according to a report from cybersecurity outfit Group-IB.
Targets were sent text messages that redirected them to a phishing site. As the report from Group-IB states, “From the victim’s point of view, the phishing site looks quite convincing as it is very similar to the authentication page they are used to seeing.” Victims were asked for their username, password, and a two-factor authentication code. This information was then sent to the attackers.
Interestingly, Group-IB’s analysis suggests that the attackers were somewhat inexperienced. “The analysis of the phishing kit revealed that it was poorly configured and the way it had been developed provided an ability to extract stolen credentials for further analysis,” Roberto Martinez, a senior threat intelligence analyst at Group-IB, told TechCrunch.
But inexperienced or not, the scale of the attack is massive, with Group-IB detecting 169 unique domains targeted by the campaign. It’s believed that the 0ktapus campaign began around March 2022 and that so far, around 9,931 login credentials have been stolen. The attackers have spread their net wide, targeting multiple industries, including finance, gaming, and telecoms. Domains cited by Group-IB as targets (but not confirmed breaches) include Microsoft, Twitter, AT&T, Verizon Wireless, Coinbase, Best Buy, T-Mobile, Riot Games, and Epic Games.
Cash appears to be at least one of the motives for the attacks, with researchers stating, “Seeing financial companies in the compromised list gives us the idea that the attackers were also trying to steal money. Furthermore, some of the targeted companies provide access to crypto assets and markets, whereas others develop investment tools.”
Group-IB warns that we likely won’t know the full scale of this attack for some time. To guard against attacks like this, Group-IB offers the usual advice: always check the URL of any site where you’re entering login details; treat URLs received from unknown sources with suspicion; and, for added protection, use “unphishable” two-factor security keys, such as a YubiKey.
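Turning the “check the URL” advice into something a security team can run over text messages that staff report, as an added example that is not part of this article or of Group-IB’s report: it pulls URLs out of constructed SMS bodies and flags any that use the Okta brand outside a trusted apex domain, including hosts that swap digits for letters the way the campaign’s own name does. The trusted-apex allowlist, the substitution table and the sample messages are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: apex domains this organisation accepts for SSO logins.
# A real deployment would take this from its own identity-provider settings.
TRUSTED_APEX = {"okta.com"}
BRAND = "okta"
URL_RE = re.compile(r'https?://[^\s<>"]+', re.I)

def apex_of(host: str) -> str:
    """Naive registrable-domain extraction (last two labels). Assumption:
    single-label public suffixes; multi-part ones such as co.uk need a PSL."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def triage_url(url: str) -> dict:
    """Classify one URL from an SMS as trusted, suspicious or unknown."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    apex = apex_of(host)
    if apex in TRUSTED_APEX:
        return {"url": url, "apex": apex, "verdict": "trusted", "reasons": []}
    reasons = []
    # Undo digit-for-letter swaps (0->o, 1->l, 3->e) before looking for the brand
    deobfuscated = host.translate(str.maketrans("013", "ole"))
    if BRAND in deobfuscated:
        reasons.append(f"'{BRAND}' in host but apex {apex} is not trusted")
    elif BRAND in parts.path.lower():
        reasons.append(f"'{BRAND}' in path on untrusted apex {apex}")
    if parts.scheme.lower() != "https":
        reasons.append("plain http")
    verdict = "suspicious" if reasons else "unknown"
    return {"url": url, "apex": apex, "verdict": verdict, "reasons": reasons}

def triage_sms(messages):
    """Extract every URL from the SMS bodies and triage each one."""
    return [triage_url(u) for body in messages for u in URL_RE.findall(body)]

# Constructed sample SMS bodies modelled on the lure the article describes.
SAMPLE_SMS = [
    "Your schedule changed. Review at https://0kta-sso-login.example/auth",
    "Reminder: company login is https://acme.okta.com/app",
    "Package update: http://parcel-track.example/okta/verify",
    "Lunch at noon? https://maps.example/r/123",
]

if __name__ == "__main__":
    for r in triage_sms(SAMPLE_SMS):
        print(r["verdict"], r["url"], "; ".join(r["reasons"]))
```

Anything marked suspicious is a candidate for blocking at the SMS gateway or for a user warning; the heuristic is deliberately simple and will not catch lures that avoid the brand string entirely.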
This recent string of phishing attacks is one of the most impressive campaigns of this scale to date, according to Group-IB, with the report concluding that “Oktapus shows how vulnerable modern organizations are to some basic social engineering attacks and how far-reaching the effects of such incidents can be for their partners and customers.”
The scale of these threats isn’t likely to decrease any time soon, either. Research from Zscaler shows that phishing attacks increased by 29 percent globally in 2021 compared to the previous year and notes that SMS phishing in particular is increasing faster than other kinds of scams as people have started to better recognize fraudulent emails. Socially engineered scams and hacks were also seen rising during the COVID-19 pandemic, and earlier this year, we even saw that both Apple and Meta shared data with hackers pretending to be law enforcement officials.