What is the 0ktapus Phishing Scam? The Facts, and The Way Forward
By: Drew Gatchell, Director, Threat Detection Engineering @ AppOmni
In late August 2022, cybersecurity firm Group-IB shared their findings of a phishing campaign that targeted Okta credentials and multi-factor authentication (MFA) tokens. The majority of the attacks occurred earlier in the summer.
As of this writing, Group-IB has identified 9,931 compromised user credentials, 5,441 MFA codes, and 136 unique email domains associated with these credentials. The extensive reach of this attack led to its name “0ktapus.”
The threat actor (or group) orchestrated this attack in order to gain control of enterprise systems and steal data. Armed with not only Okta user credentials but also MFA codes, attackers have access to the same enterprise systems as the legitimate user.
This allows attackers to perform account takeovers and modify profile contact information to further hide some of their activities. If the attackers have admin access to critical business systems, sensitive operational and customer data is at their fingertips.
Before you can better protect your company, it’s imperative to first understand how so many users fell victim to this phishing attempt.
The attackers, through means currently unknown, obtained mobile phone numbers of employees at organizations that use Okta’s identity access management (IAM) solutions. The threat actors sent these employees text messages with links to phishing sites that imitated the look-and-feel of their employers’ Okta authentication pages.
Scammers are producing more believable phishing sites everyday. The fake Okta authentication pages looked authentic enough that nearly 10,000 people submitted their user credentials.
Once an unsuspecting employee entered user credentials:
- The phishing site passed along the credentials to the legitimate Okta authentication site.
- The user was then prompted to enter their MFA code, which the legitimate Okta authentication system texted or emailed to the user.
- After entering the MFA code, the phishing site then used this code and the user credentials to capitalize on the session token.
The affected users were unaware that they’d enabled an identical session complete with all their user role privileges.
Due to 0ktapus, enterprise companies such as Klaviyo, Mailchimp, and Twilio experienced breaches that affected cryptocurrency-related accounts, disrupted operations, and attempted to re-register accounts to different mobile devices, among other illicit uses of protected data.
Unfortunately, yes. Threat actors will continue to rely on this well-established playbook:
- Build trust with phishing sites, emails, and texts that appear legitimate.
- Gain access to user credentials and MFA codes.
- Duplicate the compromised user’s session and gain full access to their information and privileges.
In this manner, 0ktapus is decidedly unremarkable. Though the scale is large, the attackers didn’t introduce any new tactics, techniques, and procedures (TTPs) for Security teams to study. The breach does, however, underscore the imperative for ongoing — and robust — user education to help deter phishing scams. As long as they remain lucrative, these types of attacks will continue. Unfortunately, it’s becoming easier for attackers to pull off well-orchestrated scams as detailed in Resecurity’s recent blog post about the new “phishing-as-a-service” provider EvilProxy.
To protect against sophisticated phishing attacks, we recommended continuous training that ensures your employees:
- Check and double check the URL of any site requesting login credentials. SaaS app admins and similar users with highly privileged access should receive in-depth training and support.
- Never click on any URL from a questionable source. If an employee suspects the link is legitimate, they should ask your Security team for guidance.
- Change their password immediately if they suspect their user credentials have been compromised.
Of course, the best user education has its limits. Your security posture management is also vital in the defense from phishing.
AppOmni offers a comprehensive platform to assess the attack surface for SaaS and continuously monitor environments for data leakage and attacks to keep your organization safe.
SaaS security posture management (SSPM) solutions can reveal if any users have incorrectly been assigned administrative or other highly privileged roles and detect drift if security groups or roles have been modified. Ensuring least privilege access to control who can access what data remains one of the best defenses against phishing attacks, drastically reducing the scope of what an attacker can accomplish.
Beyond proper user role adherence, SSPM solutions provide comprehensive activity monitoring and threat detection capabilities specific to SaaS. AppOmni incorporates TTPs from adversary in the middle (AiTM) attacks as well as profiling SaaS breach tactics that typically get re-used against other services. We also simplify threat hunting by providing event data in a normalized and enriched schema.
The system can send alerts for suspicious activities such as:
- A single user session tied to multiple IP addresses
- Logins from suspicious locations
- MFA enrollment changes
- Complex sequences of activities that indicate a more advanced attack method
AppOmni also provides ongoing threat intelligence from AO Labs, whose sole directive is surveying the security landscape and dark web for indicators of compromise (IOC) related to SaaS. This provides customers with visibility specific to SaaS threats and can help organizations better understand the phishing landscape, and incorporate new practices into user education and security protocols.
0ktapus won’t be the last large-scale campaign based on sophisticated phishing techniques. But taking these actionable steps can reduce the odds your organization will be the next victim.