Okta SSO accounts targeted in vishing data theft attacks

▼ Summary
– Okta warns of custom phishing kits designed for voice-based social engineering (vishing) attacks to steal SSO credentials.
– These kits operate as adversary-in-the-middle platforms, allowing real-time manipulation and synchronization with MFA prompts during calls.
– Attackers perform reconnaissance, use spoofed numbers, and relay stolen credentials and TOTP codes via platforms like Telegram to bypass MFA.
– The stolen credentials provide access to a company’s integrated platforms (e.g., Salesforce) for data theft, followed by extortion demands.
– Okta recommends using phishing-resistant MFA, such as security keys or passkeys, to defend against these sophisticated attacks.
A new wave of sophisticated phishing attacks is targeting employee credentials for Okta’s single sign-on service, using real-time voice calls to get around conventional security controls. Okta warns that these adversary-in-the-middle phishing kits are sold as a service and let threat actors steer a victim during a live phone conversation, so that the fraudulent multi-factor authentication prompts the victim sees appear entirely legitimate.
The core danger lies in the kits’ design for live interaction. Unlike a static phishing page, these platforms let an attacker who is on the call change what the victim sees in their browser in real time. As the victim enters a username and password, the credentials are forwarded immediately to the attacker, who submits them to the genuine Okta login. When Okta responds with an MFA challenge, such as a push notification or a one-time password, the attacker selects the matching dialog and the phishing page updates to show it. Because the second factor is relayed exactly like the password, the victim ends up approving a push or typing a code for the attacker’s session rather than their own; any factor that is merely a value the user can read out or a prompt the user can approve can be relayed this way.
These operations are meticulously planned. Threat actors first conduct reconnaissance on a targeted employee, learning which applications they use and gathering corporate IT support phone numbers. They then create customized phishing pages and call the victim from spoofed numbers that appear to belong to the internal help desk. Credentials entered on the fake site are commonly relayed to Telegram channels controlled by the attackers. This method also defeats modern push-based MFA with number matching: the attacker, who is the one actually logging in, sees the number on the genuine login page and simply tells the victim which number to select, while the phishing kit displays the corresponding prompt.
Okta recommends that customers move to phishing-resistant MFA such as Okta FastPass, FIDO2 security keys, or passkeys to counter these tactics. These factors bind the authentication to the legitimate origin, so a credential exercised on a look-alike domain cannot be relayed to the real service the way a code or push approval can. The advisory follows private warnings to customers about ongoing social engineering campaigns aimed at credential theft.
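To make the difference concrete, the following added example (not Okta’s code, not the kit’s code) models the relay described above against both kinds of factor. The Okta org hostname, the phishing hostname and the credential key are hypothetical, and an HMAC stands in for the authenticator’s ECDSA signature so the block runs with the standard library only. A relayed TOTP code is accepted because nothing ties it to the site it was typed into; a WebAuthn assertion fails three different ways because the browser, not the page, writes the origin into the signed data.

```python
"""Relay attack vs TOTP and vs WebAuthn. Added illustration; hostnames, keys
and the HMAC-as-signature are assumptions, not real Okta identifiers."""
import hashlib
import hmac
import json
import struct
from urllib.parse import urlparse

RP_ID = "login.example-corp.okta.example"                  # hypothetical Okta org
LEGIT_ORIGIN = "https://" + RP_ID
PHISH_ORIGIN = "https://my-example-corp-internal.example"  # "my" + company + "internal"


# --- Relayable factor: TOTP (RFC 6238, HMAC-SHA1, 30 s step, 6 digits) ---
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def relay_totp(victim_secret: bytes, now: int) -> bool:
    """Victim reads the code from their app and types it into the phishing page;
    the kit forwards it (e.g. via Telegram) and the attacker submits it to the
    real login within the same window. Nothing binds the code to a site."""
    code_typed_by_victim = totp(victim_secret, now)
    code_submitted_by_attacker = code_typed_by_victim       # a relay is a copy
    return hmac.compare_digest(totp(victim_secret, now), code_submitted_by_attacker)


# --- Non-relayable factor: WebAuthn assertion ---
def authenticator_sign(cred_key: bytes, rp_id: str, client_data: dict) -> dict:
    """Signature covers authenticatorData (starts with sha256(rpId)) and
    sha256(clientDataJSON), so origin and challenge are under the signature."""
    cdj = json.dumps(client_data, separators=(",", ":")).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(cdj).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": cdj, "authenticatorData": auth_data, "signature": sig}


def browser_get_assertion(page_origin: str, rp_id: str, challenge: str, cred_key: bytes) -> dict:
    """Models navigator.credentials.get(): the browser fills in `origin` from the
    page actually loaded (the page cannot choose it) and refuses when that page
    is not within rpId, which is what happens on the phishing domain."""
    host = urlparse(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("SecurityError: origin not within rpId")
    return authenticator_sign(cred_key, rp_id,
                              {"type": "webauthn.get", "challenge": challenge, "origin": page_origin})


def rp_verify(cred_key: bytes, challenge: str, a: dict) -> str:
    """Relying-party checks, in the order a real verifier performs them."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != challenge:
        return "challenge mismatch"
    if cd.get("origin") != LEGIT_ORIGIN:
        return "origin mismatch"
    if a["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    signed = a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expected, a["signature"]) else "bad signature"


def relay_webauthn(cred_key: bytes, challenge: str) -> dict:
    """Attacker forwards the real challenge to the victim's browser in real time,
    exactly as the kit does with TOTP, and tries three ways to use the result."""
    out = {"legit": rp_verify(cred_key, challenge,
                              browser_get_assertion(LEGIT_ORIGIN, RP_ID, challenge, cred_key))}
    try:  # 1. phishing page requests the real rpId: the browser refuses outright
        browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge, cred_key)
        out["phish_same_rpid"] = "assertion produced"
    except PermissionError as e:
        out["phish_same_rpid"] = str(e)
    # 2. even a client that skipped that check signs the phishing origin in
    forged = authenticator_sign(cred_key, RP_ID,
                                {"type": "webauthn.get", "challenge": challenge, "origin": PHISH_ORIGIN})
    out["phish_origin_relayed"] = rp_verify(cred_key, challenge, forged)
    # 3. attacker rewrites origin in clientDataJSON before forwarding: hash changes
    cd = json.loads(forged["clientDataJSON"])
    cd["origin"] = LEGIT_ORIGIN
    tampered = dict(forged, clientDataJSON=json.dumps(cd, separators=(",", ":")).encode())
    out["phish_origin_rewritten"] = rp_verify(cred_key, challenge, tampered)
    return out


if __name__ == "__main__":
    key = b"\x11" * 32  # constructed credential key / TOTP seed
    print("TOTP relay accepted:", relay_totp(key, 1_700_000_000))
    for k, v in relay_webauthn(key, "c2VydmVyLWNoYWxsZW5nZQ").items():
        print(f"{k:24s} {v}")
```

The same reasoning covers push approval with number matching: the number is a value the attacker reads from the genuine login page and speaks to the victim, so it relays like the TOTP path here. Okta FastPass relies on the same origin check rather than on a value the user can be talked into repeating.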
Okta’s SSO service acts as a central gateway for many enterprise platforms, including Microsoft 365, Google Workspace, Salesforce, Slack, and Zoom. Access to an employee’s Okta dashboard therefore gives a threat actor a direct path to a company’s cloud storage, development, CRM, and data analytics tools. In these attacks, employees are called by individuals impersonating IT staff who offer to help set up passkeys for Okta login. The victim is directed to a tailored phishing site, often on a domain name containing “internal” or “my” followed by the company name.
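Defenders can turn that naming pattern into a watch rule over newly observed hostnames (certificate transparency feeds, new-domain registrations, proxy logs). The block below is an added example, not from the article or from Okta: the company name, its legitimate domains and the candidate hostnames are constructed, “internal” and “my” come from the article, and the remaining lure keywords are this example’s own additions. It strips the last label before matching the brand, a simplification that does not handle multi-label public suffixes such as co.uk.

```python
"""Flag hostnames that embed the company name next to a lure keyword, as in the
kit domains described above. Added example; inputs are constructed."""
import re
from typing import Optional

# "internal" and "my" are from the article; the rest are assumed lure words.
KEYWORDS = ("internal", "my", "sso", "okta", "login", "passkey")

COMPANY = "Acme Wealth"                                   # constructed company
LEGIT_SUFFIXES = ("acmewealth.example", "acmewealth.okta.example")  # its own domains

SAMPLE_HOSTS = [                                         # constructed CT-log style feed
    "my-acme-wealth-internal.example",   # kit pattern: my + company + internal
    "acmewealth-sso.example",
    "myacmewealth.example",
    "acmewealth-careers.example",        # brand but no lure word
    "login.acmewealth.okta.example",     # legitimate Okta org
    "sso.acmewealth.example",            # legitimate corporate host
    "internal-tools.other.example",      # lure word, no brand
]


def brand_forms(company: str) -> list:
    """'Acme Wealth' -> ['acmewealth', 'acme'] (longest first). Hyphens are
    removed from hostnames before comparison, so 'acme-wealth' matches too."""
    words = re.findall(r"[a-z0-9]+", company.lower())
    forms = {"".join(words)}
    if len(words) > 1:
        forms.add(words[0])  # brand alone, e.g. 'acme'
    return sorted(forms, key=len, reverse=True)


def classify(host: str, company: str, legit_suffixes: tuple) -> Optional[dict]:
    """Return a finding when `host` is not under a legitimate domain and embeds
    the brand together with a lure keyword; otherwise None."""
    h = host.lower().rstrip(".")
    if any(h == s or h.endswith("." + s) for s in legit_suffixes):
        return None
    name = h.rsplit(".", 1)[0] if "." in h else h         # drop TLD (simplification)
    labels = re.split(r"[.-]", name)                       # 'my-acme-wealth' -> parts
    brand = next((b for b in brand_forms(company) if b in name.replace("-", "")), None)
    if brand is None:
        return None
    # A keyword may stand alone as a label ('my-acmewealth') or be glued to the
    # brand inside one label ('myacmewealth'); handle both forms.
    glued = {lab.replace(brand, "", 1) for lab in labels if brand in lab}
    hits = sorted(k for k in KEYWORDS if k in labels or k in glued)
    return {"host": h, "brand": brand, "keywords": hits} if hits else None


def scan(hosts, company: str, legit_suffixes: tuple) -> list:
    """Run classify() over a feed and keep only the findings."""
    return [f for f in (classify(h, company, legit_suffixes) for h in hosts) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_HOSTS, COMPANY, LEGIT_SUFFIXES):
        print(finding)
```

Findings from such a scan are a prompt to register or take down the domain and to brief the help desk, not proof of an attack; a brand-plus-keyword name with no lure word (the careers host above) is deliberately left unflagged to keep the rule quiet.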
Once credentials are stolen, attackers log into the Okta dashboard to see which integrated platforms the employee can access and proceed to exfiltrate data. In one security report sent by the threat actors to a victim, they stated, “We gained unauthorized access to your resources by using a social-engineering-based phishing attack to compromise an employee’s SSO credentials.” The note indicated a preference for stealing data from Salesforce due to the perceived ease of exfiltration. Following data theft, extortion emails are sent to the company demanding payment to prevent publication.
Sources indicate that some of these extortion demands are signed by the notorious ShinyHunters group, though the group declined to comment when contacted. The attacks are currently focused on companies within the fintech, wealth management, financial, and advisory sectors.
In a statement, Okta emphasized that defending against these campaigns requires vigilance. “It is clear how sophisticated and insidious phishing campaigns have become and it’s crucial that companies take all necessary measures to secure their systems and continue to educate their employees on vigilant security best practices,” the company said, directing customers to its security blogs for detailed guidance on identifying and preventing such social engineering attacks.
(Source: Bleeping Computer)