
Okta Users Targeted by Advanced Phishing & Vishing Kits

Originally published on: January 24, 2026
Summary

– Threat actors are using new vishing kits that intercept login credentials and allow real-time control of a target’s browser authentication flow during attacks.
– These custom phishing kits are offered as-a-service and are increasingly used to target major identity providers like Google, Microsoft, Okta, and cryptocurrency platforms.
– The attacks involve social engineering where an attacker, posing as IT support, guides a victim through a phishing page that updates in sync with legitimate multi-factor authentication (MFA) challenges.
– This method is highly effective, as it lends plausibility to the scam and can bypass several common MFA types, including push notifications with number matching.
– Experts warn these vishing-enabled kits are expected to become the norm, and only phishing-resistant MFA options like FIDO2 security keys provide strong protection.

A new wave of sophisticated phishing kits is enabling threat actors to launch highly effective attacks against corporate users, particularly those of major identity platforms. These kits allow attackers to intercept login credentials in real time while simultaneously controlling the authentication flow displayed in a victim’s browser. Security researchers warn that these custom tools, often offered on an as-a-service basis, are being used by a growing number of intrusion groups targeting organizations that rely on Google, Microsoft, Okta, and various cryptocurrency providers.

The kits represent a significant evolution in vishing, or voice phishing, techniques. Attackers can adapt phishing pages on the fly to match a live phone conversation, syncing the browser display with whatever legitimate multi-factor authentication (MFA) prompts the attacker encounters. This creates a seamless, convincing experience for the target, dramatically increasing the likelihood of success.

From the victim’s perspective, the attack often begins with a call from someone impersonating an IT help desk. The caller, having researched the target, uses a spoofed number and a convincing pretext, like requiring a security update or passkey setup, to direct the user to a fraudulent login page. As the user enters their username and password, the credentials are instantly forwarded to the attacker, typically via a messaging service like Telegram.

The attacker then uses those credentials on the genuine sign-in portal. When prompted for a second authentication factor, the social engineer verbally primes the victim to expect the same challenge. The phishing page is updated in real time to display an identical MFA prompt, making a suspicious request appear legitimate. After collecting the one-time code or approving the push notification, the attacker completes the login on the real site while showing the user a reassuring message like “Security check successful.”

This hybrid approach is alarmingly effective at bypassing common MFA methods, including SMS codes, voice OTPs, and even push notifications with number matching. A social engineer on the phone can simply ask the user to enter or select a specific number displayed on the phishing page. Security experts anticipate that these vishing-enabled, adversary-in-the-middle (AitM) phishing kits will quickly become the standard due to their high success rates.

The threat landscape is shifting from generic kits to bespoke panels tailored for specific services. Where attackers once purchased access to basic kits targeting all popular identity providers, a new generation of fraudsters is selling specialized access for each platform. This customization makes attacks more difficult to detect and resist.

To defend against these advanced campaigns, organizations are urged to adopt phishing-resistant MFA. Options like FIDO2/WebAuthn security keys, passkeys, smart cards, or certificate-based authentication provide the strongest protection because they cannot be intercepted via a phishing site. Additionally, companies can frustrate these actors by implementing network zones or tenant access control lists that deny connections from the anonymizing services and proxy networks commonly used by threat actors.
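The following sketch is an added example, not part of the original article or any vendor's code. It shows the origin, RP ID and challenge checks a relying party applies to a FIDO2/WebAuthn assertion, which is why a response produced on a lookalike domain is rejected where a relayed one-time code would be accepted. The domain names, challenge value and helper names are constructed for illustration, and signature verification is omitted.

```python
import base64, hashlib, json

# Assumed relying-party settings for this sketch (constructed values).
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: bytes) -> tuple[bool, str]:
    """Origin, RP ID and challenge checks from WebAuthn assertion verification.
    A real relying party must also verify the signature over
    authenticatorData || SHA-256(clientDataJSON); that step is omitted here."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    # The browser, not the page, writes the origin field.
    if client.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {client.get('origin')!r} not allowed"
    # authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4) | ...
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"

def make_sample(origin: str, rp_id: str, challenge: bytes):
    """Build a constructed assertion as a browser visiting `origin` would report it."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                      "origin": origin}).encode()
    flags = bytes([0x05])  # user present + user verified
    auth = hashlib.sha256(rp_id.encode()).digest() + flags + (7).to_bytes(4, "big")
    return cdj, auth

CHALLENGE = b"\x01" * 32  # constructed; a real server issues a fresh random value
GENUINE = make_sample("https://login.example.com", "login.example.com", CHALLENGE)
# Constructed lookalike domain standing in for a phishing page.
RELAYED = make_sample("https://login.example-support.com",
                      "login.example-support.com", CHALLENGE)

if __name__ == "__main__":
    print(check_assertion_binding(*GENUINE, CHALLENGE))
    print(check_assertion_binding(*RELAYED, CHALLENGE))
```

An SMS code, voice OTP or number-matching push carries no equivalent of the `origin` and `rpIdHash` fields, so the server has nothing to compare against the page the user actually typed into.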

In related news, the cyber extortion group ShinyHunters has claimed access to systems at business intelligence firm Crunchbase and financial advisory company Betterment, allegedly by obtaining Okta single sign-on credentials through vishing attacks. These claims have not been independently verified by the affected companies at this time.

(Source: HelpNet Security)
