0ktapus Phishing Kit Deployed in Massive Campaign

A large-scale phishing campaign that was executed recently affected over a hundred organizations and companies. The tool used bears the same name as the threat actor behind the phishing campaign - 0ktapus.

The campaign is estimated to have started as early as March 2022 and extended over months. Almost all entities targeted in the campaign used the Okta platform as their identity management platform of choice, which is also why the campaign was dubbed 0ktapus.

Credentials and multi-factor authentication codes intercepted and stolen in the attack were later used to gain illegal access to victim networks through VPNs and devices providing remote access.

The list of victims is as impressive as it is lengthy and includes names such as T-Mobile, Slack, AT&T Mobile, CoinBase, Epic Games, Microsoft, Best Buy and Twitter.

The attack was pulled off using malicious SMS messages. The malicious texts contained a link to a phishing portal, doctored to resemble a legitimate Okta login page. The victims who took the bait had to enter both their login credentials and their multi-factor authentication codes in the phishing form. The campaign was executed using nearly 170 domains that were operated by 0ktapus.

Once stolen, login credentials were forwarded to a Telegram channel controlled by the attackers. Nearly 10 thousand user credential strings were stolen in the attack, together with over 3 thousand emails.

August 29, 2022