More than 130 organizations, including Twilio, Best Buy, DoorDash, and Cloudflare, were potentially compromised by hackers in a months-long phishing campaign dubbed “0ktapus” by security researchers. The credentials of nearly 10,000 users were stolen by attackers who mimicked the popular Okta single sign-on service, according to a report by Group-IB, a cybersecurity firm.
According to Group-IB, attackers used this access to modify and attack accounts on other services. On August 15, secure messaging service Signal warned users that the Twilio hack allowed attackers to expose up to 1,900 Signal accounts and confirmed that they were able to register new devices to some of the accounts, allowing attackers to send and receive messages from the account.
Twilio also updated its breach notice this week, noting that 163 customers had accessed the data. The company also noted that 93 users of Authy, its cloud-based multifactor authentication service, accessed their accounts and registered additional devices.
Content
How did the phishing attack happen?
Phishing campaign targets were sent text messages that redirected them to the phishing website. According to the Group-IB report, “From the victim’s point of view, the phishing site looks quite convincing as it is very similar to the authentication page they are used to seeing.” Victims were asked to enter their username, password, and two-factor authentication code. This information was then sent to the attackers.
What’s curious is that Group-IB’s analysis suggests that the attackers were somewhat inexperienced. “The analysis of the phishing kit revealed that it was poorly configured and the way it had been developed provided an ability to extract stolen credentials for further analysis,” Roberto Martinez, senior threat analysis analyst at Group-IB, told TechCrunch.
Whether their path was experienced or not, the scale of the attack is enormous. Group-IB discovered 169 unique domains targeted by the campaign. The 0ktapus campaign is believed to have begun around March 2022, and some 9,931 credentials have been stolen so far.
The intruders have spread their networks widely, targeting a variety of industries, including financial, gaming, and telecommunications. Domains mentioned by Group-IB as targets (but not confirmed hacked) include Microsoft, Twitter, AT&T, Verizon Wireless, Coinbase, Best Buy, T-Mobile, Riot Games, and Epic Games.
What was the motivation of the hackers?
Apparently, at least one of the motivations for the attacks was money. The researchers stated, “Seeing financial companies in the compromised list gives us the idea that the attackers were also trying to steal money. Furthermore, some of the targeted companies provide access to crypto assets and markets, whereas others develop investment tools.”
How to secure against such attacks
Group-IB states that the full extent of this attack is unlikely to be known for some time. And they recommend the following methods to protect against such attacks:
- Always check the URL of any site where you enter login information.
- Be suspicious of URLs derived from unknown sources.
- And for additional protection, you can use “unsinkable” two-factor security keys such as YubiKey.
According to Group-IB, this recent series of phishing attacks is one of the most impressive campaigns of this scale to date. The report concludes that “Oktapus shows how vulnerable modern organizations are to some basic social engineering attacks and how far-reaching the effects of such incidents can be for their partners and customers.”
The magnitude of these threats is unlikely to diminish anytime soon. Research by Zscaler shows that phishing attacks worldwide increased by 29 percent in 2021 over the previous year, and notes that SMS phishing, in particular, is growing faster than other types of scams as people have become better at recognizing fraudulent emails.
