A phishing campaign that first made news for breaching phone verification service Twilio (and Twilio client Signal) appears to be bigger than initially realized. A similarity in the technique used by the hackers has linked the campaign to breaches of over 130 other organizations, and attempts on likely thousands more (most of which are based in the United States).
The phishing campaign is focusing on clients of Okta, a third-party security verification company that provides service to numerous business clients. The attackers message employees at businesses known to use Okta login portals, attempting to direct them to a fake login page. While security researchers describe their methods as being on the more unsophisticated side, the campaign has managed to steal credentials and 2FA codes from a number of major companies, including MailChimp and DoorDash.
Hackers seeking cash, crypto account info, proprietary information from Okta clients
The perpetrators of the phishing campaign have not yet been made known to the public, but security firm Group-IB says that it appears to be a criminal group looking for quick profits. Companies that have been breached have witnessed the hackers going after cryptocurrency accounts and information, any financial information or accounts that might be available, and valuable company insider information.
Group-IB says that it has some identifying information on the attackers, but is keeping it from the public while law enforcement follows up on it. The phishing campaign does not appear to be connected to the recent compromise of Okta attributed to the North Korean Lazarus group (in early 2022) or to an incident involving company security cameras that took place in early 2021.
Employee VPNs should be checked for Okta phishing campaign vulnerability
The phishing campaign makes use of over 160 domains, some of which are intended to look like legitimate Okta or VPN sites. While the approach of sending text messages to employees and attempting to trick them into following a bogus link is basic, Group-IB says that the phishing pages are well done and look very much like the authentic page. Employees should check URLs carefully to ensure that they are valid, and ideally not use links from emails or text messages to log into anything using company credentials.
The attackers were traced by repeated use of some of these domains along with similar scripts, images and fonts. The phishing campaign appears to still be ongoing and has been very successful, taking in nearly 10,000 login credentials (about half of which included MFA codes). The breach of DoorDash appears to have come through a third-party vendor and exposed some partial customer payment information, as well as profile and order information for both customers and employees. MailChimp’s warning about their breach indicates that the attackers had a heavy focus on cryptocurrency companies that use its email marketing platform, going after a little over 200 accounts while they had access to the system.
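The pattern the article describes, lookalike domains that borrow the Okta or VPN brand and arrive as links in text messages, lends itself to a simple defender-side triage check. The following is an added example, not code from the article or from Group-IB; the legitimate tenant hostnames and the sample messages are constructed placeholders.

```python
"""Triage links in an incoming SMS/email against an Okta-lookalike pattern."""
import re
from urllib.parse import urlparse

# Constructed example values: the hostnames this organisation's users should
# actually be signing in to. A real deployment would load these from config.
LEGITIMATE_HOSTS = {"example.okta.com", "vpn.example.com"}
# Brand words the campaign's lookalike domains borrowed from Okta/VPN portals.
BRAND_KEYWORDS = ("okta", "sso", "vpn")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_of(url: str) -> str:
    """Lowercased hostname from a URL, or '' if it does not parse as one."""
    host = (urlparse(url).hostname or "").lower()
    return host if re.fullmatch(r"[a-z0-9.-]+", host) else ""


def classify_url(url: str) -> str:
    """Return 'legitimate', 'lookalike', 'unknown' or 'invalid' for one URL."""
    host = host_of(url)
    if not host:
        return "invalid"
    # Exact match, or a genuine subdomain of an allowed host.
    if any(host == h or host.endswith("." + h) for h in LEGITIMATE_HOSTS):
        return "legitimate"
    # A real hostname embedded inside a foreign domain, or a brand keyword
    # anywhere in the host, is the impersonation pattern described above.
    if any(h in host for h in LEGITIMATE_HOSTS):
        return "lookalike"
    if any(k in host for k in BRAND_KEYWORDS):
        return "lookalike"
    return "unknown"


def triage_message(text: str) -> list[tuple[str, str]]:
    """Extract every URL from a message body and classify each one."""
    return [(m.group(0), classify_url(m.group(0))) for m in URL_RE.finditer(text)]


# Constructed sample messages (not taken from the real campaign).
SAMPLE_MESSAGES = [
    "Your Okta session expires today, re-verify: https://example-okta.com/login",
    "Team sync moved to 3pm: https://example.okta.com/app/dashboard",
    "VPN maintenance tonight, see https://example.okta.com.verify-sso.net/",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for url, verdict in triage_message(msg):
            print(f"{verdict:10} {url}")
```

The keyword list is deliberately broad, so in practice the "lookalike" verdict is a signal for review or URL blocking, not proof of fraud on its own.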