Phishing Attack From 0ktapus Target 130 Institutions, 10 Thousand Credentials Login Dicur

Phishing attack from Oktapus managed to steal 10,000 login credentials. (photo: doc. unsplash)

JAKARTA - More than 130 organizations, including Twilio, DoorDash, and Cloudflare, have been potentially compromised by hackers as part of a months-long phishing campaign dubbed "0ktapus" by security researchers. According to a report from the Group-IB cybersecurity group, nearly 10,000 people's login credentials were stolen by attackers who imitated Okta's entry system service,

As Group-IB explains in more detail, attackers use that access for pivots and attack accounts across all other services. On August 15, Signal's secure messaging service notified Twitterlio users that the attackers allowed them to disclose as many as 1,900 Signal accounts and confirmed that they could register new devices with multiple accounts, which would allow attackers to send and receive from that account.

This week Twilio also updated its breach notifications, which also noted that 163 subscribers had accessed their data. It also notes that 93 Authy users, cloud services for multifactor authentication, have accessed their accounts and registered additional devices.

The phishing campaign target was sent a text message that directed them to the phishing site. As stated by the report from Group-IB, From the victim's point of view, the phishing site looks quite convincing because it is very similar to the authentication page they usually see. The victim was asked for username, password, and two-factor authentication code. This information was then sent to the attacker.

Interestingly, the Group-IB analysis shows that the attackers are a bit inexperienced. The analysis of the phishing kit revealed that it was not well configured and its development provided the ability to extract stolen credentials for further analysis, Roberto Martinez, senior threat intelligence analyst at Group-IB, told TechCrunch.

But experienced or not, the scale of the attack was enormous, when Group-IB detected 169 unique domains targeted by the campaign. It is believed that the 0ktapus campaign began around March 2022 and so far, some 9,931 login credentials have been stolen.

Para penyerang telah menyebarkan jaringan mereka secara luas, menargetkan beberapa industri, termasuk keuangan, gim, dan telekomunikasi. Domain yang dikutip oleh Group-IB sebagai target (tapi tidak dikonfirmasi pelanggarannya) termasuk Microsoft, Twitter, AT&T, Verizon Wireless, Coinbase, Best Buy, T-Mobile, Riot Games, dan Epic Games.

Cash seems to be one of the motives of their attacks. Seeing financial companies on the compromised list gives us the idea that attackers are also trying to steal money. In addition, some companies are targeted to provide access to crypto assets and markets, while others are developing investment tools, said a source at Group-IB, as quoted by The Verge.

Group-IB warns that they may not be aware of the full scale of this attack for some time. To avoid similar attacks like this, Group-IB offers the usual advice: always make sure to check any site URL where you enter login details; treat URLs received from unknown sources with more caution; and for additional protection, you can use a two-factor security key that is unfraudable, such as YubiKey.

According to Group-IB, a recent series of phishing attacks is one of the most impressive campaigns on its scale to date. Their report concludes that 0ktapus shows how vulnerable modern organizations are to some of the basic social engineering attacks and how far-reaching the effects of these incidents could have affected partners and their customers.

Research from Zscaler shows that phishing attacks increased by 29 percent globally in 2021 compared to the previous year. This threat scale will also not decrease in the near future.

They also note that SMS phishing is also increasing faster than other types of scams because people are starting to better recognize fraudulent emails. Socially engineered scams and hacks also seemed to increase during the COVID-19 pandemic, and earlier this year, Zscaler even noticed that Apple and Meta shared data with hackers pretending to be law enforcement officers.