Phishing campaign targeting hundreds of companies, including DoorDash and Signal




Security researchers are investigating a large-scale phishing attack targeting more than 130 companies, including financial institutions, messaging services, and telecom carriers. The scope of this hacking campaign, dubbed “0ktapus”, may take several years to fully unravel.

To be clear, this phishing campaign has nothing to do with the recent LastPass data breach. It is, however, related to the Twilio and DoorDash attacks that were reported on August 8 and August 25.

0ktapus stole nearly 10,000 login credentials

The 0ktapus phishing campaign targets major US corporations, with a few outliers based in other countries. Surprisingly, 0ktapus’ target list includes Microsoft, AT&T, Verizon, Coinbase, and Twitter. Again, these companies are targets, and we don’t know if they were successfully hacked.

As of August 26, Twilio and DoorDash are the only major companies to have announced a 0ktapus data breach. Both companies say hackers accessed user data, though Twilio says login credentials are secure. DoorDash warns that a small group of customers had their login and payment information stolen.

A Cloudflare report explains how the 0ktapus scheme works. Basically, “automated” text messages are sent to a large number of targeted company employees (including former employees) warning that their login information has expired. A link embedded in the text messages leads to a fake version of their employer’s login page, prompting the user to update their password.

All companies targeted by this campaign use Okta’s identity and access management services. And they all protect employee accounts using two-factor authentication (2FA). If an unknown device attempts to log into an employee’s account, the employee receives a verification code on their phone.

So, 0ktapus web pages mimic Okta’s authentication system. When an employee types their username and password on an 0ktapus web page, the credentials are automatically forwarded to a private Telegram channel. Hackers take this information and attempt to log into the employee’s account, which triggers the 2FA verification process. The phishing page then asks the victim to enter the 2FA verification code from their phone, and relaying that code gives the hackers access to the corporation’s backend.

We do not know the reason behind these attacks


This phishing campaign has a relatively clear narrative. Group-IB reports that 0ktapus initially targeted telcos, which may have provided the phone numbers for subsequent 2FA phishing attempts.

Most of these phishing attempts targeted corporate employees. In theory, the group behind 0ktapus could have stolen anything from the corporations, although current reports suggest the group was after customer data. This information could be used in future attacks against companies or individuals, but unfortunately, we are not sure what the 0ktapus group got.

And this is where things get a bit frustrating: the 0ktapus campaign was a bit messy. Group-IB researchers call it “hobbyist,” noting that the 0ktapus group failed to set up its phishing kit properly.

As we mentioned earlier, 0ktapus tricked people into sharing 2FA verification codes (and login details) with hackers. But these verification codes expire after a few minutes, so hackers can’t get into an account if they’re not fast enough. And evidently, the 0ktapus group sat in front of their computers all day manually entering 2FA codes, instead of using a bot to automatically enter the information and hijack accounts.

Furthermore, the phishing domains pushed victims to download a genuine copy of AnyDesk, a remote desktop application for PCs. This software is completely useless when targeting people through text messages on their phones.

We are frustrated that companies fell for a “hobbyist” phishing scheme. Especially one with such a clear paper trail.

Security researchers may have identified a hacker

Image: the “Subject X” Telegram account, which uses a profile picture of Kermit the Frog with a cape. (Group-IB)

Group-IB researchers have discovered 169 unique domains associated with 0ktapus. Most of these domains are thinly disguised copies of corporate websites and use URLs such as http://att-mfa.com/. (Don’t visit this URL, but note that it uses HTTP instead of HTTPS, an obvious sign of phishing.)

Group-IB did not need to go on a wild goose chase to find these domains. The group behind 0ktapus reused the same unique fonts, image files, and scripts on their fake websites. Once you discover a single 0ktapus domain, finding the rest is a piece of cake.
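The pivoting technique described above, as an added illustration (this is not Group-IB’s tooling, and the inventory below is constructed, not real crawl data): each candidate domain is represented by the hashes of the static assets its login page loads, and a domain joins the cluster when it shares enough of those hashes with a domain already in the cluster. The only real name used is att-mfa.com, quoted in the article; the other domains use the reserved .example TLD.

```python
"""Cluster lookalike domains by shared page assets (fonts, images, scripts)."""
import hashlib
from collections import deque

def _asset_hash(label: str) -> str:
    """Constructed stand-in for the SHA-256 of a fetched asset; a real
    crawler would hash the bytes it downloaded."""
    return hashlib.sha256(label.encode()).hexdigest()[:16]

# Constructed inventory: domain -> set of asset hashes seen on its login page.
# "kit-*" assets are the phishing kit's reused files; the banners differ per brand.
SAMPLE_INVENTORY = {
    "att-mfa.com": {
        _asset_hash("kit-font.woff2"), _asset_hash("kit-logo.png"),
        _asset_hash("kit-main.js"), _asset_hash("att-banner.png"),
    },
    "phish-b.example": {
        _asset_hash("kit-font.woff2"), _asset_hash("kit-logo.png"),
        _asset_hash("kit-main.js"), _asset_hash("other-banner.png"),
    },
    "phish-c.example": {
        _asset_hash("kit-font.woff2"), _asset_hash("kit-main.js"),
    },
    "unrelated-blog.example": {
        _asset_hash("blog-theme.css"), _asset_hash("blog-hero.jpg"),
    },
}

def build_asset_index(inventory: dict) -> dict:
    """Invert the inventory: asset hash -> set of domains serving it."""
    index: dict = {}
    for domain, assets in inventory.items():
        for asset in assets:
            index.setdefault(asset, set()).add(domain)
    return index

def pivot_from_seed(seed: str, inventory: dict, min_shared: int = 2) -> list:
    """Breadth-first walk from one known phishing domain. A domain is added
    to the cluster if it shares at least `min_shared` asset hashes with any
    domain already in the cluster, so the walk is transitive."""
    if seed not in inventory:
        raise KeyError(f"seed domain not in inventory: {seed}")
    cluster = {seed}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        for other, assets in inventory.items():
            if other in cluster:
                continue
            if len(assets & inventory[current]) >= min_shared:
                cluster.add(other)
                queue.append(other)
    return sorted(cluster)

def kit_signature(inventory: dict, min_domains: int = 3) -> set:
    """Asset hashes reused across at least `min_domains` domains: these are
    the kit's own files and make a good detection signature for new domains."""
    index = build_asset_index(inventory)
    return {asset for asset, domains in index.items() if len(domains) >= min_domains}

if __name__ == "__main__":
    print("cluster:", pivot_from_seed("att-mfa.com", SAMPLE_INVENTORY))
    print("kit assets:", sorted(kit_signature(SAMPLE_INVENTORY)))
```

Raising `min_shared` makes the walk stricter (a domain that only shares the kit’s font and main script would no longer qualify), and the `kit_signature` output is the set of hashes worth putting into a web proxy or DNS-response scanner to catch the next domain the kit is deployed on.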

More importantly, Group-IB analyzed the 0ktapus phishing kit to find its associated Telegram channel. And one user of this channel, a 22-year-old programmer nicknamed “Subject X,” was tracked down and identified. Comments left by “Subject X” in other Telegram groups revealed his Twitter account and his alleged location.

Despite the relative success of 0ktapus, it is clearly an amateur operation. That’s great news for authorities, but it’s also a sign that corporations don’t take security seriously.

What should you do?

Image: Yubico FIDO C NFC security key. (Yubico)

We still don’t know enough about the 0ktapus campaign. Presumably, more companies will come forward and announce that they were hacked. Given the breadth of this phishing scheme, it could take years for all the details to come to light.

That said, we can only give you the usual advice:

  1. Inspect any URL that is sent via email or text message.
  2. Do not interact with websites that use HTTP instead of HTTPS.
  3. If someone sends you a work-related URL or request, verify that it’s authentic with your employer.
  4. Enable two-factor authentication when possible.
  5. Use a password manager to generate unique login credentials for each website.
  6. If your work involves sensitive data, ask your company’s security team about FIDO2 solutions like YubiKey.
  7. Add a fraud alert to your credit report to reduce the financial impact of identity theft.
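Why the code-relay trick described earlier works against SMS and app-based 2FA, and why item 6 (FIDO2 keys) stops it, shown as an added example in Python. This is a simplified model written for this article, not Okta’s, Yubico’s or any WebAuthn library’s code: a real FIDO2 assertion is a public-key signature over more fields than shown here, and the HMAC below stands in for that signature only to keep the example self-contained. The genuine origin `https://sso.example` and the credential secret are constructed; `http://att-mfa.com` is the lookalike domain quoted in the article.

```python
"""One-time codes can be relayed; FIDO2 assertions are bound to the origin."""
import hashlib
import hmac
import json

REAL_ORIGIN = "https://sso.example"   # constructed: the genuine login page
RP_ID = "sso.example"                 # WebAuthn relying-party ID for that site
PHISH_ORIGIN = "http://att-mfa.com"   # lookalike domain quoted in the article
CREDENTIAL_SECRET = b"constructed-credential-secret"  # stands in for the key pair

def verify_totp(submitted: str, expected: str) -> bool:
    """A six-digit code carries no information about which page the victim
    typed it into, so the server cannot distinguish a relayed code."""
    return hmac.compare_digest(submitted, expected)

def otp_relay_outcome(server_expected: str = "492817") -> bool:
    victim_reads_from_phone = server_expected      # same code the server expects
    captured_on_phish_page = victim_reads_from_phone
    return verify_totp(captured_on_phish_page, server_expected)  # accepted

def origin_allowed_for_rp(origin: str, rp_id: str) -> bool:
    """The browser only invokes a credential when the page's origin is secure
    and its host equals the RP ID or is a subdomain of it."""
    if not origin.startswith("https://"):
        return False
    host = origin.split("://", 1)[1].split("/", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)

def _signed_bytes(rp_id: str, client_data: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data.encode()).digest()

def browser_assertion(origin: str, rp_id: str, challenge: str, secret: bytes):
    """What the browser/authenticator returns for a login on `origin`.
    Returns None when the browser refuses because the origin does not match."""
    if not origin_allowed_for_rp(origin, rp_id):
        return None
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(secret, _signed_bytes(rp_id, client_data), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}

def server_verify(assertion, expected_origin: str, rp_id: str, challenge: str, secret: bytes) -> bool:
    """Relying-party checks: origin and challenge inside the signed client
    data must match, and the signature must verify with the stored key."""
    if assertion is None:
        return False
    cd = json.loads(assertion["client_data"])
    if cd.get("origin") != expected_origin or cd.get("challenge") != challenge:
        return False
    expected_sig = hmac.new(secret, _signed_bytes(rp_id, assertion["client_data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, assertion["signature"])

def genuine_login_outcome() -> bool:
    challenge = "server-nonce-1"
    assertion = browser_assertion(REAL_ORIGIN, RP_ID, challenge, CREDENTIAL_SECRET)
    return server_verify(assertion, REAL_ORIGIN, RP_ID, challenge, CREDENTIAL_SECRET)

def fido_relay_outcome() -> bool:
    """Attacker forwards the real server's challenge to the lookalike page.
    The browser there will not produce an assertion for RP ID sso.example."""
    challenge = "server-nonce-2"
    assertion = browser_assertion(PHISH_ORIGIN, RP_ID, challenge, CREDENTIAL_SECRET)
    return server_verify(assertion, REAL_ORIGIN, RP_ID, challenge, CREDENTIAL_SECRET)

def forged_assertion_outcome() -> bool:
    """Attacker writes client data claiming the real origin, but cannot sign
    it without the victim's credential, so verification fails."""
    challenge = "server-nonce-3"
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": REAL_ORIGIN}, sort_keys=True)
    forged = {"client_data": client_data,
              "signature": hmac.new(b"attacker-guess", _signed_bytes(RP_ID, client_data), hashlib.sha256).hexdigest()}
    return server_verify(forged, REAL_ORIGIN, RP_ID, challenge, CREDENTIAL_SECRET)

if __name__ == "__main__":
    print("OTP relayed through phishing page accepted:", otp_relay_outcome())
    print("FIDO2 assertion relayed through phishing page accepted:", fido_relay_outcome())
    print("Forged FIDO2 assertion accepted:", forged_assertion_outcome())
    print("Genuine FIDO2 login accepted:", genuine_login_outcome())
```

The contrast is the whole point: the relayed one-time code is accepted because nothing in it records where it was entered, while the FIDO2 path fails at two independent places, first in the browser (the lookalike origin is neither HTTPS nor within the relying-party ID) and again at the server (the origin is part of what the authenticator signs, so it cannot be rewritten after the fact).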

These steps will significantly improve your security. They will also make sure that in the event of a data breach, you can respond quickly and (hopefully) protect yourself.

Once again, this is a developing story. We will update this article as we get new information about the 0ktapus campaign.