Companies such as Twillo, Signal, DoorDash, and Cloudfare have been targeted in a vast phishing campaign nicknamed 0ktapus. The hackers conducted this months-long security campaign, in which they were able to steal the login credentials of 10,000 individuals.
According to a report from Group-IB, a cybersecurity outfit, the attackers imitated the service Okta, a popular sign-on service. The attackers used this access to attack many accounts across other services.
On August 15th, Signal, a secure messaging service, alerted the users. They informed them that the attackers’ Twilio breach might allow them to reveal up to 1900 Signal accounts. Group-IB also confirmed that they would be able to register new devices to a few accounts. By doing so, the attackers would be able to send and receive from that account.
Twilio has also updated its breach notifications. They have noted that 163 customers’ data has been accessed. Furthermore, 93 Authy users, their cloud service for multifactor authentication, had had their accounts accessed, and the attackers registered additional devices onto them.
Those who were targeted by the phishing campaign were sent text messages, which redirected them toward a phishing site. This site looked pretty similar to authentication pages, which are quite common. The victims were asked for their username, password, and a two-factor authentication code. The page then forwarded such sensitive information to the attackers.
According to the analysis of Group-IB, the attackers were inexperienced because the phishing kit was poorly configured on closer inspection. Roberto Martinez, a senior threat intelligence analyst at Group-IB, noted that the phishing kit had been developed in a way that allowed it to extract stolen credentials for further analysis by the attackers.
However, despite the inexperienced kit, the scale of the attack was massive as Group-IB identified 169 unique domains which were targeted. They believe that the campaign started around March 2022, and as of now, the attackers have stolen 9931 login credentials.
Read Also
- Apple is Updating a Few Sounds in The New iOS 16
- XCSSET macOS Malware Has Been Updated to Python 3 To Attack macOS Monterey Users
- In a $350 Million Deal, the Web-Hosting Firm Cloudways Has Been Bought by DigitalOcean
- Facebook’s Configuration Change Turns News Feeds Into Chaos
- The Nothing Phone (1) Won’t Have the Android 13 Just Yet
- WhatsApp Accounts on Counterfeit Phones Are Being Hacked Using Backdoors
- DoNot Haker’s Malware Toolkit Received an Update With Improved Capabilities