- Hackers use adaptable phishing kits with vishing to bypass real-time MFA
- Victims are profiled, tricked via fake calls and redirected to customized phishing websites
- Okta urges phishing-resistant 2FA and network controls to block these attacks
Hackers have begun using highly sophisticated phishing kits that adapt in real time to complement their vishing (voice phishing) attacks, experts have warned.
Security researchers from Okta revealed that they “discovered and dissected” several custom phishing kits that are currently being used to target people’s Google, Microsoft and Okta accounts, as well as a number of cryptocurrency providers.
The attack starts with the threat actor profiling the victim, learning about the apps and the IT support phone numbers they use. They then deploy a custom phishing website and call victims via a spoofed company or support phone number.
Use phishing-resistant 2FA
In the next steps, they trick the victim into visiting the customized phishing website and trying to log in. The credentials are immediately forwarded to the attacker, who in turn uses them to log into the legitimate service. If presented with any form of MFA that is not phishing-resistant, the attacker can update the phishing page in real time to prompt the user to complete the process.
Okta says that the quality of the tool and the flexibility it provides made vishing, as an attack type, more popular:
“When you get in the driver’s seat of one of these tools, you can immediately see why we’re observing higher volumes of voice-based social engineering,” said Moussa Diallo, threat researcher at Okta Threat Intelligence.
“Using these kits, an attacker on the phone of a targeted user can control the authentication flow when that user interacts with credential phishing pages. They can control what pages the target sees in their browser in perfect sync with the instructions they give during the call. The threat actor can use this sync to defeat any form of MFA that isn’t resilient.”
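Why a relayed code gets through while phishing-resistant MFA does not is easiest to see in a small model. The example below is added here and is not Okta's research code: it uses a keyed HMAC as a stand-in for the authenticator's asymmetric signature, and the origins, challenge format and credential secret are constructed. The point it demonstrates is origin binding: a one-time code has nothing tying it to the site where it was typed, whereas an assertion signed over the origin the browser actually visited fails verification when the kit forwards it.

```python
import hashlib
import hmac
import json
import secrets

# Constructed model (not Okta's research code) of the difference between a
# one-time code and an origin-bound assertion when an attacker relays the
# login in real time. The "signature" is an HMAC under a per-credential secret
# standing in for the authenticator's asymmetric signature; the check that
# matters, origin binding, works the same way.

LEGIT_ORIGIN = "https://login.example.com"   # constructed relying party
PHISH_ORIGIN = "https://login-examp1e.com"   # constructed look-alike site


def relay_otp_login(otp_typed_on_phish_page: str, otp_expected_by_service: str) -> bool:
    """A one-time code carries no information about where it was typed, so the
    code the victim enters on the phishing page verifies when the attacker
    forwards it to the real service within the validity window."""
    return hmac.compare_digest(otp_typed_on_phish_page, otp_expected_by_service)


class Authenticator:
    """Stand-in for a platform or roaming authenticator. The browser, not the
    user, supplies the origin, so it is the site the victim is really on."""

    def __init__(self, credential_secret: bytes):
        self.secret = credential_secret

    def sign(self, challenge: bytes, browser_origin: str) -> dict:
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": browser_origin},
            sort_keys=True,
        ).encode()
        sig = hmac.new(self.secret, client_data, hashlib.sha256).hexdigest()
        return {"client_data": client_data, "sig": sig}


class RelyingParty:
    """Verifier for the legitimate service."""

    def __init__(self, origin: str, credential_secret: bytes):
        self.origin = origin
        self.secret = credential_secret
        self.pending: set[str] = set()

    def begin(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge.hex())
        return challenge

    def finish(self, assertion: dict) -> bool:
        data = json.loads(assertion["client_data"])
        if data.get("type") != "webauthn.get":
            return False
        if data.get("challenge") not in self.pending:
            return False                      # unknown or replayed challenge
        self.pending.discard(data["challenge"])
        if data.get("origin") != self.origin:
            return False                      # signed for a different site
        expected = hmac.new(self.secret, assertion["client_data"], hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion["sig"])


SECRET = b"constructed-credential-secret"


def direct_webauthn_login() -> bool:
    """Victim is really on the legitimate site: the assertion verifies."""
    rp, auth = RelyingParty(LEGIT_ORIGIN, SECRET), Authenticator(SECRET)
    return rp.finish(auth.sign(rp.begin(), LEGIT_ORIGIN))


def relayed_webauthn_login() -> bool:
    """The kit opens a real session, forwards the challenge to the victim's
    browser on the phishing page, and relays the resulting assertion back."""
    rp, auth = RelyingParty(LEGIT_ORIGIN, SECRET), Authenticator(SECRET)
    challenge = rp.begin()
    assertion = auth.sign(challenge, PHISH_ORIGIN)   # browser reports the phishing origin
    return rp.finish(assertion)


if __name__ == "__main__":
    print("OTP relayed by kit accepted:    ", relay_otp_login("482913", "482913"))
    print("Origin-bound assertion, direct: ", direct_webauthn_login())
    print("Origin-bound assertion, relayed:", relayed_webauthn_login())
```

The relying party never learns anything about the phone call or the victim's intent; it simply refuses an assertion whose signed origin is not its own, which is why a kit that perfectly syncs the page with the caller's instructions still cannot complete the login.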
Defending against these attacks requires implementing phishing-resistant 2FA, Okta stressed. That may mean one of its own products or an access key, “or both, for the sake of redundancy”. The company also said threat actors are “frustrated” when network zones and tenant access control lists are created, denying access via the anonymization services they prefer.
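The network-zone control described above can be modelled as a small policy check over sign-in events. The example below is added here and is not Okta's configuration format or log schema: the zone names, the documentation-range CIDRs standing in for office, VPN and anonymizer address space, and the sign-in lines are all constructed. It shows the order of evaluation a defender wants (anonymizer ranges denied first, then anything outside named zones) and produces the per-user denial summary that surfaces a relayed login attempt arriving from a proxy.

```python
import ipaddress
from collections import Counter

# Constructed policy and sign-in log (not Okta's configuration or log format):
# named network zones that are allowed to authenticate, plus ranges treated as
# anonymization services. The CIDRs are documentation ranges standing in for
# real office, VPN and anonymizer address space.
ALLOWED_ZONES = {
    "corp-office": ["203.0.113.0/24"],
    "corp-vpn": ["198.51.100.0/25"],
}
ANONYMIZER_RANGES = ["192.0.2.0/24"]   # placeholder for a commercial proxy/VPN list


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


ZONE_NETS = {zone: _nets(cidrs) for zone, cidrs in ALLOWED_ZONES.items()}
BLOCKED_NETS = _nets(ANONYMIZER_RANGES)


def evaluate(ip: str) -> tuple[str, str]:
    """Return (decision, reason). Anonymizer ranges are denied first, then
    anything outside the named zones; only traffic from a known zone passes."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in BLOCKED_NETS):
        return ("deny", "anonymizer")
    for zone, nets in ZONE_NETS.items():
        if any(addr in net for net in nets):
            return ("allow", zone)
    return ("deny", "outside_zones")


# Constructed sign-in attempts: "<user> <source_ip>"
SAMPLE_EVENTS = """\
alice 203.0.113.44
alice 192.0.2.17
bob 198.51.100.9
bob 198.51.100.200
carol 192.0.2.99
""".strip().splitlines()


def apply_policy(events):
    """Apply the policy to each event and count denials per user and reason,
    the view a defender wants when a relayed login is blocked at the zone check."""
    decisions = []
    denials = Counter()
    for line in events:
        user, ip = line.split()
        decision, reason = evaluate(ip)
        decisions.append((user, ip, decision, reason))
        if decision == "deny":
            denials[(user, reason)] += 1
    return decisions, denials


if __name__ == "__main__":
    decisions, denials = apply_policy(SAMPLE_EVENTS)
    for row in decisions:
        print(*row)
    for (user, reason), count in sorted(denials.items()):
        print(f"denied {user}: {reason} x{count}")
```

Denying the anonymizer ranges before consulting the allowed zones means a kit that happens to sit behind an address inside a broadly defined zone still cannot authenticate through a listed proxy service, and the reason string makes the two kinds of denial distinguishable in the resulting log.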