Executive Summary
Okta has issued a warning about sophisticated vishing (voice-based social engineering) attacks targeting single sign-on (SSO) credentials. Threat actors are using custom phishing kits designed specifically for real-time voice call interactions to steal Okta SSO credentials and conduct data theft operations. These attacks are currently active and targeting companies in the Fintech, financial, and advisory sectors.
Key Takeaways
- Phishing kits are sold as a service and used by multiple hacking groups.
- Attacks are highly planned with reconnaissance on targeted employees.
- Modern push-based MFA, including number matching, can be bypassed through social engineering.
- Okta SSO acts as a gateway to multiple enterprise platforms (Microsoft 365, Google Workspace, Salesforce, Slack, etc.).
- Attacks are ongoing and actively targeting specific industry sectors.
Technical Details
Attack Methodology:
Initial Contact
- Attackers impersonate IT staff from the targeted company.
- Use spoofed corporate or helpdesk phone numbers.
- Offer to help employees set up passkeys for Okta SSO login.
Technical Execution
- Victims are directed to adversary-in-the-middle phishing sites that mimic legitimate login pages.
- Phishing kits operate as a service model with real-time manipulation capabilities.
- Credentials and TOTP codes are captured and relayed to attackers via Telegram channels.
- Attackers log in simultaneously while still on the phone with the victim.
- MFA challenges are bypassed by directing victims to enter codes or select specific numbers.
Post-Compromise Activity
- Attackers access the victim’s Okta SSO dashboard.
- Data exfiltration primarily targets Salesforce and other sensitive platforms.
- Immediate extortion demands are sent upon detection.
- Some attacks are attributed to the ShinyHunters extortion group.
Indicators of Compromise (IoCs)
- inclusivity-team.onrender.com (Socket.IO server for real-time credential relay)
Mitigation Options
Technical Controls
- Implement phishing-resistant MFA such as Okta FastPass, FIDO2 security keys, or passkeys.
- Monitor for unauthorized access attempts to Okta SSO dashboards.
- Implement anomalous login detection and alerting.
- Review and restrict access to sensitive platforms.
- Monitor for:
  - Domains containing the company name plus “internal” (e.g., [company]internal.com)
  - Domains containing a “my” prefix (e.g., my[company].com)
Organizational Measures
- Educate employees on vishing attack techniques and social engineering tactics.
- Establish verification procedures for IT support calls.
- Create official channels for IT support requests.
- Conduct regular security awareness training focused on voice-based attacks.
Detection and Response
- Monitor for suspicious login patterns and geographic anomalies.
- Implement session monitoring for unusual access to multiple platforms.
- Establish incident response procedures for suspected credential compromise.
- Review Okta access logs for unauthorized dashboard access.
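Two of the detections recommended above, the lookalike-domain patterns under Technical Controls and the simultaneous-login pattern described under Technical Execution and Detection and Response, as an added Python example that is not part of the Okta advisory. The company name, hostnames and sign-in records are constructed, and the event field layout is an assumption rather than Okta's System Log schema.

```python
"""Added example (not part of the Okta advisory): two detections it recommends,
over constructed data. lookalike_domains flags hostnames built as my<company>
or <company>internal; concurrent_logins flags one user signing in from two IPs
within a short window (an attacker signing in while the victim is on the phone).
EVENTS layout is an assumption, not Okta's System Log schema."""
from datetime import datetime, timedelta

COMPANY = "acmecorp"  # placeholder company name
HOSTNAMES = [  # constructed proxy/DNS hostnames: one legitimate, three lookalikes
    "sso.acmecorp.com",
    "acmecorpinternal.com",
    "login.myacmecorp.com",
    "myacmecorp-helpdesk.net",
]
EVENTS = [  # constructed sign-in events: (UTC timestamp, user, client IP, outcome)
    ("2025-09-10T14:02:10Z", "jdoe", "203.0.113.10", "SUCCESS"),
    ("2025-09-10T14:03:40Z", "jdoe", "198.51.100.77", "SUCCESS"),
    ("2025-09-10T14:05:00Z", "jdoe", "198.51.100.78", "FAILURE"),
    ("2025-09-10T09:00:00Z", "asmith", "203.0.113.20", "SUCCESS"),
    ("2025-09-10T17:30:00Z", "asmith", "198.51.100.5", "SUCCESS"),
]

def lookalike_domains(hostnames, company=COMPANY):
    """Hostnames with any dot-separated label starting with my<company> or
    <company>internal. A real my.<company>.com does not match: there 'my' and
    the company name are separate labels."""
    marks = (f"my{company}", f"{company}internal")
    return [h for h in hostnames
            if any(lab.startswith(marks) for lab in h.lower().split("."))]

def concurrent_logins(events, window=timedelta(minutes=10)):
    """(user, ip_a, ip_b) for each pair of successful sign-ins by the same user
    from different client IPs no more than `window` apart."""
    by_user = {}
    for ts, user, ip, outcome in events:
        if outcome == "SUCCESS":  # failed attempts do not prove a second session
            by_user.setdefault(user, []).append(
                (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip))
    hits = []
    for user, logins in by_user.items():
        logins.sort()  # chronological, so the inner loop can stop early
        for i, (t1, ip1) in enumerate(logins):
            for t2, ip2 in logins[i + 1:]:
                if t2 - t1 > window:
                    break
                if ip1 != ip2:
                    hits.append((user, ip1, ip2))
    return hits
```

Known-good hostnames such as a real my.[company].com portal should be allowlisted before alerting, and the window should be tuned to the normal re-authentication behaviour of your Okta tenant.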