The hackers who successfully breached Twilio and targeted Cloudflare have been going after dozens of companies across the software, finance, and telecommunications industries, according to security researchers.
The hackers used a phishing kit dubbed “Oktapus” to target over 130 organizations, most of which are based in the US, according to cybersecurity firm Group-IB. The company published a report on Thursday covering the tools used and revealing the possible identity of one of the hackers.
A phishing kit is a set of software tools that can create phishing messages and websites designed to trick unsuspecting users into typing in their login credentials. In this case, the Oktapus hackers have been sending out SMS messages to employees at various companies. These messages lead to seemingly legitimate, but ultimately fake, Okta login pages capable of recording passwords.
“From the victim’s point of view, the phishing site looks quite convincing as it is very similar to the authentication page they are used to seeing. Victims are prompted for their username and password, and once provided, a second page is shown asking for their 2FA (two-factor authentication) code,” Group-IB wrote in the report. The hackers will then quickly use the login credentials, including the 2FA code, to break into an employee’s corporate account.
Group-IB tracked down the Oktapus group’s activities by searching the internet for an image the hackers added to their phishing pages. This led the security firm to uncover the various companies the Oktapus phishing kit has been targeting. Group-IB also managed to download a copy of the hackers’ phishing kit, which the Oktapus group shared on a file-hosting service.
The security
Read more on pcmag.com