Twilio, Cloudflare just two of 135 orgs targeted by Oktapus phishing campaign
Criminals behind the cyberattack attempts on Twilio and Cloudflare earlier this month had cast a much wider net in their phishing expedition, targeting as many as 135 organizations - primarily IT, software development and cloud services providers based in the US. The gang went after the employees of Okta customers, sending victims text messages with malicious links to sites spoofing their company's authentication page to harvest their work login credentials and multi-factor authentication codes.
In research published Thursday, Group-IB's threat intel team revealed that the Oktapus phishing trip, which began in March, snaffled 9,931 user credentials and 5,441 multi-factor authentication codes.
Of course, the attackers tried and failed to hit Cloudflare, and successfully got into Twilio, which then allowed them to target the users of Twilio customer Signal and gain the phone numbers and registration codes for 1,900 users of the encrypted messaging service.
Group-IB's research includes a screenshot of some of the phishing sites that mimicked Okta authentication pages, and based on that, targeted companies include AT&T, Verizon, T-Mobile and email service Mailgun.
In total, the researchers found 169 unique domains involved in Oktapus, and they noted that the phishing kit used by the attackers included a legitimate image used by sites that require Okta authentication.
The phishing sites, which looked very similar to the organizations' real authentication pages, asked employees to enter their username and password, and then asked them for a 2FA code.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/08/25/twilio_cloudflare_oktapus_phishing/