A massive phishing effort targeted over 130 businesses, including Twilio and Signal
Over 130 companies, including Twilio, DoorDash, and Cloudflare, may have been infiltrated by hackers as part of a months-long phishing effort dubbed “0ktapus” by security experts. According to a study from cybersecurity firm Group-IB, attackers impersonating the popular single sign-on service Okta obtained login data for roughly 10,000 people.
According to Group-IB, the attackers exploited that access to pivot and attack accounts on other services. On August 15th, the encrypted messaging service Signal notified users that the attackers’ Twilio breach exposed as many as 1,900 Signal accounts, and confirmed that the attackers had been able to register additional devices to a handful of those accounts, allowing them to send and receive messages from those accounts. Twilio also updated its breach notice this week, indicating that 163 customers’ data had been accessed. It also said that 93 users of Authy, its multifactor authentication cloud service, had their accounts accessed and new devices registered.
The phishing campaign’s targets were sent text messages that pointed them to a phishing site. According to the Group-IB assessment, “from the victim’s perspective, the phishing site seems fairly convincing since it is quite similar to the login screen they are accustomed to seeing.” Victims were prompted to enter their username, password, and two-factor authentication code. This data was then forwarded to the attackers.
Surprisingly, Group-IB’s study indicates that the attackers were unskilled. “The phishing kit was improperly constructed, and the manner it was built allowed for the extraction of stolen credentials for additional study,” said Roberto Martinez, a senior threat intelligence analyst at Group-IB.
However, unskilled or not, the campaign is large, with Group-IB identifying 169 distinct domains targeted by the operation. The 0ktapus campaign is thought to have begun around March 2022, with some 9,931 login credentials stolen so far. The attackers have cast a broad net, targeting a variety of industries such as banking, gambling, and telecommunications. Microsoft, Twitter, AT&T, Verizon Wireless, Coinbase, Best Buy, T-Mobile, Riot Games, and Epic Games are among the domains listed by Group-IB as targets (but not verified breaches).
According to Group-IB, we won’t know the entire scope of this campaign for some time. To protect against such attacks, Group-IB recommends the usual precautions: always verify the URL of any site where you’re entering login information; treat URLs received from unknown sources with caution; and, for further security, use an “unphishable” two-factor security key, such as a YubiKey.
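To make concrete why the security key recommended above resists this kind of attack while a typed 2FA code does not, here is an added Python simulation (not from the article or from Group-IB) of the origin binding in FIDO2/WebAuthn: the browser only exercises a credential on the relying party’s own domain, and the server rejects any assertion whose signed client data names a different origin. The hostnames and keys are constructed placeholders, and HMAC stands in for the authenticator’s asymmetric signature.

```python
import hashlib
import hmac
import json
import os
from urllib.parse import urlsplit

# Constructed placeholders for the simulation; none of these come from the article.
RP_ID = "sso.example-corp.com"                      # hypothetical relying-party ID of the real login service
REAL_ORIGIN = "https://sso.example-corp.com"
LOOKALIKE_ORIGIN = "https://sso-example-corp.com"   # hypothetical look-alike host of the kind the report describes


def origin_allowed_for_rp(rp_id, origin):
    """Browser-side scoping: the credential may only be used when the page's host is the RP ID
    or a subdomain of it. A look-alike host never satisfies this, so no assertion is produced."""
    u = urlsplit(origin)
    host = u.hostname or ""
    return u.scheme == "https" and (host == rp_id or host.endswith("." + rp_id))


def sign_assertion(priv_key, rp_id, challenge, origin):
    """Authenticator side: the signature covers the rpIdHash and the clientData carrying the origin,
    so a 'code' obtained at one site cannot be presented as if it came from another."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin}, sort_keys=True
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()            # rpIdHash field
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(priv_key, signed, "sha256").digest()}


def browser_get_assertion(priv_key, rp_id, challenge, origin):
    """Returns None when the browser refuses the ceremony because the origin is out of scope."""
    if not origin_allowed_for_rp(rp_id, origin):
        return None
    return sign_assertion(priv_key, rp_id, challenge, origin)


def server_verify(key, challenge, assertion):
    """Relying-party side: check type, challenge, origin and rpIdHash, then the signature over them."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != REAL_ORIGIN:                             # origin binding is enforced here
        return False
    if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    return hmac.compare_digest(hmac.new(key, signed, "sha256").digest(), assertion["sig"])


def demo():
    key, challenge = os.urandom(32), os.urandom(32)
    legit = browser_get_assertion(key, RP_ID, challenge, REAL_ORIGIN)
    fake = browser_get_assertion(key, RP_ID, challenge, LOOKALIKE_ORIGIN)
    relayed = sign_assertion(key, RP_ID, challenge, LOOKALIKE_ORIGIN)  # non-browser client, wrong origin
    return {"legit_ok": server_verify(key, challenge, legit),
            "lookalike_refused": fake is None,
            "relayed_rejected": not server_verify(key, challenge, relayed)}
```

Contrast this with the six-digit code in the flow above: it carries no record of where it was typed, so the site that receives it can use it anywhere.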
According to Group-IB, this recent string of phishing attacks is one of the most impressive campaigns of this scale to date, with the report concluding that “Oktapus demonstrates how vulnerable modern organizations are to some basic social engineering attacks and how far-reaching the effects of such incidents can be for their partners and customers.”
The magnitude of these risks is unlikely to diminish any time soon. According to Zscaler research, phishing attempts climbed by 29 percent worldwide in 2021 compared to the previous year, with SMS phishing growing faster than other types of fraud as users learned to spot phoney emails. During the COVID-19 pandemic, socially engineered frauds and attacks were also on the rise, and earlier this year we learned that both Apple and Meta handed over data to hackers posing as law enforcement officers.