Cybercriminals are combining vishing attacks with phishing sites that can be altered in real time to social engineer victims and bypass multi-factor authentication (MFA) protection, Okta Threat Intelligence has warned.
The alert, issued on January 22, cautioned that these phishing kits are increasingly used in vishing campaigns, as cybercriminals attempt to gain access to corporate Google, Microsoft and Okta accounts, as well as user logins for a range of cryptocurrency services.
The phishing kits identified by Okta allow attackers to set up a customized phishing site designed to spoof the service provider whose login credentials they are attempting to steal. The site the victim is directed to can be adapted in real time in order to appear legitimate.
“This real-time session orchestration provides a new level of control and visibility to the social engineer,” warned the Okta blog post.
Typically, the campaigns begin with the threat actor performing extensive reconnaissance on the target, learning the names of users within the company, the applications and services they run and the phone numbers used in IT support calls.
Using this information, the attacker sets up a customized phishing page designed to look like the service being targeted, before making the vishing call, which spoofs the legitimate phone number of that company’s IT support services.
Attackers Pose as IT Support to Steal Credentials
Posing as IT support on the call, the attacker uses social engineering to convince the user to visit the phishing page. If the user enters their username and password, the credentials are sent to a Telegram channel used by the attackers.
The attackers then use the stolen credentials to attempt to log in to the legitimate sign-in page of the targeted service. It is at this point that the attackers assess the situation and adapt their campaign depending on which MFA or authentication solution the target is using.
The phishing kit allows them to quickly generate a fake version of the notification for the MFA tool the organization uses, one which the victim expects to see.
Still on the phone, the attackers then encourage the target to accept the MFA push notification. If the target does so, they unwittingly allow the attackers to bypass MFA protections and gain full control of the account.
“Using these kits, an attacker on the phone to a targeted user can control the authentication flow as that user interacts with credential phishing pages,” said Moussa Diallo, threat researcher at Okta Threat Intelligence.
“They can control what pages the target sees in their browser in perfect synchronization with the instructions they are providing on the call. The threat actor can use this synchronization to defeat any form of MFA that is not phishing resistant.”
To help prevent employees from falling victim to voice-based phishing attacks, organizations ought to encourage employees to be wary of unexpected phone calls, especially those that appear to come from within the organization and demand urgent action.
