Researchers at Okta warn that a series of phishing kits have emerged that are designed to help threat actors launch sophisticated voice phishing (vishing) attacks that can bypass multifactor authentication.
“The most critical of these features are client-side scripts that allow threat actors to control the authentication flow in the browser of a targeted user in real-time while they deliver verbal instructions or respond to verbal feedback from the targeted user,” Okta says.
“It’s this real-time session orchestration that delivers the plausibility required to convince the threat actor’s target to approve push notifications, submit one time passcodes (OTP) or take other actions the threat actor needs to bypass MFA controls.”
The phishing kits allow attackers to guide the victim through the attack flow, which proceeds as follows:
- “The threat actor performs reconnaissance on a target, learning the names of users, the apps they commonly use, and phone numbers used in IT support calls;
- The threat actor sets a customized phishing page live and calls targeted users, spoofing the phone number of the company or its support hotline;
- The threat actor convinces the targeted user to navigate in their browser to the phishing site under the pretext of an IT support or security requirement;
- The targeted user enters their username and password, which is automatically forwarded to the threat actor’s Telegram channel;
- The threat actor enters the username and password into the legitimate sign-in page of the targeted user and assesses what MFA challenges they are presented with;
- The threat actor updates the phishing site in real-time with pages that support their verbal ask for the user to enter an OTP, accept a push notification, or other MFA challenges.”
Moussa Diallo, threat researcher at Okta Threat Intelligence, stated, “Once you get into the driver’s seat of one of these tools, you can immediately see why we are observing higher volumes of voice-based social engineering.
“Using these kits, an attacker on the phone to a targeted user can control the authentication flow as that user interacts with credential phishing pages. They can control what pages the target sees in their browser in perfect synchronization with the instructions they are providing on the call. The threat actor can use this synchronization to defeat any form of MFA that is not phishing-resistant.”
Okta has the story.
