Over 130 organizations, including Twilio, DoorDash, and Cloudflare, have been potentially compromised by hackers as part of a months-long phishing campaign nicknamed “0ktapus” by security researchers. Login credentials belonging to nearly 10,000 individuals were stolen by attackers who imitated the popular single sign-on service Okta, according to a report from cybersecurity outfit Group-IB.
As Group-IB goes on to detail, the attackers used that access to pivot and attack accounts across other services. On August 15th, the secure messaging service Signal alerted users that the attackers’ Twilio breach allowed them to reveal as many as 1,900 Signal accounts and confirmed they were able to register new devices to the accounts of a few, which would allow the attackers to send and receive from that account. This week Twilio also updated its breach notification, noting that 163 customers had their data accessed. It also noted that 93 users of Authy, its cloud service for multifactor authentication, had their accounts accessed and additional devices registered.
Targets of the phishing campaign were sent text messages that redirected them to a phishing site. As the report from Group-IB states, “From the victim’s point of view, the phishing site looks quite convincing as it is very similar to the authentication page they are used to seeing.” Victims were asked for their username, password, and a two-factor authentication code. This information was then sent to the attackers.
Interestingly, Group-IB’s analysis suggests that the attackers were somewhat inexperienced. “The analysis of the phishing kit revealed that it was poorly configured and the way it had been developed provided an ability to extract stolen credentials for further analysis,” Roberto Martinez, a senior threat intelligence analyst at Group-IB, told TechCrunch.
But inexperienced or not, the scale of the attack is massive, with Group-IB detecting 169 unique domains targeted by the campaign. It’s believed that the 0ktapus campaign began around March 2022 and that so far, around 9,931 login credentials have been stolen. The attackers have spread their net wide, targeting multiple industries, including finance, gaming, and telecoms. Domains cited by Group-IB as targets (but not confirmed breaches) include Microsoft, Twitter, AT&T, Verizon Wireless, Coinbase, Best Buy, T-Mobile, Riot Games, and Epic Games.
Cash appears to be at least one of the motives for the attacks, with researchers stating, “Seeing financial companies in the compromised list gives us the idea that the attackers were also trying to steal money. Furthermore, some of the targeted companies provide access to crypto assets and markets, whereas others develop investment tools.”
Group-IB warns that we likely won’t know the full scale of this attack for some time. In order to guard against similar attacks like this, Group-IB offers the usual advice: always be sure to check the URL of any site where you’re entering login details; treat URLs received from unknown sources with suspicion; and for added protection, you can use an “unphishable” two-factor security keys, such as a YubiKey.
This recent string of phishing attacks is one of the most impressive campaigns of this scale to date, according to Group-IB, with the report concluding that “Oktapus shows how vulnerable modern organizations are to some basic social engineering attacks and how far-reaching the effects of such incidents can be for their partners and customers.”
The scale of these threats isn’t likely to decrease any time soon, either. Research from Zscaler shows that phishing attacks increased by 29 percent globally in 2021 compared to the previous year and notes that SMS phishing in particular is increasing faster than other kinds of scams as people have started to better recognize fraudulent emails. Socially engineered scams and hacks were also seen rising during the COVID-19 pandemic, and earlier this year, we even saw that both Apple and Meta shared data with hackers pretending to be law enforcement officials.
Correction August 26th, 2:26PM ET: An earlier version of this story included Signal as one of the companies compromised by the attacks. It was not one of the victims with security breached by the attackers. The attackers breached Twilio, which handles text messaging for phone number verifications, and were able to use that access to register new devices to the accounts of Signal users, without having any access to Signal directly. We regret the error.