A phishing campaign nicknamed 'Oktapus' by security researchers hit more than 130 organizations, including Twilio, DoorDash, and Cloudflare. Nearly 10,000 sets of login credentials were stolen by attackers impersonating the single sign-on service Okta.
According to a report by the cybersecurity firm Group-IB, the attackers used the stolen credentials to break into further accounts belonging to their victims. Signal warned its users of the attack on August 15, saying that 1,900 accounts had been breached, while 163 Twilio customers had their data accessed.
The targets received text messages that sent them to the phishing site, which looked "quite convincing as it is very similar to the authentication page they are used to seeing". The site asked users for their username, password, and two-factor authentication code and forwarded all three to the attackers; because the one-time code is captured and relayed while it is still valid, an OTP-based second factor offers no protection once the victim types it into the fake page.
According to Group-IB's Roberto Martinez, the analysis suggested that the attackers were amateur and inexperienced, as the phishing setup had been "poorly configured and the way it had been developed provided an ability to extract stolen credentials for further analysis".
Even so, the campaign targeted 169 unique domains and stole 9,931 login credentials between March 2022 and the time of the report. The victims also included large companies such as Microsoft, T-Mobile, Verizon, and Coinbase.
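The lure in this campaign was a text message carrying a link to a page that imitates the organization's Okta login. A simple first-line check is to scan inbound SMS bodies for links whose host borrows the brand or tenant name but is not the organization's real SSO host. The script below is an added example and is not code from the original article or from Group-IB; the legitimate host `example.okta.com`, the lure tokens, and the sample messages are all constructed assumptions, to be replaced with your own tenant name.

```python
import re
from urllib.parse import urlsplit

# Assumption: the organisation's genuine SSO host (hypothetical tenant).
LEGIT_SSO_HOSTS = {"example.okta.com"}

# Assumption: brand/tenant tokens a lookalike domain is likely to borrow.
LURE_TOKENS = ("okta", "sso", "example")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample SMS bodies; messages 0 and 2 carry lookalike links,
# message 1 points at the genuine tenant, message 3 has no link at all.
SAMPLE_SMS = [
    "IT: your schedule has changed. Sign in to confirm: https://example-sso.com/login",
    "Reminder: VPN policy update, acknowledge at https://example.okta.com/app/vpn",
    "Your password expires today. Reset now: https://okta-example-help.net/reset",
    "Lunch at 12?",
]


def extract_urls(text):
    """Return every http(s) URL found in an SMS body."""
    return URL_RE.findall(text)


def registrable_host(url):
    """Lower-cased host name with any trailing dot removed (port is dropped by urlsplit)."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_lookalike(host):
    """True if the host borrows a lure token but is neither the real SSO host
    nor a subdomain of it. A host such as example.okta.com.evil.net is still
    flagged because the suffix check is anchored on the real host."""
    if host in LEGIT_SSO_HOSTS:
        return False
    if any(host.endswith("." + legit) for legit in LEGIT_SSO_HOSTS):
        return False
    return any(tok in host for tok in LURE_TOKENS)


def classify_messages(messages):
    """Map message index -> sorted list of lookalike hosts it links to.
    Messages with no suspicious link are omitted from the result."""
    findings = {}
    for i, body in enumerate(messages):
        hosts = {registrable_host(u) for u in extract_urls(body)}
        hits = sorted(h for h in hosts if is_lookalike(h))
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for idx, hosts in classify_messages(SAMPLE_SMS).items():
        print(f"message {idx}: lookalike SSO link(s) -> {', '.join(hosts)}")
```

The token match is deliberately broad: in a campaign like this the attacker wants the host to read as the victim's own login, so false positives from unrelated domains that happen to contain the tenant name are cheap compared with a missed lure. The check is only a filter on the link, not a substitute for phishing-resistant authentication, since the page itself will still collect whatever the victim types.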
Researchers said that "seeing financial companies in the compromised list gives us the idea that the attackers were also trying to steal money. Furthermore, some of the targeted companies provide access to crypto assets and markets, whereas others develop investment tools.”