Phishing by phone that evades MFA and attacks SSO: the new corporate attack vector

Published. 5 min read.

Companies that rely on single sign-on (SSO) services such as Okta have just received a warning that shows once again how creative and dangerous attackers become when they combine social engineering with technical tooling. Okta researchers have identified phishing kits built specifically for phone-based attacks (vishing) that operate as real-time adversary-in-the-middle (AitM) platforms and are sold as a service. These kits are not static pages: they let the caller interact with, and modify, what the victim sees while the call is in progress, which makes it easier to steal credentials and to evade several defence mechanisms.

According to the report Okta published, these kits include a control panel from which the attacker steers the authentication flow, updates the dialogs displayed on the page and synchronises the victim's screen with the requests the legitimate service issues during a login. When the victim types a username and password into the fraudulent page, the credentials are sent to the attacker, who immediately attempts a real login. If an additional authentication challenge appears (a push notification or a TOTP code, say), the attacker changes the interface the victim sees to match the legitimate request and, still on the phone, persuades the victim to approve the prompt or enter the code they have just received.


The attackers plan ahead: they perform reconnaissance to learn which applications a target uses and which phone numbers are associated with the company's support desk, create custom phishing pages that mimic internal domains (for example, variants that place "internal" or "my" next to the company name) and call from spoofed numbers that appear to belong to the help desk. In many of the documented incidents the data flowing between the phishing page and the attacker's backend is relayed in real time over technologies such as Socket.IO and messaging channels such as Telegram, so the victim's session can be acted on immediately.

This approach makes SSO a particularly attractive target: a single login grants access to a whole list of corporate applications (mail, cloud storage, CRM, collaboration tools and more), so compromising one account can open the door to a large volume of valuable information. Okta and the media outlets that covered the case describe how, once inside the Okta dashboard, attackers review which applications are assigned to the compromised account and extract data from those that hold sensitive information, with Salesforce cited among the most exploited platforms, and then extort the victim or sell the information.

One of the most worrying capabilities of these kits is that they defeat modern MFA mechanisms based on push notifications and number matching. By telling the victim exactly which number or action to select in the notification, while simultaneously showing an identical dialog on the page, the attacker makes the approval look legitimate. The same applies to TOTP codes: if the caller asks for the code and the victim enters it into the counterfeit page, the value reaches the attacker and is used instantly to complete the authentication. The common thread is that none of these factors is bound to the site the victim is actually looking at; they are values or approvals that can simply be relayed.

Okta recommends that its customers migrate to phishing-resistant authentication methods such as FIDO2 security keys, passkeys or its own Okta FastPass, which drastically reduce the effectiveness of these attacks because they do not depend on codes or approvals that an intermediary can relay: the credential is bound to the origin of the legitimate site, so an assertion produced on the phishing page is rejected by the real service. You can read Okta's technical advisory and recommendations in its post on how these kits adapt to the caller's script: Okta: Phishing kits adapt to the script of callers. Okta also maintains practical guidance for identifying and mitigating social engineering campaigns aimed at help desks: Help desks targeted in social engineering.
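To make the difference concrete, here is a small simulation of the relay described above. It is an added example written for this article, not Okta's code and not code from the kits themselves: the identity provider, the attacker's panel and the victim are toy objects, the origin names are assumed, and a WebAuthn assertion is modelled as an HMAC over (challenge, origin) in place of a real key-pair signature. The property that decides the outcome is the same as in the real protocol: the browser, not the person, supplies the origin that gets signed, so the IdP can tell that the assertion was produced on the phishing page.

```python
"""Simulated real-time relay of a second factor through an AitM phishing page.

Added example for this article; it is not Okta's code nor the kits' code.
The identity provider (IdP), the attacker's panel and the victim are toy
objects constructed here and nothing touches a network. LEGIT_ORIGIN and
PHISH_ORIGIN are assumed names. A WebAuthn assertion is modelled as an HMAC
over (challenge, origin) in place of a real key-pair signature; what matters,
that the signed data includes the origin the browser visited, is the same.
"""
import hashlib
import hmac
import secrets
import struct
import time

LEGIT_ORIGIN = "https://login.example.com"        # assumed corporate IdP
PHISH_ORIGIN = "https://my-example-internal.com"  # constructed lookalike
STEP = 30                                         # TOTP time step in seconds


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now=None):
    """RFC 6238 TOTP for the current 30-second step."""
    return hotp(secret, int((time.time() if now is None else now) // STEP))


class IdP:
    """Toy identity provider. The password check is omitted: the relay
    already holds the real password, the second factor is what matters."""

    def __init__(self, factor, totp_secret, device_key):
        self.factor = factor            # "totp", "push-number" or "webauthn"
        self.totp_secret = totp_secret
        self.device_key = device_key    # stands in for the registered public key
        self.pending = {}

    def start(self, user):
        """Issue a challenge; number-matching push also carries a number."""
        challenge = secrets.token_hex(16)
        number = secrets.randbelow(100) if self.factor == "push-number" else None
        self.pending[challenge] = number
        return challenge, number

    def finish(self, challenge, response):
        number = self.pending.pop(challenge)
        if self.factor == "totp":
            now = time.time()   # accept the current and the previous step
            return response in (totp(self.totp_secret, now), totp(self.totp_secret, now - STEP))
        if self.factor == "push-number":
            return response == number
        # webauthn: recompute the assertion with the origin the IdP expects
        expected = hmac.new(self.device_key, challenge.encode() + LEGIT_ORIGIN.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


class Victim:
    """The person on the phone, with an authenticator app and a security key."""

    def __init__(self, totp_secret, device_key):
        self.totp_secret = totp_secret
        self.device_key = device_key

    def answer(self, factor, number_on_page, page_origin, challenge):
        if factor == "totp":          # reads the code off the app, types it where asked
            return totp(self.totp_secret)
        if factor == "push-number":   # enters the number shown on the page into the push prompt
            return number_on_page
        # webauthn: the browser, not the victim, supplies the origin of the page
        return hmac.new(self.device_key, challenge.encode() + page_origin.encode(),
                        hashlib.sha256).digest()


def login(idp, victim, page_origin):
    """One login. The attacker's panel relays the IdP's prompt (including the
    number-match digit) onto the page at page_origin and forwards the reply."""
    challenge, number = idp.start("alice")
    return idp.finish(challenge, victim.answer(idp.factor, number, page_origin, challenge))


def outcomes():
    """(direct login succeeds, relayed login succeeds) per factor type."""
    results = {}
    for factor in ("totp", "push-number", "webauthn"):
        totp_secret, device_key = secrets.token_bytes(20), secrets.token_bytes(32)
        idp, victim = IdP(factor, totp_secret, device_key), Victim(totp_secret, device_key)
        results[factor] = (login(idp, victim, LEGIT_ORIGIN), login(idp, victim, PHISH_ORIGIN))
    return results


if __name__ == "__main__":
    for factor, (direct, relayed) in outcomes().items():
        print(f"{factor:12} direct={direct}  relayed through phishing page={relayed}")
```

Running the script shows TOTP and number-matching push both succeeding through the phishing page, while the origin-bound factor succeeds only on the legitimate origin. The kit can repaint the page and coach the victim through the phone, but it cannot change what the victim's browser reports as the origin.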

The specialised press has investigated and documented specific cases in which these kits were used against companies in the financial and property-management sectors, and how the criminals combined initial access with subsequent extortion. A good journalistic summary can be found in BleepingComputer's coverage: BleepingComputer: Okta warns of vishing phishing kits.

What can organisations and individuals do to reduce the risk? The answer spans several fronts, from technology to security processes and culture. Limiting credential exposure and applying the principle of least privilege to application access reduces the impact of a compromise. Implementing and prioritising authentication factors that cannot be relayed by an intermediary (hardware keys and FIDO-based credentials are the example) offers an effective defence against these real-time kits. In addition, adopting controls that detect unusual behaviour at sign-in, inspecting and blocking known phishing domains and strengthening verification procedures for calls that reach technical support all help to cut off the phone-based social engineering vector.
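Two of those controls, flagging lookalike internal-portal domains and spotting a relayed MFA approval followed by the app enumeration described earlier, can be prototyped in a few lines. The following is an added example written for this article, not Okta's code: the log lines, field names, ASNs and user names are constructed, and the event schema is a simplified stand-in for an IdP system log, not the real Okta System Log format.

```python
"""Two detections for the campaign described above, written for this article
(not Okta's code). The log lines, field names, ASNs and user names are
constructed for the example and are a simplified stand-in for what an IdP
system log provides, not the real Okta System Log schema.

suspicious_hosts(): observed hostnames that stitch the company name to
"internal", "my", "sso", "login" or "okta" outside the company's own domain.
flag_sessions(): an MFA success with a relayable factor (push, TOTP, SMS)
from an ASN the user has never used, followed within a short window by a
burst of app launches from the same IP, which is what post-compromise app
enumeration from an SSO dashboard looks like.
"""
import json
import re
from datetime import datetime, timedelta

COMPANY = "example"                   # assumed company name
RELAYABLE = {"push", "totp", "sms"}   # factors an AitM kit can forward

# Constructed baseline: ASNs each user has signed in from before.
KNOWN_ASNS = {"alice@example.com": {64496}, "bob@example.com": {64496},
              "carol@example.com": {64496}}

# Constructed hostnames, e.g. from DNS or proxy logs.
SAMPLE_HOSTS = ["login.example.com", "my-example-internal.com", "sso-example.net",
                "example.com", "exampledocs.io"]

# Constructed sign-in events (simplified schema).
SAMPLE_LOG = """\
{"ts": "2024-01-15T09:00:05Z", "user": "alice@example.com", "event": "user.authentication.auth_via_mfa", "result": "SUCCESS", "ip": "203.0.113.10", "asn": 64496, "factor": "webauthn"}
{"ts": "2024-01-15T09:00:30Z", "user": "alice@example.com", "event": "user.authentication.sso", "result": "SUCCESS", "ip": "203.0.113.10", "asn": 64496, "app": "Slack"}
{"ts": "2024-01-15T10:12:01Z", "user": "bob@example.com", "event": "user.authentication.auth_via_mfa", "result": "SUCCESS", "ip": "198.51.100.23", "asn": 64500, "factor": "push"}
{"ts": "2024-01-15T10:13:10Z", "user": "bob@example.com", "event": "user.authentication.sso", "result": "SUCCESS", "ip": "198.51.100.23", "asn": 64500, "app": "Salesforce"}
{"ts": "2024-01-15T10:13:40Z", "user": "bob@example.com", "event": "user.authentication.sso", "result": "SUCCESS", "ip": "198.51.100.23", "asn": 64500, "app": "Workday"}
{"ts": "2024-01-15T10:14:05Z", "user": "bob@example.com", "event": "user.authentication.sso", "result": "SUCCESS", "ip": "198.51.100.23", "asn": 64500, "app": "Jira"}
{"ts": "2024-01-15T10:15:20Z", "user": "bob@example.com", "event": "user.authentication.sso", "result": "SUCCESS", "ip": "198.51.100.23", "asn": 64500, "app": "Slack"}
{"ts": "2024-01-15T11:40:00Z", "user": "carol@example.com", "event": "user.authentication.auth_via_mfa", "result": "SUCCESS", "ip": "192.0.2.77", "asn": 64501, "factor": "totp"}
{"ts": "2024-01-15T11:41:00Z", "user": "carol@example.com", "event": "user.authentication.sso", "result": "SUCCESS", "ip": "192.0.2.77", "asn": 64501, "app": "Slack"}
"""


def portal_pattern(company):
    """Company name glued to a portal-sounding word, in either order."""
    words = r"(?:internal|my|sso|login|okta)"
    c = re.escape(company)
    return re.compile(rf"(?:^|[.-]){words}[.-]?{c}|{c}[.-]?{words}(?:[.-]|$)")


def suspicious_hosts(hosts, company=COMPANY):
    """Hostnames that impersonate an internal portal, excluding the real domain."""
    pattern, own = portal_pattern(company), "." + company + ".com"
    return sorted(h for h in hosts
                  if pattern.search(h.lower()) and not h.lower().endswith(own))


def parse_events(log_text):
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def flag_sessions(log_text, known_asns, window=timedelta(minutes=10), min_apps=3):
    """One finding per MFA success that trips both signals."""
    events = parse_events(log_text)
    findings = []
    for m in events:
        if m["event"] != "user.authentication.auth_via_mfa" or m["result"] != "SUCCESS":
            continue
        if m.get("factor") not in RELAYABLE or m["asn"] in known_asns.get(m["user"], set()):
            continue   # phishing-resistant factor, or a network the user normally uses
        apps = {e["app"] for e in events
                if e["event"] == "user.authentication.sso" and e["result"] == "SUCCESS"
                and e["user"] == m["user"] and e["ip"] == m["ip"]
                and m["ts"] <= e["ts"] <= m["ts"] + window}
        if len(apps) >= min_apps:   # one app from a new network is a traveller, not a breach
            findings.append({"user": m["user"], "ip": m["ip"], "asn": m["asn"],
                             "factor": m["factor"], "apps": sorted(apps)})
    return findings


if __name__ == "__main__":
    print("lookalike hosts:", suspicious_hosts(SAMPLE_HOSTS))
    for f in flag_sessions(SAMPLE_LOG, KNOWN_ASNS):
        print("suspicious session:", f)
```

In the constructed data only bob's session is flagged: a push approval from an unseen ASN followed by four different apps in three minutes. alice used an origin-bound factor and carol opened a single app from a new network, so neither produces a finding. In production the ASN baseline would come from the user's sign-in history and the thresholds would be tuned to the organisation's normal behaviour.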


Ongoing staff training is also key: teach people to verify the authenticity of support calls, not to enter credentials on pages reached through unverified links and to use trusted channels to confirm sensitive interactions. National cyber-security centres publish practical guides on how to recognise and respond to phishing and vishing, for example the UK National Cyber Security Centre: NCSC: Phishing guidance, and organisations such as the FIDO Alliance explain why public-key credentials make attackers' lives difficult: FIDO Alliance.

These incidents teach two clear lessons: first, attackers keep refining the mix of social engineering and automation to build highly effective attacks; second, security that relies only on passwords and on factors that can be relayed will always leave a door open. A planned migration to phishing-resistant authentication, proactive detection combined with human verification practices, and a smaller attack surface through strict permission policies are steps that organisations handling sensitive data can no longer postpone.

If you want to dig deeper into the original research and technical recommendations, read Okta's analysis and the media coverage linked above; both offer context and concrete steps to start hardening defences against this type of campaign.
