Cybercrime group claims credit for voice phishing attacks

The cybercrime group ShinyHunters is claiming credit for at least five attacks related to a voice phishing campaign that security researchers at Okta previously disclosed.

Okta warned Thursday that a social engineering campaign using custom phishing kits was targeting Google, Microsoft and Okta environments using voice phishing techniques. 

The phishing kits were capable of intercepting user credentials and persuading targeted users to skip multifactor authentication.

Security researcher Alon Gal confirmed with Cybersecurity Dive that he was contacted by ShinyHunters last week with claims they had extorted at least three companies in connection with the voice phishing campaign. The claim involved three specific companies; however, Cybersecurity Dive is still working to confirm those claims with the companies.

The initial contact was made after a story was posted on Bleeping Computer about the Okta disclosures. That report said Okta single sign-on accounts were targeted in the attacks.

On Monday, Gal said the claim now includes five companies. 

Researchers from Sophos told Cybersecurity Dive they are tracking a cluster of about 150 domains created in December and used in voice phishing campaigns leading to data theft and extortion demands. 

“We can’t confirm that they have all been used, but the threat actors are creating target-specific domains, themed to reflect single sign-on services and impersonating authentication providers like Okta,” Rafe Pilling, director of threat intelligence at Sophos’s Counter Threat Unit, told Cybersecurity Dive. 

Researchers at Google Threat Intelligence Group confirmed they are tracking the threat activity. They were unable to share details. A post by one of the researchers initially referenced the activity, but was later deleted. 

A Google spokesperson said neither Google nor any of its products were affected by the social engineering campaign. 

A representative for Okta said the company did not have any specific information on any investigation by Google researchers. The representative said if Google was looking into these attacks it would be at the request of a compromised organization, not from Okta. 

“Okta Threat Intelligence routinely shares threat research to help companies protect against evolving social engineering techniques,” the representative told Cybersecurity Dive in a statement. “While Okta’s platform and services remain secure, Okta is calling attention to these evolving techniques to help raise awareness and support stronger defenses for customers.”

A spokesperson for Microsoft said the company had nothing to share at the moment, but would provide future updates, if warranted.


