Threat actors who specialize in vishing (i.e., voice phishing) have started using phishing kits that can intercept targets’ login credentials while also allowing attackers to control the authentication flow in a targeted user’s browser in real-time.
At least two custom-made phishing kits are currently used by a number of threat actors that go after credentials and authentication factors to gain access to corporate systems and assets.
“These custom kits are made available on an as-a-service basis and are increasingly used by a growing number of intrusion actors targeting Google, Microsoft, Okta and a range of cryptocurrency providers,” Okta’s threat researchers have warned.
“They can be adapted on the fly by callers to control what pages are presented in the user’s browser, in order to sync with the caller’s script and whatever legitimate [multi-factor authentication] challenges the caller is presented with as they attempt to sign in.”
The C2 panel of a custom phishing kit that can control the authentication flow on phishing pages (Source: Okta Threat Intelligence)
More effective vishing attacks
An attack powered by these phishing kits often doesn’t raise the target’s suspicion.
From the attackers’ perspective, it usually unfolds like this:
1) The attacker researches the target: finds out their name, the apps they use, and the phone number they are instructed to contact when they need IT support
2) The attacker creates a custom phishing page, spoofs that phone number to impersonate the IT help desk, and calls the target
3) The attacker convinces the target to visit the phishing page under the pretext of a security requirement (e.g., setting up a passkey, verifying the security of their account, etc.)
4) The target enters their username and password, which get forwarded to the attacker via Telegram
5) The attacker enters them in the legitimate sign-in page and is asked to enter the second authentication factor to complete the sign-in process
6) After verbally priming the target to expect it, the attacker updates the phishing site in real-time to show the same MFA challenge, thus “lending plausibility to what would ordinarily be a suspicious request for the user to accept a challenge [they] didn’t initiate”
7) The attacker collects and uses the entered authentication factor in the legitimate sign-in page while showing the targeted user a notification intended to reassure them (e.g., “Security check successful.”)
“It’s worth noting that these hybrid phishing operations are also capable of bypassing push notifications that use number challenge/number matching as an additional method of verification,” Okta’s researchers pointed out.
“A social engineer interacting on the phone with a targeted user can simply request a user to choose or enter a specific number.”
Vishing-enabled phishing kits expected to become the norm
Phishing kits with adversary-in-the-middle (AitM) capability have been popular for years, and this vishing-focused evolution is expected to become standard for phishing kits quickly.
“Where threat actors could once pay for access to a kit with basic features that targeted all popular Identity Providers (Google, Microsoft Entra, Okta, etc.) and cryptocurrency platforms, a new generation of fraudsters are attempting to sell access to bespoke panels for each targeted service,” the company noted.
Because attackers can control the pages shown to targets and synchronize them with spoken instructions, they are improving their success rate and defeating every MFA method that is not phishing-resistant: SMS or voice one-time passwords, push-based MFA, and app-based time-based one-time passwords.
Phishing-resistant MFA options like FIDO2 / WebAuthn security keys, passkeys, smart cards/PIV, or certificate-based authentication offer the strongest protection.
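The reason the methods listed above resist this kind of relay is that a WebAuthn assertion carries the origin the browser actually served the page from, and the authenticator's signature covers that data. The following is an added illustration, not code from the article or from Okta: a minimal model of the relying-party checks, with constructed domains (`login.example.com` and a look-alike phishing domain) and an HMAC stand-in for the authenticator's private-key signature so it runs on the standard library alone. The model also lets the authenticator sign for any rpId so that the server-side checks are exercised; a real authenticator would find no credential scoped to the phishing domain and refuse even earlier.

```python
import hashlib
import hmac
import json
import secrets

# Constructed values for the walkthrough (not taken from the report).
RP_ID = "login.example.com"                  # relying party identifier
EXPECTED_ORIGIN = "https://login.example.com"
PHISHING_ORIGIN = "https://login-example-support.com"  # attacker-controlled page

# Stand-in for the authenticator's private key. A real authenticator signs with
# an asymmetric key (e.g. ECDSA P-256); HMAC is used only so the example runs
# offline while keeping the property that matters: the signature covers the bytes
# the server later inspects.
AUTHENTICATOR_KEY = b"constructed-authenticator-key"


def rp_new_challenge() -> bytes:
    """Relying party: issue a fresh random challenge for this login attempt."""
    return secrets.token_bytes(32)


def browser_and_authenticator_sign(challenge: bytes, origin: str) -> dict:
    """Client side: the browser records the origin it served the page from (page
    script cannot change it); the authenticator signs
    authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": challenge.hex(),
        "origin": origin,
    }).encode()
    # authenticatorData starts with SHA-256(rpId), the rpId being derived by the
    # browser from the origin, followed by flags (UP|UV) and a sign counter.
    rp_id = origin.removeprefix("https://")
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def rp_verify(assertion: dict, challenge: bytes) -> tuple[bool, str]:
    """Relying party: the checks that make the ceremony phishing-resistant."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != challenge.hex():
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "signature does not cover presented data"
    return True, "ok"


def scenario_legitimate() -> tuple[bool, str]:
    """User signs in on the real site: every check passes."""
    ch = rp_new_challenge()
    return rp_verify(browser_and_authenticator_sign(ch, EXPECTED_ORIGIN), ch)


def scenario_relayed_through_phishing_page() -> tuple[bool, str]:
    """Relay attack: the real challenge is forwarded to the victim's browser on the
    phishing domain and the resulting assertion is passed on unchanged. The browser
    wrote the phishing origin into clientDataJSON, so the origin check fails."""
    ch = rp_new_challenge()
    return rp_verify(browser_and_authenticator_sign(ch, PHISHING_ORIGIN), ch)


def scenario_relay_rewrites_fields() -> tuple[bool, str]:
    """Relay that edits the origin and rpIdHash to look legitimate: the signature
    was computed over the original bytes, so the signature check fails instead."""
    ch = rp_new_challenge()
    a = browser_and_authenticator_sign(ch, PHISHING_ORIGIN)
    cd = json.loads(a["clientDataJSON"])
    cd["origin"] = EXPECTED_ORIGIN
    a["clientDataJSON"] = json.dumps(cd).encode()
    a["authenticatorData"] = hashlib.sha256(RP_ID.encode()).digest() + a["authenticatorData"][32:]
    return rp_verify(a, ch)


if __name__ == "__main__":
    for name, fn in [("legitimate", scenario_legitimate),
                     ("relayed", scenario_relayed_through_phishing_page),
                     ("relayed+rewritten", scenario_relay_rewrites_fields)]:
        print(f"{name:18s} -> {fn()}")
```

Contrast this with a one-time code or a push approval: nothing in those factors names the site the user is looking at, which is exactly the gap the kits described above exploit by mirroring the legitimate challenge on the phishing page. The server-side check in `rp_verify` is the point to audit in a real deployment: a relying party that accepts any origin, or skips the rpIdHash comparison, gives away the resistance that the authenticator provides.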
“Social engineering actors can also be frustrated by setting network zones or tenant access control lists that deny access via the anonymizing services favoured by threat actors,” Okta advised.