Overview
- Okta reports that custom vishing kits sold as a service are in active use by multiple intrusion actors targeting Google, Microsoft, Okta, and cryptocurrency platforms.
- These adversary-in-the-middle platforms let attackers control phishing pages in real time to mirror authentication flows and defeat push or number-matching MFA challenges.
- Attackers spoof IT support numbers, direct employees to company-branded phishing sites, and forward captured credentials and TOTP codes to their backends, commonly via Telegram.
- Once inside an employee’s SSO account, intruders pivot to integrated apps such as Salesforce to steal data and then issue extortion demands, some of them reportedly signed by ShinyHunters.
- Okta urges adoption of phishing-resistant MFA such as FIDO2 security keys, passkeys, or Okta FastPass, along with stronger user training and access restrictions like network zones.