Group-IB researchers describe the 0ktapus phishing campaign, which targets Okta identity credentials by luring users to credential-harvesting pages hosted on a large set of look-alike domains. The article catalogs hundreds of IP addresses and domains that make up the campaign's infrastructure. #0ktapus #Okta #phishing #credentials #SSO
Keypoints
- The 0ktapus phishing operation targets Okta identity credentials through credential-phishing pages.
- The campaign relies on an extensive network of look-alike domains and subdomains to host its pages (e.g., box-okta.org, okta-sso.net, twilio-sso.com, mailchimp-okta.com).
- The phishing pages are hosted on numerous IP addresses that make up the campaign's infrastructure (e.g., 45.76.80.199; 66.42.107.233).
- Impersonation spans multiple brands and services (Teleperformance, Transcom, Sykes, Box, KuCoin, Twilio, etc.).
- The report catalogs a long list of spoofed (look-alike) domains used to steal Okta credentials.
- Source attribution is Group-IB’s analysis on the 0ktapus phishing campaign.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – Victims are directed to phishing pages that collect their Okta credentials; the report describes ‘the phishing campaign going after okta identity credentials.’
- [T1078] Valid Accounts – The stolen Okta credentials give the attacker legitimate access to the Okta-protected (SSO) applications behind the compromised identity.
Indicators of Compromise
- [IP Address] Phishing infrastructure – 45.76.80.199, 66.42.107.233
- [Domain] Phishing domains used for credential harvesting – box-okta.org, twilio-sso.com
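The indicators above are a small sample, and the campaign's naming pattern (a brand token joined to "okta" or "sso") is more useful for detection than any fixed list. The following is an added example, not Group-IB's tooling or code from the report: it matches proxy or DNS log lines against the IOCs listed on this page and additionally flags hosts that follow the look-alike pattern. The allowlist of legitimate Okta domains, the log format and the log lines (including the `kucoin-sso.net` line) are constructed assumptions for the example.

```python
"""Flag 0ktapus-style Okta look-alike infrastructure in proxy/DNS logs.

Added example for this page, not Group-IB's tooling. IOC values come from the
page above; the legitimate-Okta allowlist, the log format and the sample log
lines are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Indicators listed on this page (from Group-IB's 0ktapus write-up).
IOC_IPS = {"45.76.80.199", "66.42.107.233"}
IOC_DOMAINS = {"box-okta.org", "okta-sso.net", "twilio-sso.com", "mailchimp-okta.com"}

# ASSUMPTION: domains Okta itself serves tenants from. Add your org's custom Okta domain here.
LEGIT_OKTA_SUFFIXES = ("okta.com", "oktapreview.com", "okta-emea.com")

# Brands the page says the campaign impersonates, and the identity keywords it pairs them with.
BRAND_TOKENS = ("box", "twilio", "mailchimp", "kucoin", "teleperformance", "transcom", "sykes")
IDENTITY_TOKENS = ("okta", "sso")


@dataclass
class Verdict:
    host: str
    ip: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: last two labels. Fine for .com/.net/.org; not PSL-aware (e.g. co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_legit_okta(host: str) -> bool:
    """True when the host is the Okta domain itself or a subdomain of it (e.g. a tenant)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_OKTA_SUFFIXES)


def lookalike_reasons(host: str) -> list:
    """Heuristics for the 0ktapus naming pattern seen in the IOC list:
    'okta' in a registrable domain Okta does not own, or a brand token hyphen-joined to okta/sso."""
    if is_legit_okta(host):
        return []
    name = registrable_domain(host).split(".")[0]  # "box-okta" from "login.box-okta.org"
    reasons = []
    if "okta" in name:
        reasons.append("'okta' outside legitimate Okta domains: " + name)
    parts = name.split("-")
    if any(p in IDENTITY_TOKENS for p in parts) and any(p in BRAND_TOKENS for p in parts):
        reasons.append("brand token paired with identity keyword: " + name)
    return reasons


def classify(host: str, ip: str) -> Verdict:
    """Combine exact IOC matching (domain and IP) with the look-alike heuristics."""
    v = Verdict(host=host.lower(), ip=ip)
    reg = registrable_domain(host)
    if reg in IOC_DOMAINS:
        v.reasons.append("IOC domain match: " + reg)
    try:
        if str(ipaddress.ip_address(ip)) in IOC_IPS:
            v.reasons.append("IOC IP match: " + ip)
    except ValueError:
        v.reasons.append("unparseable destination IP: " + ip)
    v.reasons.extend(lookalike_reasons(host))
    return v


# Constructed proxy log, assumed format: "<timestamp> <client> <dst_host> <dst_ip>".
# Non-IOC addresses use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2022-08-25T10:01:02Z 10.0.0.12 example-corp.okta.com 203.0.113.10
2022-08-25T10:01:09Z 10.0.0.12 box-okta.org 45.76.80.199
2022-08-25T10:02:31Z 10.0.0.47 login.twilio-sso.com 66.42.107.233
2022-08-25T10:03:00Z 10.0.0.47 kucoin-sso.net 198.51.100.7
2022-08-25T10:03:15Z 10.0.0.51 www.example.com 198.51.100.20
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def scan_proxy_log(text: str) -> list:
    """Return a Verdict for every log line that matched an IOC or a look-alike heuristic."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the scan
        _ts, _client, host, ip = m.groups()
        v = classify(host, ip)
        if v.suspicious:
            hits.append(v)
    return hits


if __name__ == "__main__":
    for v in scan_proxy_log(SAMPLE_LOG):
        print(f"{v.host} ({v.ip}) -> " + "; ".join(v.reasons))
```

The heuristic deliberately works on the registrable domain, so a real tenant such as `example-corp.okta.com` or a brand's own `sso.box.com` is not flagged, while `kucoin-sso.net` (a constructed host that is not in the page's IOC list) is caught by the naming pattern alone. Two caveats: the two-label eTLD+1 is wrong for suffixes like `co.uk`, so swap in a Public Suffix List library for production, and the allowlist must include any custom Okta domain your organisation has configured, or your own login page will show up as a hit.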
Read more: https://blog.group-ib.com/0ktapus