Okta warns that custom voice-phishing (vishing) kits sold "as a service" are being used in active attacks to steal Okta SSO credentials and gain access to integrated enterprise platforms. These adversary-in-the-middle platforms enable live caller interaction to manipulate authentication flows, intercept MFA (including TOTPs and push prompts), and facilitate data theft and extortion linked to groups like ShinyHunters. #Okta #ShinyHunters
Key points
- Custom voice-based phishing kits are being sold as a service and used to steal Okta SSO credentials.
- These kits act as adversary-in-the-middle platforms that allow live caller interaction and real-time page updates.
- Attackers relay credentials and TOTPs to backends (often via Telegram) to complete logins and bypass MFA.
- Threat actors perform reconnaissance and use spoofed corporate/helpdesk numbers to target employees with company-branded phishing sites.
- Okta recommends phishing-resistant MFA such as Okta FastPass, FIDO2 security keys, or passkeys to mitigate the threat.
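
Why the recommended factors hold up where TOTP does not, as an added illustration (not code from Okta or the report): a TOTP code depends only on the shared secret and the clock, so the server cannot tell which page it was typed into, while a FIDO2-style assertion covers the origin the browser was actually on. The domains, secrets and challenge are constructed, and HMAC stands in for the authenticator's asymmetric signature.

```python
import hashlib, hmac, json, struct

# All names, domains and secrets below are constructed for this illustration.
REAL_ORIGIN = "https://sso.example.com"
LOOKALIKE_ORIGIN = "https://sso-example.help"   # origin the user's browser is really on

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). The code depends only on secret and time."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

def server_accepts_totp(secret: bytes, code: str, now: int) -> bool:
    # Nothing in the code says which page it was typed into.
    return hmac.compare_digest(totp(secret, now), code)

def authenticator_sign(key: bytes, challenge: str, browser_origin: str) -> dict:
    """Origin-bound assertion: the browser, not the user, supplies the origin.
    Simplification: HMAC replaces the real asymmetric signature."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True)
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientData": client_data, "signature": sig}

def server_accepts_assertion(key: bytes, challenge: str, assertion: dict) -> bool:
    good = hmac.new(key, assertion["clientData"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good, assertion["signature"]):
        return False                      # client data was altered after signing
    data = json.loads(assertion["clientData"])
    return data["challenge"] == challenge and data["origin"] == REAL_ORIGIN

def relay_outcomes(now: int = 1_700_000_000) -> dict:
    secret, key, challenge = b"constructed-totp-seed", b"constructed-cred-key", "c7f1"
    code = totp(secret, now)              # entered on the lookalike page
    relayed = authenticator_sign(key, challenge, LOOKALIKE_ORIGIN)
    rewritten = dict(relayed, clientData=relayed["clientData"].replace(
        LOOKALIKE_ORIGIN, REAL_ORIGIN))
    genuine = authenticator_sign(key, challenge, REAL_ORIGIN)
    return {
        # forwarded a few seconds later, still inside the same 30 s window
        "totp_relayed": server_accepts_totp(secret, code, now + 5),
        "assertion_relayed": server_accepts_assertion(key, challenge, relayed),
        "assertion_origin_rewritten": server_accepts_assertion(key, challenge, rewritten),
        "assertion_legitimate": server_accepts_assertion(key, challenge, genuine),
    }

if __name__ == "__main__":
    print(relay_outcomes())
```

Only the forwarded TOTP and the genuine same-origin assertion are accepted; the assertion produced on the lookalike origin fails the origin check, and rewriting the origin afterwards breaks the signature.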