Keypoints
- Smishing campaigns in 2024 impersonate Okta-based SSO/IAM portals to collect credentials and MFA codes.
- Adversaries used phishing kits that pulled resources (including Okta Sign-In Widget JS and logotypes) from legitimate sites to make pages convincing.
- Investigators identified 35 new phishing sites (Jan 1–Feb 10, 2024) and 97 unique phishing domains from Oct 2023–Feb 2024, many following naming conventions such as appending “-hr” or “-sso” to the impersonated organization's name.
- Phishing forms POST credentials to server-side scripts, then redirect victims to a /factor.html page to harvest MFA verification codes.
- Operators rented VPS and hosting (AS-Choopa, Vultr, DigitalOcean, BLNWX, Unified Layer) and registered domains via registrars (Hosting Concepts BV, Namecheap, Hostinger).
- Delivery favored SMS lures sent after work hours (Thursdays/Fridays) with HR-themed messages to increase click-through rates.
- Detection and mitigation recommendations include URL analysis, user behavior baselining, MFA hardening, and least privilege account management.
MITRE Techniques
- [T1583.001] Acquire Infrastructure: Domains – Adversaries registered numerous phishing domains impersonating target organizations to host pages. (‘Our researchers identified 97 unique phishing domains created from October 2023 to February 2024 that hosted phishing pages…’)
- [T1583.003] Acquire Infrastructure: Virtual Private Server – Attackers rented VPS services to host phishing infrastructure. (‘Adversaries very likely rented VPS infrastructure from Vultr, Namecheap, DigitalOcean, BLNWX and Unified Layer to host the phishing infrastructure.’)
- [T1588.002] Obtain Capabilities: Tool – Threat actors obtained phishing kits tailored to mimic Okta portals. (‘Adversaries obtained phishing kits to impersonate the Okta portal of targeted organizations.’)
- [T1566] Phishing – Campaigns used SMS links to specially crafted pages that impersonate Okta sign-in portals for initial access. (‘Adversaries leveraged specially crafted phishing pages designed to impersonate the Okta login portal of business partners or targeted organizations.’)
- [T1078] Valid Accounts – Phishing pages harvested employee credentials and session data to obtain valid access. (‘The phishing campaigns targeted employees to harvest login credentials and MFA codes.’)
- [T1199] Trusted Relationship – Attackers exploited trust relationships between organizations to increase lure credibility. (‘Adversaries gained access by exploiting the established trust relationship between two distinct organizations.’)
- [T1621] Multi-Factor Authentication Request Generation – Pages and flows were designed to capture MFA verification codes via a secondary factor collection page. (‘Adversaries attempted to harvest MFA codes from victim employees.’)
Indicators of Compromise
- [Domain] phishing domain naming patterns – examples: domains appending “-hr” and “-sso” (each accounted for ~37% of registrations), and 97 total phishing domains observed.
- [URL path] MFA collection endpoint – example: https://[BRAND][LURE]/factor.html used to harvest verification codes.
- [HTML/Form] form fields and POST endpoints – example: form labels/fields such as “okta-signin-username” and form actions that POST credentials to server-side scripts.
- [Infrastructure] hosting and registrar services used – examples: AS-Choopa (hosting), Vultr and DigitalOcean (VPS), and Hosting Concepts BV and Namecheap (domain registration).
Attackers constructed phishing sites by assembling kits that incorporated legitimate Okta assets (sign-in widget JS and brand logotypes) to closely mirror real SSO/IAM pages. The sign-in HTML contained a form whose action attribute pointed to a server-side script; when a user submitted credentials, the page sent them via HTTP POST. After credential capture, the victim was directed to a secondary page (commonly /factor.html) that solicited the Okta verification/MFA code and submitted it via another POST request, so the operators harvested both the password and the one-time code.
Investigators linked pages using unique resource identifiers and the Okta Sign-In Widget to pivot across domains, identifying patterns in naming (frequent use of “-hr” and “-sso”) and repeated JS artifacts that tied multiple phishing sites to the same kit. Operators hosted sites on rented VPS infrastructure (AS-Choopa, Vultr, DigitalOcean, BLNWX, Unified Layer) and registered domains through registrars including Hosting Concepts BV and Namecheap, enabling rapid deployment and scale.
Delivery was primarily via SMS lures timed after business hours (notably Thursdays/Fridays) with HR-themed messaging to increase plausibility. Detection should focus on URL inspection, anomalous form POST endpoints, and resource pivots (shared JS or unique identifiers). Mitigations include stricter URL and form validation, MFA hardening (and monitoring for MFA interception patterns), and limiting account privileges to reduce impact from harvested credentials.
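The page-level traits described above (Okta Sign-In Widget field names on a non-Okta host, a form action that POSTs to a server-side script, a follow-up /factor.html MFA page, widget JS hotlinked from the legitimate site) and the “-hr”/“-sso” naming pivot can be turned into a simple triage check. The script below is an added example written for this summary, not Intel471's tooling or any real phishing kit: it parses a fetched sign-in page, scores it against those traits, and computes the share of lure suffixes across a domain list. The brand name `examplecorp`, the allow-listed hosts, the sample HTML, the sample domain list and the extra suffixes “-okta”/“-login” are all constructed assumptions; only “-hr”, “-sso”, /factor.html and the `okta-signin-*` field names come from the report.

```python
"""Heuristic triage of fetched sign-in pages for Okta-impersonation traits.

Hypothetical detector for this summary (not Intel471's tooling). Every host,
brand and page below is constructed sample data.
"""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names the real Okta Sign-In Widget renders; seeing them on a non-Okta host is suspicious.
OKTA_FIELD_HINTS = ("okta-signin-username", "okta-signin-password")
# "-hr" and "-sso" are the suffixes the report observed; "-okta"/"-login" are assumed extras.
LOOKALIKE_SUFFIXES = ("-hr", "-sso", "-okta", "-login")
SERVER_SCRIPT_RE = re.compile(r"\.(php|asp|aspx|cgi|pl)(\?|$)", re.IGNORECASE)


@dataclass
class PageFacts:
    forms: list = field(default_factory=list)    # form action attributes
    inputs: list = field(default_factory=list)   # input id/name attributes
    scripts: list = field(default_factory=list)  # script src attributes
    links: list = field(default_factory=list)    # <a href> and meta-refresh targets


class SignInPageParser(HTMLParser):
    """Collects the handful of attributes the scoring rules look at."""

    def __init__(self):
        super().__init__()
        self.facts = PageFacts()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.facts.forms.append(a["action"])
        elif tag == "input":
            for key in ("id", "name"):
                if a.get(key):
                    self.facts.inputs.append(a[key])
        elif tag == "script" and a.get("src"):
            self.facts.scripts.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.facts.links.append(a["href"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url=(\S+)", a.get("content") or "", re.IGNORECASE)
            if m:
                self.facts.links.append(m.group(1))


def lookalike_label(host, brand):
    """True if the leftmost label is the brand plus a lure suffix, e.g. examplecorp-hr."""
    label = host.split(".")[0].lower()
    return any(label == f"{brand}{s}" for s in LOOKALIKE_SUFFIXES)


def score_page(page_url, html, brand, legit_hosts):
    """Return (score, reasons) for one fetched page; each matched trait adds one point."""
    parser = SignInPageParser()
    parser.feed(html)
    f = parser.facts
    host = urlparse(page_url).hostname or ""
    if host in legit_hosts:
        return 0, ["served from an allow-listed host"]
    reasons = []
    if any(any(h in i.lower() for h in OKTA_FIELD_HINTS) for i in f.inputs):
        reasons.append("Okta Sign-In Widget field names on a non-Okta host")
    for action in f.forms:
        if SERVER_SCRIPT_RE.search(action):
            reasons.append(f"form POSTs to server-side script: {action}")
    for target in f.links + f.forms:
        if target.lower().endswith("factor.html"):
            reasons.append(f"follow-up MFA harvest page: {target}")
    for src in f.scripts:
        src_host = urlparse(src).hostname
        if src_host and src_host != host and src_host in legit_hosts and "okta" in src.lower():
            reasons.append(f"Okta widget JS hotlinked from legitimate host: {src_host}")
    if lookalike_label(host, brand):
        reasons.append(f"lookalike hostname: {host}")
    return len(reasons), reasons


def suffix_share(domains, suffixes=("-hr", "-sso")):
    """Fraction of domains whose leftmost label ends in each lure suffix (the naming pivot)."""
    labels = [d.split(".")[0].lower() for d in domains]
    return {s: sum(l.endswith(s) for l in labels) / len(labels) for s in suffixes}


# Constructed sample: a lookalike host serving a page that mimics the report's kit behaviour.
SAMPLE_PAGE_URL = "https://examplecorp-hr.example/login.html"
SAMPLE_HTML = """<html><head>
<script src="https://sso.examplecorp.example/js/okta-sign-in.min.js"></script>
</head><body>
<form method="post" action="/post.php">
  <input id="okta-signin-username" name="username">
  <input id="okta-signin-password" name="password" type="password">
  <input type="submit" value="Sign In">
</form>
<a href="/factor.html">Enter verification code</a>
</body></html>"""
LEGIT_HOSTS = {"sso.examplecorp.example", "examplecorp.example"}
# Constructed domain list for the suffix share; real counts come only from the report.
SAMPLE_DOMAINS = [
    "examplecorp-hr.example", "examplecorp-sso.example", "partnerco-hr.example",
    "partnerco-sso.example", "examplecorp-hr.net", "partnerco-sso.net",
    "examplecorp-okta.example", "partnerco-login.example",
]

if __name__ == "__main__":
    score, reasons = score_page(SAMPLE_PAGE_URL, SAMPLE_HTML, "examplecorp", LEGIT_HOSTS)
    print(score, *reasons, sep="\n  ")
    print(suffix_share(SAMPLE_DOMAINS))
```

The hotlinking rule is worth a second look from the legitimate organization's side: because the kits pull the Sign-In Widget JS and logotypes from the real site, requests for those assets with a Referer pointing at an unknown host show up in the organization's own web-server logs, which gives an early pivot into new lookalike domains without waiting for a victim report.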
Read more: https://intel471.com/blog/targeted-phishing-linked-to-the-com-surges