Cybersecurity

Cyber: Okta Sso Accounts Targeted In Vishing-based Data Theft Attacks

2026-01-22 0 views admin
Cyber: Okta Sso Accounts Targeted In Vishing-based Data Theft Attacks

Okta is warning about custom phishing kits built specifically for voice-based social engineering (vishing) attacks. BleepingComputer has learned that these kits are being used in active attacks to steal Okta SSO credentials for data theft.

In a new report released today by Okta, researchers explain that the phishing kits are sold as part of an "as a service" model and are actively being used by multiple hacking groups to target identity providers, including Google, Microsoft, and Okta, and cryptocurrency platforms.

Unlike typical static phishing pages, these adversary-in-the-middle platforms are designed for live interaction via voice calls, allowing attackers to change content and display dialogs in real time as a call progresses.

The core features of these phishing kits are real-time manipulation of targets through scripts that give the caller direct control over the victim's authentication process.

As the victim enters credentials into the phishing page, those credentials are forwarded to the attacker, who then attempts to log in to the service while still on the call.

When the service responds with an MFA challenge, such as a push notification or OTP, the attacker can select a new dialog that instantly updates the phishing page to match what the victim sees when attempting to log in. This synchronization makes fraudulent MFA requests appear legitimate.

Okta says these attacks are highly planned, with threat actors performing reconnaissance on a targeted employee, including which applications they use and the phone numbers associated with their company's IT support.

They then create customized phishing pages and call the victim using spoofed corporate or helpdesk numbers. When the victim enters their username and password on the phishing site, those credentials are relayed to the attacker's backend, commonly to Telegram channels operated by the threat actors.

This allows the attackers to immediately trigger real authentication attempts that display MFA challenges. While the threat actors are still on the phone with their target, they can direct the person to enter their MFA TOTP codes on the phishing site, which are then intercepted and used to log in to their accounts.

Okta says these platforms can bypass modern push-based MFA, including number matching, because attackers tell victims which number to select. At the same time, the phishing kit C2 causes the website to display a matching prompt in the browser.

Source: BleepingComputer

🏷️ Tags

hackattackthreat

More from Cybersecurity

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

2026-02-24 0
Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

2026-02-24 0
Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

2026-02-24 0
Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

2026-02-24 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views