Daily Tech News, Interviews, Reviews and Updates

Twilio hackers also broke into over 130 organizations in a huge phishing attack

In the same phishing attempt, hackers responsible for a number of recent hacks, including those on Twilio, MailChimp, Cloudflare, and Klaviyo, compromised over 130 firms.

The hackers used a phishing kit nicknamed ‘0ktapus’ to capture 9,931 login credentials, which they then exploited to gain access to business networks and systems using VPNs and other remote access devices.

The 0ktapus campaign, according to a Group-IB assessment, has been active since at least March 2022, with the goal of stealing Okta identity credentials and 2FA codes and using them to carry out further supply chain assaults.

These attacks were extremely successful, resulting in a slew of data breaches at Twilio, MailChimp, Cloudflare, and Klaviyo. Furthermore, these vulnerabilities resulted in supply-chain assaults on clients who used these services, including Signal and DigitalOcean.

The threat actors targeted firms in a variety of areas, including bitcoin, technology, banking, and recruiting, using the phishing domains generated in this campaign.

T-Mobile, MetroPCS, Verizon Wireless, AT&T, Slack, Twitter, Binance, KuCoin, CoinBase, Microsoft, Epic Games, Riot Games, Evernote, AT&T, HubSpot, TTEC, and Best Buy are among the organizations targeted.

The 0ktapus’ many arms

The assault starts with an SMS message and a link to a phishing page that looks like an Okta login page, prompting victims to enter their account credentials and 2FA tokens.

Okta is an identity-as-a-service (IDaaS) platform that allows employees to access all software assets in their firm with a single login.

Using the keywords “OKTA,” “HELP,” “VPN,” and “SSO,” researchers uncovered 169 unique phishing domains supporting the 0ktapus campaign, as seen in the instances below.


These sites incorporate the target companies’ distinctive theming, so they appear exactly like the genuine portals that employees are used to seeing throughout their everyday login procedure.

When victims enter their credentials and two-factor authentication codes, the sites send them to a private Telegram channel where threat actors can collect them. These login credentials were then utilized by the hackers to obtain access to company VPNs, networks, and internal customer support systems in order to steal client data. As we witnessed with DigitalOcean and Signal, this customer data was subsequently utilized to launch additional supply-chain assaults.

According to the admissions of previous victims, threat actors frequently targeted data belonging to bitcoin companies. According to Group-IB, the threat actors stole 9,931 user credentials from 136 enterprises, 3,129 records with emails, and 5,441 records with MFA codes, with the majority of the affected organizations based in the United States.

Readers like you help support The Tech Outlook. When you make a purchase using links on our site, we may earn an affiliate commission. We cannot guarantee the Product information shown is 100% accurate and we advise you to check the product listing on the original manufacturer website. Thetechoutlook is not responsible for price changes carried out by retailers. The discounted price or deal mentioned in this item was available at the time of writing and may be subject to time restrictions and/or limited unit availability. Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates Read More
You might also like

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More