
After Stealing 9K+ User Credentials, 0ktapus’s Phishing Arms May Continue to Prowl

Weaponizing strategic domains, major risk

Jonathan Zhang, CEO at Whois XML API

Walnut, Calif. – Oct. 13, 2022

A massive phishing campaign impersonating identity management platform provider Okta resulted in the compromise of 9,931 user accounts. The stolen records contained the email addresses and multifactor authentication (MFA) codes of users belonging to more than 130 organizations, including Cloudflare and Twilio.

The tactic was simple — the threat actors sent victims text messages that contained phishing links. These links imitated the Okta authentication page, notably using strings like “sso,” “vpn,” “mfa,” and “okta.”

While only 173 domains were named as indicators of compromise (IoCs), we found more than 10,000 that contained similar strings added between June 1 and September 16, 2022. Are the threat actors behind 0ktapus still lurking behind fake authentication pages and domains?

Posing as Authentication Pages

A crucial element in the success of the simple phishing tactic could be the effort to make the domains and web pages look legitimate. That implies careful planning, beginning with the registration of strategic domain names (i.e., those incorporating “sso,” “vpn,” “mfa,” and “okta”).

The irony isn’t lost on us. The threat actors are exploiting solutions designed to protect users. But scouring the DNS for similarly formulated domain names can help alert the security community to campaigns like 0ktapus.

We uncovered 10,750 domains and subdomains possibly related to the malicious campaign using string-based discovery techniques. Since most of the IoCs were created in June, we limited our search to domains added between June 1 and September 16, 2022.

A summary of our IoC list expansion can be found in the table below, along with some sample IoCs and related artifacts.

Aside from domain names spoofing Okta authentication pages, researchers at Group-IB also tagged 56 IP addresses as IoCs. Reverse IP lookups for these IP addresses revealed they were most likely dedicated since only a few domains resolved to them.

As of September 16, 2022, we only found 108 domains connecting to these IP addresses, bringing the total 0ktapus artifacts to 10,858 digital properties.
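As an added example (not the article's or WhoisXML API's own code) of the string-based discovery and reverse-IP steps described above: it filters a constructed newly-registered-domain feed by the article's keywords and date window, contrasts broad substring matching with stricter token matching, and flags IPs that host only a few names as likely dedicated. The feed format, the sample domains and the RFC 5737 test addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import date

# Strings the article reports in the 0ktapus lookalike domains, and its search window.
KEYWORDS = ("sso", "vpn", "mfa", "okta")
WINDOW = (date(2022, 6, 1), date(2022, 9, 16))

def label_tokens(domain):
    """Alphabetic tokens of a name: 'okta-verify2.net' -> ['okta', 'verify', 'net']."""
    return [t for t in re.split(r"[^a-z]+", domain.lower()) if t]

def discover(feed, start=WINDOW[0], end=WINDOW[1], strict=False):
    """Map domain -> matched keyword for (domain, first_seen) entries in the window.
    strict=False: substring anywhere (broad, also flags 'associates');
    strict=True: whole hyphen/digit-delimited token only (misses 'vpnportal')."""
    hits = {}
    for domain, seen in feed:
        if not (start <= seen <= end):
            continue  # outside the registration window the article searched
        name, tokens = domain.lower(), label_tokens(domain)
        for kw in KEYWORDS:
            if (kw in tokens) if strict else (kw in name):
                hits[domain] = kw
                break
    return hits

def likely_dedicated(resolutions, max_domains=2):
    """IPs from (domain, ip) reverse-IP pairs that host at most max_domains names;
    few co-hosted names suggests infrastructure dedicated to the campaign."""
    by_ip = defaultdict(set)
    for domain, ip in resolutions:
        by_ip[ip].add(domain)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) <= max_domains}

# Constructed sample feed and reverse-IP data (RFC 5737 test addresses), not the article's IoCs.
SAMPLE_FEED = [
    ("corp-sso-login.com", date(2022, 7, 3)),
    ("okta-verify2.net", date(2022, 8, 21)),
    ("vpnportal-access.org", date(2022, 6, 14)),
    ("associates.com", date(2022, 7, 9)),      # "sso" hidden inside an ordinary word
    ("okta-helpdesk.com", date(2022, 5, 20)),  # registered before the window
]
SAMPLE_RESOLUTIONS = [
    ("corp-sso-login.com", "192.0.2.10"), ("okta-verify2.net", "192.0.2.10"),
    ("associates.com", "198.51.100.5"), ("vpnportal-access.org", "198.51.100.5"),
    ("shared-site.com", "198.51.100.5"),
]
```

Running `discover(SAMPLE_FEED)` against `discover(SAMPLE_FEED, strict=True)` shows the trade-off behind a broad count like the article's 10,750: substring matching catches more lookalikes but also ordinary words, while token matching is cleaner but misses fused labels.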

Use of Major TLDs

While domain weaponization does not depend on the top-level domain (TLD) used, we noticed that the 0ktapus IoCs mainly belonged to the .com, .org, and .net spaces. That could be another simple yet effective tactic that helped the domains successfully pose as legitimate pages. After all, the campaign’s target organizations mainly used these TLDs.

This finding supports Group-IB’s statement that the threat actors may be planning sophisticated supply chain attacks. In contrast, non-targeted and run-of-the-mill cyberattacks may be more inclined to primarily use cheaper or free TLDs, such as .tk and .ga.

Confirmed Phishing Domains Continue to Lure Victims

We ran these artifacts through a bulk malware check and found that 2.22 percent have been flagged malicious by different malware engines. Still, some reported domains continue to be active, hosting suspicious-looking pages.

The malicious DuckDNS subdomains 1-sso-nifty[.]duckdns[.]org and mail[.]wms-sso-biglobe[.]duckdns[.]org are some examples of currently active properties. They both host the same financial account login page shown below.

Website screenshots of 1-sso-nifty[.]duckdns[.]org and mail[.]wms-sso-biglobe[.]duckdns[.]org

Browser warning that appears when you try to visit mail[.]wms-sso-biglobe[.]duckdns[.]org

The researcher’s browser warned against visiting the web pages, which also happened with att-expired-4de4[.]att-expiredms1[.]workers[.]dev. This subdomain currently hosts an AT&T login page shown below.

Website screenshot of att-expired-4de4[.]att-expiredms1[.]workers[.]dev

Potential Phishing Domains Remain Unflagged

Expanding our screenshot lookup analysis to include the rest of the artifacts, we found that some may not be safe to access. Aside from parked domains and 404 pages, most of the domains hosted login pages. Some of the most suspicious ones appear to imitate AT&T.

0ktapus’s arms have compromised thousands of user credentials by weaponizing strategic domains. While the tactic is simple and age-old, it remains effective. WHOIS and DNS intelligence can help detect suspicious properties before threat actors can activate and use them in malicious campaigns.

If you’re interested in the 0ktapus artifacts we discussed, feel free to contact us. We are also on the lookout for research collaborations.


Jonathan Zhang is the founder and CEO of WhoisXML API—a domain and IP data intelligence provider that empowers all types of cybersecurity enterprises to build better products and achieve greater network security with the most comprehensive domain, IP, DNS, and cyber threat intelligence feeds. WhoisXML API also offers a variety of APIs, tools, and capabilities, including Threat Intelligence Platform (TIP) and Domain Research Suite (DRS).

Sponsored by Whois XML API

Precise and exhaustive data is vital for cybersecurity professionals to analyze and prevent cybercrime. Whois XML API offers a comprehensive collection of domain, WHOIS, DNS and threat intelligence data feeds that are essential to their work. It’s an exhaustive cybersecurity package that offers maximum coverage of both real-time and historic data, complete with instruments for threat hunting, threat defense, cyber forensic analysis, fraud detection, brand protection, and data intelligence enrichment across a variety of SIEM, orchestration, automation and threat intelligence platforms.