With the recent surge in awareness about how important MFA is to protect sensitive credentials, phishers have moved their efforts to steal 1-time passwords. Threat actors are now using bots to automate 1-time password thefts at scale. Phishers combine social engineering and vishing to steal victims’ OTPs.
What is a 1-time password?
A 1-time password is a numeric or alphanumeric string generated when a user requests it through some services. These single-use passwords authenticate a person for a single transaction or login session. Usually, microservices and apps leverage 1-time passwords to enable multi-factor authentication. These passcodes have a fixed life term and expire soon after use.
The Okta phishing attack incident
Attacks on companies using the identity managing tool Okta began in mid-June 2022. The attackers targeted several companies’ staff with SMS phishing, asking them to log in to a phishing page mimicking their employer's Okta authentication page. Upon submitting their credentials, the hackers prompted them to provide their 1-time password for multi-factor authentication.
The attackers use newly registered domains that often include the company’s name to make the pages look legitimate. According to Kerbs on Security's report, "The attackers urge the employees to click on links to these domains to view information about a pending change in their work schedule."
A group of security researchers at Singapore-based Group-IB first reported this attack. They named the campaign 0ktapus as the hackers attacked companies using Okta’s tools.
How the 1-time password phishing attack leverages Telegram?
Scammers leverage Telegram's instant message bot to pass credentials in real-time. It allows scammers to use phished usernames, email IDs, PINs, and OTPs to log into the employee's account through the actual website.
The attacks were successful because of the way the attackers configured the Telegram bot. Writing for their official blog, Group-IB said, "This case is of interest because despite using low-skill methods, it was able to compromise a large number of well-known organizations." The group added, "Furthermore, once the attackers compromised an organization, they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack got planned carefully in advance."
The Telegram bot's data helped the researchers realize that attackers had generated nearly 10,000 replies in almost two months of irregular SMS phishing attacks. This phishing campaign for extracting 1-time passwords targeted hundreds of companies, making 1-time passwords a corporate liability. Employees of well-known companies like Cloudflare, DoorDash, Signal, T-Mobile, Twilio, and others have become the target of this campaign.
Cloudflare CEO Matthew Prince said, "This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached. On July 20, 2022, the Cloudflare Security team received reports of employees receiving legitimate-looking text messages pointing to what appeared to be a Cloudflare Okta login page. The messages began on 2022-07-20 at 22:50 UTC. Over the course of less than 1 minute, at least 76 employees received text messages on their personal and work phones. Some messages were also sent to employees’ family members."
In an incident report, Twilio disclosed a social engineering attack on its staff for 1-time password on August 4. Mailchimp, on August 12, revealed that attackers accessed its employee accounts, stealing data of 214 users involved in finance and cryptocurrency.
Companies should embrace using biometric authentication as multi-factor authentication rather than OTPs. Biometric authentications like fingerprint, retina, and face scans are real-time, and attackers cannot transmit the information through such attack techniques.
Enterprises can also leverage modern authentication security postures like Risk-based Authentication (RBA) or adaptive authentication techniques. These will dynamically check the authentication techniques and other factors like web browsers, geolocation, IP address, and behavioural patterns.
Users should also avoid clicking on links received from unknown sources and report any such activity to their company's security teams. Training employees on cybersecurity best practices can also help organizations in avoiding such attacks.
When scammers target corporate employees' 1-time passwords to access sensitive corporate accounts, OTPs become a corporate liability. Taking some of the steps above can help protect your organization from this type of threat.