Tag: Okta

  • The Browser Puppeteer: New Vishing Kits Hijack Sessions in Real-Time

    Social engineering offensives are undergoing a sophisticated metamorphosis—adversaries now amalgamate telephonic directives with dynamic phishing kits that facilitate the real-time manipulation of a victim’s web session. According to an exposé by Okta Threat Intelligence, these emerging “Phishing-as-a-Service” instruments are being aggressively deployed against users of Google, Microsoft, Okta, and various cryptocurrency ecosystems.

    The hallmark of these solutions is their fluid adaptation to the cadence of the conversation. While one perpetrator entices the victim through verbal persuasion, a second operative surreptitiously orchestrates the content of the victim’s browser. This synchronized orchestration of vocal instructions and visual cues significantly bolsters the illusion of legitimacy, particularly during the critical juncture of Multi-Factor Authentication (MFA).

    These kits are engineered to exfiltrate credentials while simultaneously projecting interfaces that flawlessly mirror official portals. By instantaneously recalibrating the phishing site to reflect the actual authentication state of the attacker—who is concurrently attempting to access the genuine resource—the charade becomes hauntingly plausible to the unsuspecting user.

    The tactical sequence commences with rigorous reconnaissance to identify the target’s enterprise applications and support protocols. Subsequently, the adversary configures a bespoke phishing page and initiates a call using a spoofed corporate identity. The victim is then coerced into navigating to the fraudulent site and surrendering their primary credentials.

    The captured credentials are instantly relayed to a clandestine channel where the secondary operative uses them against the genuine service. Depending on the specific MFA challenge triggered, the phishing interface updates with surgical precision, prompting the user to approve a push notification or enter a secondary code. Such deceptive synergy makes the stratagem remarkably persuasive.

    Specialists emphasize that even robust MFA methods, such as number matching in push notifications, are not infallible, as the attacker simply directs the victim to select the requisite digit. Conversely, hardware-bound solutions like Okta FastPass or FIDO2 security keys remain resilient against these maneuvers. There is a burgeoning trend toward hyper-specialization, where phishing panels are architected for specific services rather than broad utility. Furthermore, the commoditization of vocal deception has reached a zenith, with access to professional “operators” now available for purchase on illicit marketplaces.

    To fortify defenses, organizations are urged to transition toward phishing-resistant authentication protocols. Within the Okta environment, the deployment of multifaceted security layers is recommended, alongside the implementation of network-aware access policies and the exclusion of known anonymizers. Some financial institutions have pioneered “call verification” features within their mobile applications, allowing users to authenticate the identity of a purported representative in real-time.
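As an added illustration of the network-aware checks recommended above (example code, not from Okta or the report), the following Python flags MFA successes that follow a password sign-in from an IP address that is new for that user or marked as a proxy, which is what a relayed login from the attacker's machine looks like. The event field names and sample records are constructed assumptions in the general shape of Okta System Log entries; verify them against a real export.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records in the general shape of Okta System Log events.
# Field names are an assumption for illustration, not a guaranteed schema.
SAMPLE_LOG = """
{"published":"2025-04-02T09:00:01Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"},"securityContext":{"isProxy":false}}
{"published":"2025-04-02T09:00:20Z","eventType":"user.authentication.auth_via_mfa","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"},"securityContext":{"isProxy":false}}
{"published":"2025-04-02T14:12:05Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.77"},"securityContext":{"isProxy":true}}
{"published":"2025-04-02T14:12:41Z","eventType":"user.authentication.auth_via_mfa","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.77"},"securityContext":{"isProxy":true}}
"""

# Constructed baseline: IPs each user has signed in from over a trailing period.
BASELINE_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"192.0.2.8"},
}


def parse_events(raw):
    """Parse one JSON event per line and return them ordered by publish time."""
    events = [json.loads(line) for line in raw.splitlines() if line.strip()]
    for e in events:
        e["_ts"] = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["_ts"])


def flag_relayed_mfa(events, baseline_ips, window=timedelta(minutes=5)):
    """Flag a successful MFA step that closely follows a password sign-in when
    the authenticating client is an IP the user has never used or is tagged
    as a proxy/anonymizer: the victim approved a push, but the session
    belongs to a machine that is not theirs."""
    pending = {}  # user -> most recent successful password-stage sign-in
    alerts = []
    for e in events:
        if e.get("outcome", {}).get("result") != "SUCCESS":
            continue
        user = e["actor"]["alternateId"]
        if e["eventType"] == "user.session.start":
            pending[user] = e
            continue
        if e["eventType"] != "user.authentication.auth_via_mfa":
            continue
        start = pending.get(user)
        if start is None or e["_ts"] - start["_ts"] > window:
            continue
        ip = e["client"]["ipAddress"]
        reasons = []
        if ip not in baseline_ips.get(user, set()):
            reasons.append("new_ip")
        if e.get("securityContext", {}).get("isProxy"):
            reasons.append("proxy")
        if reasons:
            alerts.append({"user": user, "ip": ip, "at": e["published"], "reasons": reasons})
    return alerts
```

In production the baseline would come from historical sign-in data and the proxy flag from the identity provider's or a threat-intel feed's classification; a hit is a trigger for re-verification of the user, not proof of compromise on its own.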

    According to Okta, this paradigm is rapidly evolving and has already manifested in live incursions. The corporation’s advisories, disseminated in April 2025 and January 2026, provide comprehensive technical forensic markers and strategic recommendations for remediation.

  • The Voice of Scattered Spider: How a Teen “Caller” Caused Millions in Damages

    The story of Noah Urban is one of the clearest illustrations of how teenage socializing and a simple phone call can transform into an instrument of cybercrime. According to an investigation drawing on Discord and Telegram chats, court documents, and countless interviews with sources, Urban served as a “caller” within the Scattered Spider group (also known as 0ktapus, UNC3944).

    Urban possessed few technical skills — his weapon was his voice, his manner, and his confident improvisation. The caller’s task was to talk people into opening doors to their companies’ internal systems, paving the way for data theft, account takeovers, and extortion. Investigators and analysts emphasize that this role provided the group with the access it needed to strike telecom and tech firms, and eventually far larger targets.

    Born in Florida in 2004, Urban did not write exploits or perform reverse engineering — instead, he quickly mastered SIM swapping and social engineering. Following scripts gleaned from Minecraft chats and underground channels, he would call mobile carriers, pose as support staff, and gain control of accounts and remote access to internal tools. Within weeks he was making thousands of dollars. The thrill grew, along with his network of peers in the so-called “Com” — teenage Discord and Telegram communities trading in “rare” usernames, crypto assets, and stolen recovery codes.

    By 2022, Urban and his partners had moved from small-scale takeovers to supplier-level attacks. That summer, the group deployed a phishing clone of Okta’s login page and sent it to Twilio employees. One compromised account was enough to slip into Slack and coax a higher-level colleague into handing over client verification codes. In total, data from 209 organizations leaked from Twilio — from SMS verification codes to corporate accounts. The campaign became known as 0ktapus. Later, the same tactics were used against Riot Games: attackers stole the source code of League of Legends and its anti-cheat tools, demanding payment for their “return.” Riot refused.

    As the schemes matured, Scattered Spider was increasingly tied to severe incidents in the U.S. and the U.K. In 2023, MGM Resorts estimated $100 million in losses from downtime and recovery; retailer Marks & Spencer reported potential damages of around $400 million. Investigators also noted collaboration with foreign extortionists, escalating pressure on victims, and even intimidation of employees’ families. CISA labeled the group a “serious and persistent threat,” while Mandiant described it as among the most aggressive.

    The FBI had been monitoring Urban since at least 2021. In March 2023, federal agents raided his Florida home, seizing roughly $4 million in cryptocurrency, $100,000 in cash, luxury watches, and electronics. Urban himself estimated that tens of millions had been funneled through exchanges and gambling sites. In spring 2024, he was arrested and charged in connection with incidents affecting 13 companies, including telecom and tech firms. By April he pled guilty to fraud and identity theft, and on August 20, 2025, he was sentenced to 10 years in prison and ordered to pay $13.4 million in restitution.

    The Urban case demonstrates that a convincing voice, a polished script, and relentless persistence can be enough to breach defenses. A trusted intermediary platform serving thousands becomes a launchpad, and a teenager’s “game of calls” escalates into a chain of attacks causing multimillion-dollar damages. Today, law enforcement bulletins list extortion alongside kidnappings and arson sparked by feuds within online youth gangs. And as long as soft skills outweigh code, and recruitment flows through gaming and music communities, this threat will persist — from a casual “hello” on the phone to disabled systems on the Las Vegas Strip.

  • The Alliance of Chaos: How ShinyHunters and Scattered Spider Merged to Target Salesforce

    The hacker groups ShinyHunters and Scattered Spider, once operating independently, now appear to have joined forces in a coordinated campaign to extort data from Salesforce’s corporate clients. As noted by ReliaQuest, ShinyHunters has undergone a sharp tactical shift—from their traditional credential theft and database breaches to more sophisticated social engineering, including targeted vishing and the distribution of malicious applications disguised as legitimate tools.

    A key element of these attacks involves counterfeit Okta login pages, crafted to mirror the genuine interface, which are used to lure victims into entering their credentials under the pretext of resolving a “technical issue” during a phone call. The attackers also make extensive use of VPNs to obfuscate their exfiltration channels.

    Operating since 2020, ShinyHunters has built a reputation for high-profile breaches and active participation on underground forums such as RaidForums and BreachForums. The name has been linked not only to one of the largest data sellers on these platforms but also to their administration—most notably during the launches of BreachForums v2 (June 2023) and v4 (June 2025). The mysterious disappearance of v3 in April 2025 remains unexplained.

    Following a brief return, BreachForums went permanently offline around June 9, 2025. Meanwhile, global attacks on Salesforce instances—tracked by Google under the codename UNC6240—have emerged, sharing common extortion indicators.

    Almost concurrently with the forum’s disappearance, French authorities arrested four individuals suspected of managing BreachForums, allegedly including ShinyHunters. However, in a statement to DataBreaches.net, the actor claimed that “France rushed the arrests,” suggesting that only an associate may have been apprehended.

    Shortly thereafter, on August 8, a new Telegram channel called scattered lapsu$ hunters appeared, prominently featuring the names ShinyHunters, Scattered Spider, and LAPSUS$. Members announced plans for their own ransomware-as-a-service (RaaS) offering—dubbed ShinySp1d3r—which they claimed could rival LockBit and DragonForce. Yet, within three days, Telegram administrators had blocked and removed the channel.

    Both Scattered Spider and LAPSUS$ are tied to a broader cybercriminal network known as The Com—an English-speaking collective infamous for SIM-swapping, extortion, and even real-world crimes. According to FalconFeeds, the rebranding under Scattered LAPSUS$ Hunters marks a transition into a new phase of digital racketeering, where influence and notoriety matter as much as financial gain.

    ReliaQuest also identified a series of ticket-themed phishing domains deploying counterfeit Salesforce login pages—signs of an impending new wave of attacks on major corporations. These domains are typically hosted on phishing-kit infrastructure that mimics SSO platforms, particularly Okta—a favored method of Scattered Spider.

    An analysis of more than 700 domains registered in 2025 that match Scattered Spider’s attack patterns revealed an increased focus on the financial sector: phishing infrastructure targeting banks and insurers rose by 12% since July, while interest in tech companies fell by 5%.

    The investigation highlights shared targets (retail, insurance, aviation) and overlaps in infrastructure—notably in domain templates. Investigators also discovered a BreachForums user named Sp1d3rHunters, previously linked to a ShinyHunters breach. The account, created in May 2024, suggests the groups may have been collaborating for at least a year.

    In a recent announcement, ShinyHunters declared that BreachForums is now fully under the control of international law enforcement. The actor claimed, “The platform is now operated by French police BL2C in coordination with the U.S. Department of Justice and the FBI,” and warned that the accounts “Hollow” and “ShinyHunters” have been compromised, while the “N/A” profile is controlled by an agent.

    In closing, they cautioned that if BreachForums ever comes back online, it should be regarded as a honeypot run by global intelligence agencies—and avoided at all costs.

  • Paradox.ai Data Breach: “123456” Password & Nexus Stealer Expose Fortune 500 Clients

    A recent data breach has exposed a critical vulnerability in the systems of Paradox.ai, the developer behind AI-powered chatbots used in recruitment processes at McDonald’s and other Fortune 500 corporations. The cause of this widespread leak? A painfully simple mistake—a password so weak it bordered on the absurd.

    The saga began when security researchers Ian Carroll and Sam Curry gained access to the backend of McHire.com, a platform that utilizes Paradox.ai’s “Olivia” chatbot to process job applications. Their entry point was a dormant test account protected by the infamous password “123456.” This flimsy credential opened the door to a trove of 64 million records, including names, phone numbers, and email addresses of job seekers.

    Paradox acknowledged the legitimacy of the test account, claiming it had been inactive since 2019 and was slated for deletion. The company asserted that only the researchers had accessed the system and emphasized that the exposed data involved only chatbot interactions, not actual job applications.

    But the crisis didn’t end there. An independent analysis of leaked password data revealed that in June 2025, a device belonging to a Vietnamese employee of Paradox was infected with the Nexus Stealer malware. This malicious software specializes in pilfering credentials and authentication data, including cookies and manually entered logins. Once compromised, the employee’s data was made publicly accessible and indexed by breach-tracking services.

    The stolen credentials included hundreds of trivial, repetitive passwords—many differing only in their final characters. Alarmingly, some were used to access client systems for major corporations like Aramark, Lockheed Martin, Lowe’s, and Pepsi. One such password, a mere seven-digit number, was reused across multiple enterprise systems—easily crackable in seconds with modern brute-force tools.

    Particularly troubling is the fact that the breach included logins to the single sign-on platform paradoxai.okta.com, in use since 2020 and equipped with two-factor authentication. While Paradox maintains that most compromised passwords are now obsolete, some still provided access to critical systems such as Okta and Atlassian—whose authentication tokens were valid until December 2025.

    Beyond credentials, the breach exposed session cookies, potentially enabling attackers to bypass multifactor authentication altogether. In several instances, malware also installed backdoors, allowing persistent remote access. One such compromised device—belonging to a Paradox developer in Vietnam—was later found listed for sale online.

    Paradox insists the incident did not impact other customer accounts and claims that security protocols for contractors have been significantly tightened since a 2019 audit. Yet this raises uncomfortable questions: how did an account secured with “123456” survive an audit in a company certified to ISO 27001 and SOC 2 Type II standards? The company explained that in 2019, external contractors were not held to the same security standards as internal staff.

    Further investigation revealed that another Vietnamese employee was infected with similar malware in late 2024. Among the stolen data were GitHub credentials and browser histories suggesting the infection likely occurred through pirated movie downloads—a common infection vector masked as codec installations.

    This episode serves as a stark reminder of the fragility of corporate cybersecurity—even within firms that claim rigorous adherence to industry standards. One forgotten test account and one compromised laptop were all it took to potentially jeopardize the data of numerous global enterprises.

  • Cloud Breached: Nation-State Hacker Infiltrates Cloudflare’s Code

    Cloudflare recently unveiled details of an incident in which state-sponsored spies are believed to have gained access to Atlassian’s internal system using credentials stolen during a security breach at Okta in October.

    According to Cloudflare, the breach within Atlassian’s system was detected on November 23, 2023, and by the following day, the intruders had been expelled from the system. Company representatives stated that the attack aimed to secure persistent access to Cloudflare’s global network.

    During the Okta security breach in October, which affected over 130 clients, attackers stole data to further compromise organizations. Cloudflare, which utilizes Okta as an identity provider integrated with Cloudflare Access to ensure secure user access to internal resources, also suffered from the attack.

    Cloudflare Breached

    Cloudflare’s leadership reported that the spies sought information on remote access, secrets, and tokens, and showed interest in 36 Jira tickets out of more than 2 million. These tickets related to vulnerability management, secret rotation, bypassing multifactor authentication, network access, and even the business response to the Okta incident.

    Cloudflare stated that hackers obtained one service token and three sets of service account credentials through the Okta compromise in 2023. Initially, Okta claimed the stolen information was relatively harmless and could be used for phishing or social engineering. However, it turned out that among the stolen data were session tokens that allowed access to the networks of companies like Cloudflare.

    The attackers used the stolen data to access Cloudflare systems, including an internal wiki based on Confluence and a Jira bug database, from November 14 to 17, 2023. Further accesses were detected on November 20 and 21, after which the intruders established persistent access on the Atlassian server via ScriptRunner for Jira.

    The spies’ interest in secrets and tokens is also evidenced by their review of 120 code repositories in Bitbucket out of nearly 12,000. The repositories were primarily related to backup procedures, configuration, global network management, identity, remote access, as well as Terraform and Kubernetes. According to the CDN company, some contained secrets that, although stored encrypted, were rotated immediately as a precaution.

    The attack was repelled on November 24, 2023, after which the company began assessing the damage and investigating the incident. As part of the enhanced security measures, CrowdStrike was engaged for an independent assessment.

    Cloudflare takes the incident seriously, despite the limited operational impact, and is committed to managing credentials, enhancing software security, and improving the alert system. The “Code Red” project, aimed at mitigating the breach’s aftermath, concluded on January 5, 2024, but efforts to enhance security within the company continue.