Thousands of login details compromised in a widespread phishing campaign affecting Twilio and Mailchimp
In a recent announcement, Singapore-based cybersecurity provider Group-IB identified a phishing campaign dubbed Oktapus as the culprit behind the breaches at Twilio and Cloudflare. The group behind the attacks has not been explicitly named, but the campaign has caused significant disruption, compromising more than 10,000 user credentials across 136 organisations since it began in March.
The phishing attacks targeted 169 unique domains and focused primarily on stealing Okta identity credentials and two-factor authentication codes. The phishing site mimicked a standard authentication page and asked targets for their username and password, then for their 2FA code; once the code was entered, the remote administration tool AnyDesk was downloaded to the victim's computer.
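The sequence described above (a credential and 2FA submission to a page impersonating the identity provider, followed by a remote administration tool landing on the same machine) is something a defender can look for in web proxy logs. The script below is an added example, not code from the article or from Group-IB: it parses a constructed proxy log, flags POST requests to hostnames that look like an SSO login page but are not on the organisation's allowlist of real identity-provider hostnames, and raises a finding when the same host then downloads a remote-administration installer within a 30-minute window. The allowlist, the lookalike tokens, the log format and all hostnames and domains are assumptions made for the example.

```python
"""
Added example (not from the article or Group-IB): correlate proxy-log events to
flag the pattern described in the text -- a credential/2FA submission to a
lookalike identity-provider domain followed by a remote-admin-tool download on
the same host. All log lines, domains and hostnames below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Hypothetical allowlist: the organisation's genuine IdP/SSO hostnames.
LEGIT_IDP_DOMAINS = {"example.okta.com", "login.example.com"}
# Tokens that a hostname impersonating an SSO login page commonly carries (assumption).
LOOKALIKE_TOKENS = ("okta", "sso", "vpn", "mfa")
# Installer names to correlate; AnyDesk is the tool named in the article.
RAT_INSTALLERS = ("anydesk",)
CORRELATION_WINDOW = timedelta(minutes=30)

# Assumed log format: "<date> <time> <host> <METHOD> <url>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<domain>[^/\s]+)(?P<path>\S*)"
)

# Constructed sample log: ws-1042 logs in to the real tenant, ws-2077 submits
# credentials and an MFA code to a lookalike domain and then fetches AnyDesk,
# ws-3150 fetches AnyDesk with no preceding lookalike login.
SAMPLE_LOG = """\
2022-08-04 09:12:01 ws-1042 GET https://example.okta.com/login/login.htm
2022-08-04 09:12:05 ws-1042 POST https://example.okta.com/api/v1/authn
2022-08-04 10:01:13 ws-2077 GET http://example-okta-sso.example/login
2022-08-04 10:01:40 ws-2077 POST http://example-okta-sso.example/login
2022-08-04 10:02:02 ws-2077 POST http://example-okta-sso.example/mfa
2022-08-04 10:03:17 ws-2077 GET https://download.example/AnyDesk.exe
2022-08-04 11:30:00 ws-3150 GET https://download.example/AnyDesk.exe
""".splitlines()


def parse(line):
    """Parse one proxy-log line into a dict, or None if it does not match the format."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
    return event


def is_lookalike_idp(domain):
    """True for a hostname that carries an SSO-style token but is not a known-good IdP host."""
    domain = domain.lower()
    if domain in LEGIT_IDP_DOMAINS:
        return False
    return any(token in domain for token in LOOKALIKE_TOKENS)


def is_rat_download(path):
    """True when the requested path looks like a remote-administration installer."""
    p = path.lower()
    return any(name in p for name in RAT_INSTALLERS) and p.endswith((".exe", ".msi", ".dmg"))


def find_suspicious_chains(lines):
    """Return (host, phishing_domain, installer_path) tuples where a POST to a lookalike
    IdP domain precedes a remote-admin installer download on the same host within
    CORRELATION_WINDOW."""
    events = [e for e in map(parse, lines) if e]
    events.sort(key=lambda e: e["ts"])
    credential_posts = defaultdict(list)  # host -> [(timestamp, lookalike domain)]
    findings = []
    for e in events:
        if e["method"] == "POST" and is_lookalike_idp(e["domain"]):
            credential_posts[e["host"]].append((e["ts"], e["domain"]))
        elif e["method"] == "GET" and is_rat_download(e["path"]):
            for ts, domain in credential_posts[e["host"]]:
                if timedelta(0) <= e["ts"] - ts <= CORRELATION_WINDOW:
                    findings.append((e["host"], domain, e["path"]))
                    break  # one finding per download is enough
    return findings


if __name__ == "__main__":
    for host, domain, path in find_suspicious_chains(SAMPLE_LOG):
        print(f"{host}: credentials posted to {domain}, then downloaded {path}")
```

The allowlist has to contain every legitimate tenant hostname, otherwise a genuine Okta subdomain will trip the "okta" token; conversely, a host that downloads AnyDesk with no preceding lookalike login (ws-3150 in the sample) is deliberately not reported, since the installer alone is not evidence of the chain the article describes.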
Twilio was among the breached customers, and its compromise spread to 1,900 Signal users: the secure messaging platform Signal was caught up in Twilio's breach, making it one of the 125 breached customers. The fallout from Twilio's compromise also affected Mailchimp, which in turn caused a breach at DigitalOcean.
Interestingly, the threat actors behind the Oktapus campaign did not configure the phishing kit to target mobile devices, suggesting that they may be inexperienced. The majority of the victims are U.S.-based and provide IT, software development, or cloud services.
Although the campaign stopped once it drew enough media attention, the true extent of the attacks and the number of organisations compromised remain unknown. Roberto Martinez, senior threat intelligence analyst at Group-IB Europe, said that many breaches may not have been publicly reported, so the campaign may have run for longer than is currently known.
It is worth noting that, had the attackers sent phishing emails instead, victims could have downloaded the remote administration tool to their computers, opening the way to social engineering and remote control of those machines. Okta did not respond to requests for comment.
As the cybersecurity landscape continues to evolve, it is essential for organisations to remain vigilant and proactive in protecting their user data. The Oktapus campaign serves as a stark reminder of the threats that exist and the importance of robust security measures.