Cybercriminal groups are instructing their targets not to use Okta's FastPass sign-in method, which Okta's threat management team sees as a validation of its technology and a reminder of the importance of phishing-resistant authentication methods.
Okta’s identity management systems are often targeted by threat actors due to their role as a primary line of defense in many organizations. Notably, they were exploited by the Scattered Spider gang in the 2023 cyber heists on Las Vegas casinos.
This week, Okta’s VP of threat intelligence, Brett Winterford, uncovered a new social engineering campaign where cybercriminals instructed their targets to not use the Okta FastPass feature for signing in. FastPass is a feature in Okta’s Verify service that offers passwordless authentication through biometrics or device-based security.
Winterford explained, “This unusual instruction from cybercriminals highlights how they are adapting their tactics in response to the increased adoption of advanced, high-assurance sign-in methods.”
The phishing attacks observed by Okta involved convincing users to sidestep the phishing-resistant sign-in method protecting their accounts. The attackers used trusted instant messaging platforms such as Slack to lure the targeted users.
In one instance, the threat actor posed as a company CEO in a message titled ‘Happy Thursday & Congratulations,’ inviting the target to join an exclusive new Slack workspace. The message was a phishing attempt, leading the target to connect their Okta account via a link.
The cybercriminals claimed to have issues with Okta FastPass in the new Slack integration and instructed the target to enter their password directly at the link. The link directed users to phishing pages running an adversary-in-the-middle transparent proxy called Evilginx, allowing the threat actors to steal passwords and one-time passcodes.
Winterford emphasized the importance of offering phishing-resistant authentication methods to end users, since attacks like this one depend on sign-in methods that can be phished, such as passwords and one-time passcodes relayed through a proxy.
He stated, “When administrators enforce phishing resistance in an authentication policy rule, users can only access protected resources using Okta FastPass, FIDO2-based authentication, or PIV Smart Cards. These methods prevent access if the request is routed through a transparent proxy, reducing the risk of falling for phishing attacks.”
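To show why a FIDO2-style assertion cannot be relayed through a transparent proxy the way a password or one-time passcode can, the following added example (not Okta's code, and not taken from the article) simulates the three parties in a WebAuthn sign-in: the browser, which fills in the true page origin and refuses to use a relying-party ID that does not match that origin; the authenticator, which signs the origin-bearing client data together with the hash of the relying-party ID; and the relying party, which rejects any assertion whose origin, rpIdHash, challenge or signature does not check out. The relying-party ID, origins, challenge and credential secret are constructed values, and an HMAC is used as a stand-in for the authenticator's asymmetric signature so that the script runs with the standard library alone.

```python
import hashlib
import hmac
import json
import struct

# Constructed relying party (RP): the tenant the user really signs in to.
RP_ID = "example-corp.okta.com"
ALLOWED_ORIGINS = {"https://example-corp.okta.com"}

# Credentials held by the authenticator, scoped to the RP ID they were
# registered for. Assumption: a real authenticator holds an asymmetric key
# (e.g. ECDSA P-256); an HMAC secret stands in for it here.
CREDENTIALS = {RP_ID: b"constructed-credential-secret"}


def authenticator_sign(rp_id, client_data_json, key, counter=1):
    """Authenticator step: sign authenticatorData || sha256(clientDataJSON).
    authenticatorData = rpIdHash (32 bytes) || flags (UP set) || counter."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", counter)
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    signature = hmac.new(key, signed, hashlib.sha256).digest()
    return {"authenticatorData": auth_data, "clientDataJSON": client_data_json, "signature": signature}


def browser_get_assertion(page_origin, requested_rp_id, challenge):
    """Browser step: the page cannot choose the origin written into clientDataJSON,
    and the requested RP ID must be the page's host or a registrable suffix of it.
    Returns None where a browser would refuse the request or no credential exists."""
    host = page_origin.split("://", 1)[1]
    if host != requested_rp_id and not host.endswith("." + requested_rp_id):
        return None  # RP ID is not valid for this origin
    key = CREDENTIALS.get(requested_rp_id)
    if key is None:
        return None  # no credential scoped to this RP ID
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    return authenticator_sign(requested_rp_id, client_data, key)


def rp_verify(assertion, expected_challenge):
    """Relying-party step (subset of the WebAuthn verification procedure):
    check type, challenge, origin, rpIdHash, user-presence flag and signature."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get" or client_data.get("challenge") != expected_challenge:
        return False, "bad type or challenge"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIALS[RP_ID], signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "signature invalid"
    return True, "ok"


def run_scenarios():
    """Compare a genuine sign-in with the ways a transparent proxy could try to relay one."""
    challenge = "constructed-challenge-123"
    results = {}

    # 1. The user signs in on the real origin: everything verifies.
    genuine = browser_get_assertion("https://example-corp.okta.com", RP_ID, challenge)
    results["legitimate"] = rp_verify(genuine, challenge)[0]

    # 2. A proxy page on another domain relays the real challenge and RP ID:
    #    the browser refuses, because the RP ID does not match the page origin.
    relayed = browser_get_assertion("https://example-corp-login.evil.example", RP_ID, challenge)
    results["proxy_page_same_rpid"] = relayed is not None and rp_verify(relayed, challenge)[0]

    # 3. The proxy requests its own RP ID instead: the authenticator has no
    #    credential scoped to it, so nothing is signed.
    own_rp = browser_get_assertion("https://evil.example", "evil.example", challenge)
    results["proxy_page_own_rpid"] = own_rp is not None and rp_verify(own_rp, challenge)[0]

    # 4. Client data claiming the real origin but signed without the credential
    #    key (constructed with an unrelated key): the signature check fails.
    forged_client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": "https://example-corp.okta.com"}
    ).encode()
    forged = authenticator_sign(RP_ID, forged_client_data, b"not-the-credential-key")
    results["forged_origin"] = rp_verify(forged, challenge)[0]
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:24s} accepted={accepted}")
```

The contrast with the Slack lure described above is the origin binding: a password or one-time passcode carries no information about where it was typed, so a proxy can forward it unchanged, whereas the assertion's signed client data records the origin the browser actually showed the user, and the relying party checks it against the origins it expects.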
Winterford concluded, “If all users are enrolled in phishing-resistant authenticators, a significant portion of the security work is already done.”