Summary:
Keypoints:
MITRE Techniques
-
Phishing is a commonly observed technique used by threat actors to gain illicit access to identities, including cloud identities.
-
In this blog post, we will outline several techniques for investigating phishing campaigns by pivoting between phishing landing pages.
-
We will examine 0ktapus as a case study, showcasing how we applied some of these methods and the results we obtained.
-
These techniques are valuable for surfacing phishing campaigns 0ktapus may operate in the future, and for analyzing the phishing infrastructure of many other threat actors.
Some of the most commonly observed techniques employed by cloud-fluent threat actors to compromise cloud environments are based on exploiting identities. One primary method that threat actors rely on to acquire identities is phishing, which has led to increasingly sophisticated and widespread phishing attacks. In this post, we will explore several methods for identifying phishing infrastructure, with a primary focus on one notorious example: 0ktapus.
One of the challenges of discussing 0ktapus is accurately attributing specific activities to this threat actor as opposed to other semi-related actors. In this blog, however, to simplify this, we will refer to the entire phishing mechanism described targeting help desk sites, identity providers, and login pages as activity pertaining to 0ktapus, while keeping this disclaimer in mind.
0ktapus (aka Scattered Spider, UNC3944, Storm-0875, Starfraud, Scatter Swine, Muddled Libra, LUCR-3 and Octo Tempest) is a financially motivated threat actor active since 2022, that has successfully targeted many of its victims’ cloud environments. This actor often focuses their initial access efforts on IT service desk workers and administrators to steal data, deploy ransomware, and extort their victims.
0ktapus is known for employing a myriad of social engineering techniques – ranging from simple techniques such as smishing (SMS phishing), vishing (voice phishing), and usage of phishing landing pages, to more sophisticated methods such as MFA fatigue and SIM hijacking. Since 0ktapus relies heavily on social engineering to obtain initial access to their victims, we decided to take one of their latest phishing campaigns as a use case.
While some of the methods described in this blogpost have been previously detailed in past reports, including from GroupIB, TLP_R3D, EclecticIQ, Validin, SilentPush, Mandiant and others, we believe there is significant value in compiling all these methods into one comprehensive framework, as well as leveraging it to reveal additional aspects of this threat actor’s past (and perhaps future) activity. We will therefore outline several useful techniques for detecting both known and previously unknown phishing domains linked to 0ktapus and highlight additional methods that can be useful for detecting phishing domains in general.
0ktapus regularly sets up new phishing landing pages mimicking legitimate login pages owned by their target organizations. They then refer potential victims to these websites as part of their ongoing phishing campaigns, with the goal of tricking their targets into entering their credentials, which are collected by 0ktapus and abused to gain initial access to target organizations’ networks.
For the sake of clarity and organization, we have compiled a summary of the different Document Object Model (DOM) templates used by 0ktapus over the past two years in their various phishing campaigns, and have assigned them (arbitrary) identifiers. Each DOM template showcases a unique structure and functionality, presumably as a result of the threat actor utilizing different phishing kits to generate their phishing landing pages.
This list should not be viewed as entirely comprehensive; there are likely additional previously published domains using additional DOM templates, and we were not always able to uniquely identify which domains were generated by previously reported phishing kits (such as templates generated by EIGHTBAIT). However, we believe this last can serve as a useful starting point when hunting for 0ktapus phishing domains.
DOM Template A
-
Unique Characteristics:
/bundles/modernizr
+/WebResource.axd, /Scripts/jquery-2.2.3.min.js
+ Page title is: “CMS Dashboard Login” + error in height tag + dynamic placeholder attribute (for example –Email or Username
,Username
,Username or Email
,someone@bt.com
,SSO ID
etc. See full list of observed values in the IOCs table. (example query) -
Domain Example:
revolut-ticket[.]com
-
References: This is the most common template observed in recent months, with domains using it reported by EclecticIQ and Cyber Resilience, among others.
-
Activity Period: May ‘23 – Today
DOM Template B
-
Unique Characteristics: Hidden link to
https://n[redacted].okta[.]com
+ POST victim credentials tof[redacted].php
, while redirecting victim tofactor.html
/ 2FA + form information is submitted tofactor.php
(example query) -
Domain Example:
gemini-sso[.]com
-
References: This template has been extensively studied previously , and reported on by TLP_R3D
-
Activity Period: Nov ‘23 – Today
DOM Template C
-
Unique Characteristics: image tag with keyword
_nuxt
(example query) -
Domain Example:
att-mfa[.]com
-
References: This template was first reported by Group-IB
-
Activity Period: Jul ‘22 – Apr ‘24
DOM Template D
-
Unique Characteristics:
Poll.js
+init.js
+${credential}:${password}
(example query) -
Domain Example:
stargate-okta[.]com
-
References: Domains using this DOM template were reported by TLP_R3D
-
Activity Period: Sep ‘24 – Today
DOM Template E
-
Unique Characteristics: POST to
/login/email
or/login/identifier
+htmx.min.js
+email
+ttl
(example query) -
Domain Example:
dashboard-mailgun[.]com
-
References: Wiz Research surfaced this template by examining domain registrations linked to common nameservers known to be used by 0ktapus.
-
Activity Period: Oct ‘24
DOM Template F
-
Unique Characteristics: Sha256 hash of DOM –
fb1d07ab6c54c7380a93a507b48bc5ba0aee77ca32b7d4c57c38f007857a6fd1
(example query) -
Domain Example:
mgmresorts-okta[.]com
-
References: The domain using this template was reported by Sekoia.
-
Activity Period: Aug ‘22
DOM Template G
-
Unique Characteristics: Sha256 hash of DOM –
95a0eca17ee49bebb333bbb1c96ab54ed361c2f233b2adf8c4374814c633a53b
(example query) -
Domain Example:
calendar-dd[.]com
-
References: Wiz Research surfaced a domain using this template by pivoting on hashes associated with several of 0ktapus’s other known phishing domains.
-
Activity Period: Sep ‘22
DOM Template H
-
Unique Characteristics: POST victim data to
../tmo/data/login.php
(example query) -
Domain Example:
t-mobile-okta[.]com
-
References: A domain using this template was reported by SilentPush.
-
Activity Period: Sep ‘23
DOM Template I
-
Unique Characteristics: Images and fonts encoded with base64 (example query)
-
Domain Example:
intercom-okta[.]com
-
References: A domain using this template was reported by TLP_R3D.
-
Activity Period: Nov ‘23 – Apr ‘24
DOM Template J
-
Unique Characteristics:
authorization.php
with SHA256 hash –69b575025bd763e58fcb95035b9b6e358f43737d91e01ebdaa19934e0206a966
+ POSTing victim response tofiles/common.php
(example query) -
Domain Example:
klav-workday[.]com
-
References: Wiz Research was able to surface this template by pivoting on an image replicated from a legitimate site and used by 0ktapus on a known phishing domain.
-
Activity Period: Mar’23
DOM Template K
-
Unique Characteristics:
index-CDmh8I23.js
+index-aNURsHR-.css
(example query) -
Domain Example:
grid-review[.]com
-
References: Wiz Research surfaced this template by pivoting on scripts used by 0ktapus on several known phishing domains.
-
Activity Period: Sep’24
DOM Template L
-
Unique Characteristics: Sha256 hash of DOM –
98ca25eef00efcafee4f9cb07908776d0ad976296a5e6eb07a724c31ae4bfc61
(example query) -
Domain Example:
rejectauth-sendgrid[.]com
-
References: Wiz Research surfaced this template by pivoting on scripts used by 0ktapus on several known phishing domains.
-
Activity Period: Aug’24 – Today
In the next section, we will primarily focus on phishing landing pages using template A. We attribute using this template to 0ktapus based on recent reports linking domains using it to this threat actor.
However, it’s important to recognize that other malicious groups may also be using the same phishing kits as 0ktapus in parallel, which means that while we can easily cluster similar domains together, not every cluster can be definitively tied to 0ktapus. Moreover, a single cluster of domains might reflect activity by multiple groups (each using the same kit), so our confidence in attributing a specific domain to 0ktapus depends on various factors, including the identity of the victim, the ASN andor domain registrar, and the resources integrated within the page, among others.
The diagram below summarizes methods we can use when hunting for phishing domains and pivoting between known and unknown domains. These methods can be divided into three types: application fingerprinting, network profiling, and domain registration analysis. Each of these methods can be employed using various threat hunting platforms, including VirusTotal, URLScan, Censys and others.
To demonstrate each of these techniques, we will review a recent phishing campaign operated by 0ktapus as a case study. A summary of the characteristics of this campaign can be found in the following diagram:
Application fingerprinting
When examining a phishing landing page, the content of the page itself can reveal indicators of its malicious intent. For instance, analyzing the HTML code tags may expose harmful embedded scripts, such as those found in the calendar-dd[.]com phishing domain. These are often unique enough to leverage in scans for other phishing pages utilizing the same scripts or script names. Additionally, in some cases the DOM template may incorporate legitimate and common scripts that aren’t unique to a specific campaign – indeed, querying for these scripts in URLScan would surface thousands of unrelated results – but the specific set of scripts may very well be unique.
Additionally, beyond examining the embedded code itself, there are other methods we can use to detect unknown phishing pages and pivot from known pages to unknown pages in the course of our research.
Replicated Assets
Each phishing page created by 0ktapus is tailored to a specific target organization. On the one hand, this caused the hash of each page to vary depending on the victim, making HTML-hash-based pivoting quite challenging unless fuzzy hashing is employed. On the other hand, this also means that when 0ktapus attempts to fully replicate the visual appearance of the login pages of their victims, they often end up incorporating images or CSS scripts directly sourced from the victims’ legitimate websites.
For example, when examining a past phishing page hosted at nike-support[.]com, we discovered an iframe.html file that included the following resource:
./discoveryIframe-82e613074a3700abe11a.min.js.download
A comparison with the original domain, nike.okta[.]com, suggests that the attackers simply downloaded this JavaScript file from the legitimate site, as the original domain also contained an iframe.html file, with a resource called:
/lib/discoveryIframe-82e613074a3700abe11a.min.js
The fact that threat actors like 0ktapus replicate assets from an original domain can be a useful strategy for identifying new unknown phishing domains. For instance, when examining DoorDash, reported as one of 0ktapus’s targets, we can easily locate their legitimate Okta domain – doordash.okta.com. By checking the hashes of files associated with this domain, we can identify one hash linked to fewer than 10 other domains, that belongs to an image of the company’s logo, originally called fs0j3qtrrcYDqTZYW0x7.png
(generally speaking, when looking for malicious infrastructure, queries that return relatively few results are a good sign you’re on the right path):
dd4782fc37ada8c2411fd65877eb3c3199aa67224ffa6c65b81c2e4b8658f727
This hash is indeed associated with several phishing domains mimicking DoorDash websites and using the image as a logo (renamed to logo.png
), including:
okta-verify[.]com, account[.]kemper-support[.]com, login[.]doordash-support[.]com, www[.]dashsso[.]com, calendar-dd[.]com.
Attribution Challenges
Using application fingerprinting can be a powerful technique, but it also has the potential to complicate attribution. For instance, during our research we pivoted from one known 0ktapus-operated phishing domain to other phishing domains based on an image they sourced from an original legitimate website – uscellular[.]com. This image was hosted on a second phishing website which later hosts the logo of another target (a different company); this mistake on the threat actor’s part occurred across multiple websites, thereby allowing us to identify additional landing pages, as shown in the following diagram:
While this process led us to successfully uncover many phishing pages, it is possible that they are not all operated by 0ktapus. This can be explained by the fact that multiple actors can access and use the same (public) image, making it challenging to pinpoint who is behind each specific attempt.
However, in this specific case, we utilized a variety of parameters, such as the domain registrar, ASN, domain name convention, and the DOM template of the phishing pages, to determine whether each of the domains we identified was indeed associated with 0ktapus, based on the characteristics of the threat actor’s previously known infrastructure.
Unique characteristics
As mentioned above, many threat actors use a variety of development kits to deploy their phishing sites, resulting in a similar structure across the different phishing landing pages they operate. As reported by EclecticIQ, GroupIB and others, over the past few years, 0ktapus have been observed using multiple toolkits for setting up their phishing infrastructure. By examining 0ktapus’ newly registered phishing domains, we can reveal several distinctive characteristics unique to one of the DOM templates utilized by this threat actor (“A” in the table above), which are almost certainly artifacts of the specific kit they chose to use for this purpose:
-
The image tags of websites using this DOM template often contain a syntax error in the height specification of an image, likely a recurring issue across all domains due to a bug in the code of the phishing kit, for example:
-
By pivoting on this specific characteristic, we were able to surface samples of DOMs previously uploaded to VirusTotal:
2. The page structure and values of specific HTML tags across the domains using this template share notable similarities, such as the following JavaScript script tag:
<script src="/WebResource.axd?d=pynGkmcFUV13He1Qd6_TZLoUdzwz5K_EBm8AWI6FxtTYIwM2mR9JkVPmU9lmAROI48C_2gf57cT3vej31U2u1A2&t=637814660020000000" type="text/javascript"></script>
3. There is consistent use of identical file names and directory names across several of 0ktapus’ phishing domains. By pivoting on specific sets of file names and paths (like we suggested above), we can uncover several previously unreported phishing domains:
How can we leverage application fingerprinting to uncover new domains?
-
Identifying the unique characteristics produced by the tools employed by the threat actor, such as phishing kits.
-
These similarities, once identified, can be searched for in platforms like Censys or VirusTotal.
-
Employing tools such as URLScan to discover and pivot on combinations of files and directories that may lead to additional phishing domains.
Fingerprints
Since phishing domains are sometimes managed by threat actors with fewer resources and less security oversight and concerns than their target organizations, they typically invest less in encryption of the website traffic and in other security features.
This allows us to pivot to other phishing domains based on indicators such as the absence of a TLS certificate, the use of specific certificate authorities (often opting for free services like Let’s Encrypt), open directories, unique open server ports (or sets of ports), and other fingerprints, including shared JARM signatures and fully or partially reused infrastructure.
Redirections
Actors may attempt to employ multiple redirections in order to bypass security solutions, as described in this blog post by Adaptive Shield. For example, attackers might use different URL shortening services to bypass domain blocklists or reputation services. For instance, we have observed 0ktapus using bit.ly in previous campaigns to disguise their phishing domains.
DNS hosting and naming conventions
Utilizing the same top-level domains and typo-squatting legitimate websites is also common among many different threat actors. 0ktapus primarily utilizes .com and .net top-level domains (TLDs) for their phishing efforts, trying to masquerade as legitimate organizations. Their domains often incorporate terms like “servicenow”, “hr”, “corp”, “dev”, “okta”, “sso”, and “workspace.”
Re-use of old infrastructure
Threat actors may reactivate old infrastructure to launch new campaigns, as detailed in a blog post by SOCRadar. In the phishing landscape, this is likely to occur if a phishing domain has proven effective enough for the actor to use again. Notably, 0ktapus often “returns to the scene of the crime” by retargeting previously compromised victims. For example, the domain mailgun-okta[.]com has resurfaced in their campaigns, being active in August 2022 and again in May this year.
How can we leverage network profiling to uncover new domains?
-
This tactic can be leveraged to continuously monitor 0ktapus’s IP addresses, revealing other domains registered simultaneously or sequentially on those addresses, as suggested in this blog post by Validin.
-
Additionally, we can employ regex patterns to search for newly registered domains matching known naming schemes.
People are people, and so are threat actors, and as such, they seek comfort and efficiency. One effective way to achieve both is through automated scripts for domain registration. This can result in registration patterns, such as registration dates, domain expiration times, domain registrars, and more.
0ktapus phishing pages are hosted on short-lived domains, as mentioned in this blog post by SIlentPush. This short lifespan contrasts the fact that their domains are initially registered for one year. Historical scan results indicate that some domains have been purposefully aged before being used for phishing, most likely in an attempt to improve their reputation scores and bypass security products.
Additionally, in this excellent Twitter thread, Chris Duggan (AKA TLP_R3D) explains how to pivot between phishing domains used by 0ktapus, highlighting that they register their domains with the same nameserver: ns3.my-ndns[.]com. Like other threat actors, 0ktapus also use the same domain registrars for many of their domains, with recent ones being Registrar.eu and Choopa.
How can we leverage domain registration analysis to uncover new domains?
-
Monitoring newly registered domains at registrars known to be used by threat actors can help identify emerging phishing domains (with additional filtering in place, such as combining the various techniques mentioned throughout this blogpost).
-
Over the past month, we examined domain registrations linked to nameservers commonly used by 0ktapus. This investigation uncovered several new domains, including dashboard-mailgun[.]com, which also revealed a previously unknown DOM template (see template E in the table above).
-
-
In the case of 0ktapus in particular, given a known phishing domain, searching for other domains registered for a one-year period with the same registrar during the same timeframe could assist in pinpointing additional phishing domains.
-
Finding other patterns in domain registration such as the date of the registration, the expiration date, the parking period, and other factors.
Prevention
-
Enforce MFA and single sign-on (SSO) for all services to the extent possible. MFA is incredibly effective at reducing the success rate of phishing attacks and other credential theft activity.
-
Ensure MFA and SSPR registration is secure by requiring users to authenticate from a trusted network location and/or ensuring device compliance.
-
Restrict access to applications to only those devices that are registered (with Okta FastPass) or devices managed by endpoint management tools.
Detection
-
Defenders should hunt for suspicious authentication to Okta services. Use Behavior Detection to act (via step-up authentication) or alert (via System Log) when a user’s sign in behavior deviates from a previous pattern of activity.
-
To identify potential cases of MFA hijacking, review your logs for any of the following behavior:
-
When a user registers a new device that uses a different operating system than their other devices (e.g., Android instead of iOS).
-
When a user registers a new device that is an older model than their previous device.
-
When a single phone (device ID) is assigned to multiple identities.
-
When an external (non-corporate) email address is added as a multi-factor option.
-
Wiz customers can use our pre-built Threat Detection Rules to identify unauthorized access to their Okta services.
Phishing remains an effective tactic for threat actors to obtain credentials and access identities in the cloud. 0ktapus exemplifies an actor adept at creating and maintaining high-quality phishing pages at a large scale.
The tendency of 0ktapus to target previously compromised victims is concerning. By revisiting old targets, 0ktapus may be banking on the idea that organizations have grown complacent or that security measures implemented post-incident have weakened over time. This strategy underscores the importance of ongoing vigilance in cybersecurity practices, even (and especially) for organizations that have previously been breached.
We believe that employing the techniques discussed throughout this blogpost will aid researchers in uncovering future phishing campaigns by 0ktapus and other threat actors, hopefully allowing for detection before the attacker can achieve their goals.
Indicators of compromise relevant to malicious activity that occurred between May 1st, 2024, and October 12th, 2024, are available in our GitHub repository.
Source: Original Post