Cybercriminals are shifting from traditional email phishing to direct voice-based social engineering, known as vishing, to get into corporate systems. The shift particularly targets identity providers such as Okta, which act as the central authentication gateway for many organizations. By exploiting the trust placed in that gateway, attackers can reach a wide range of connected applications without deploying any malware.
The vishing technique consists of attackers phoning IT help desks or employees while posing as legitimate users in an urgent situation. They typically claim to be locked out of an account or to be having technical difficulties, and use that urgency to pressure help desk staff into skipping the normal verification steps, for example when resetting multi-factor authentication or enrolling a new device. The method has proven more effective than email phishing because it works on human psychology and time pressure rather than on a filterable message, and it yields access to sensitive systems directly.
Once attackers hold a working Okta session, they can reach every application federated through Single Sign-On, such as Microsoft 365, Google Workspace, and Salesforce, with no further credentials. That access lets them download documents, export mailboxes, and even register unauthorized applications to keep a foothold, which leads to extensive data breaches. The simplicity of the attack, which needs only a convincing story and a phone number, is what makes it so dangerous.
The impact of these vishing attacks is significant: they can result in widespread data theft and unauthorized access to critical business applications. Organizations are often caught off guard by how fast and how effective the attacks are, since they rely on neither malware nor exploit kits, so endpoint and email controls see nothing. Compromising an entire cloud environment with minimal technical skill is a serious threat to corporate security.
To counter this threat, organizations should enforce strict identity verification before any multi-factor authentication reset or device enrollment is performed by the help desk. Training help desk staff to recognize and challenge vishing attempts is essential, as is the move to phishing-resistant authentication such as FIDO2 security keys, which cannot be talked out of a user over the phone. Okta logs should be forwarded to the security information and event management system so that MFA factor resets, new factor enrollments, and logins from unfamiliar locations can be correlated and alerted on, and incident response playbooks should be updated so that a compromised identity can be contained quickly when it occurs.
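The detection the previous paragraph calls for, as an added example that is not code from the LevelBlue/SpiderLabs post: a small Python script that reads Okta System Log records (newline-delimited JSON using the real schema's eventType, published, actor, target, client and outcome fields) and flags a help-desk reset of a user's MFA factors that is followed, within a short window, by a new factor enrolled from an address the user has never been seen from, together with the SSO applications then opened. All records in SAMPLE_LOG are constructed for this example; the users, IP addresses, application labels and timestamps are invented, and the one-hour window is an assumption to tune to your help desk's process.

```python
"""Flag help-desk-assisted MFA resets that look like vishing follow-through.

Added example, not code from the LevelBlue/SpiderLabs post. Field names
follow the Okta System Log schema; every record below is constructed.
"""
import json
from datetime import datetime, timedelta

# Constructed sample log (NDJSON). alice: admin reset, then a factor enrolled from a
# never-seen address abroad, then a burst of SSO. bob: admin reset, re-enrollment
# from his usual address (a genuine lockout).
SAMPLE_LOG = r"""
{"eventType":"user.session.start","published":"2024-05-02T09:15:00.000Z","actor":{"alternateId":"alice@example.com","type":"User"},"target":[],"client":{"ipAddress":"192.0.2.5","geographicalContext":{"country":"United States"}},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.session.start","published":"2024-05-02T09:20:00.000Z","actor":{"alternateId":"bob@example.com","type":"User"},"target":[],"client":{"ipAddress":"192.0.2.9","geographicalContext":{"country":"United States"}},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.mfa.factor.reset_all","published":"2024-05-02T14:03:11.000Z","actor":{"alternateId":"helpdesk.admin@example.com","type":"User"},"target":[{"alternateId":"alice@example.com","type":"User"}],"client":{"ipAddress":"198.51.100.10","geographicalContext":{"country":"United States"}},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.mfa.factor.activate","published":"2024-05-02T14:07:42.000Z","actor":{"alternateId":"alice@example.com","type":"User"},"target":[{"alternateId":"alice@example.com","type":"User"}],"client":{"ipAddress":"203.0.113.77","geographicalContext":{"country":"Germany"}},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.authentication.sso","published":"2024-05-02T14:09:00.000Z","actor":{"alternateId":"alice@example.com","type":"User"},"target":[{"alternateId":"Microsoft 365","type":"AppInstance"}],"client":{"ipAddress":"203.0.113.77","geographicalContext":{"country":"Germany"}},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.authentication.sso","published":"2024-05-02T14:10:30.000Z","actor":{"alternateId":"alice@example.com","type":"User"},"target":[{"alternateId":"Google Workspace","type":"AppInstance"}],"client":{"ipAddress":"203.0.113.77","geographicalContext":{"country":"Germany"}},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.authentication.sso","published":"2024-05-02T14:12:05.000Z","actor":{"alternateId":"alice@example.com","type":"User"},"target":[{"alternateId":"Salesforce","type":"AppInstance"}],"client":{"ipAddress":"203.0.113.77","geographicalContext":{"country":"Germany"}},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.mfa.factor.reset_all","published":"2024-05-02T15:20:00.000Z","actor":{"alternateId":"helpdesk.admin@example.com","type":"User"},"target":[{"alternateId":"bob@example.com","type":"User"}],"client":{"ipAddress":"198.51.100.10","geographicalContext":{"country":"United States"}},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.mfa.factor.activate","published":"2024-05-02T15:25:00.000Z","actor":{"alternateId":"bob@example.com","type":"User"},"target":[{"alternateId":"bob@example.com","type":"User"}],"client":{"ipAddress":"192.0.2.9","geographicalContext":{"country":"United States"}},"outcome":{"result":"SUCCESS"}}
"""

RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
ENROLL_EVENT = "user.mfa.factor.activate"
SSO_EVENT = "user.authentication.sso"
WINDOW = timedelta(hours=1)  # assumed reset-to-enrollment window; tune to your help desk


def parse_log(text):
    """Parse NDJSON records and sort them by publication time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def actor_of(rec):
    return rec["actor"]["alternateId"]


def ip_of(rec):
    return rec["client"]["ipAddress"]


def country_of(rec):
    return rec["client"]["geographicalContext"]["country"]


def target_user(rec):
    """The user an admin action was applied to (first User entry in 'target')."""
    return next((t["alternateId"] for t in rec["target"] if t["type"] == "User"), None)


def detect_assisted_reset_abuse(events, window=WINDOW):
    """Return one finding per admin-performed factor reset that is followed within
    `window` by a new factor enrolled from an address the user never used before."""
    findings = []
    for i, reset in enumerate(events):
        if reset["eventType"] not in RESET_EVENTS or reset["outcome"]["result"] != "SUCCESS":
            continue
        user = target_user(reset)
        if user is None or actor_of(reset) == user:
            continue  # self-service reset: the user already proved possession of a factor
        # Baseline from the user's own activity before the reset: where have we seen them?
        prior = [r for r in events[:i] if actor_of(r) == user]
        known_ips = {ip_of(r) for r in prior}
        known_countries = {country_of(r) for r in prior}
        deadline = reset["ts"] + window
        for enroll in events[i + 1:]:
            if enroll["ts"] > deadline:
                break
            if enroll["eventType"] != ENROLL_EVENT or actor_of(enroll) != user:
                continue
            if ip_of(enroll) in known_ips:
                break  # re-enrolled from a familiar address: consistent with a genuine lockout
            # Which federated apps were opened with the new factor before the window closed?
            apps = [t["alternateId"]
                    for r in events[i + 1:]
                    if r["eventType"] == SSO_EVENT and actor_of(r) == user
                    and enroll["ts"] <= r["ts"] <= deadline
                    for t in r["target"] if t["type"] == "AppInstance"]
            findings.append({
                "user": user,
                "reset_by": actor_of(reset),
                "reset_at": reset["published"],
                "enrolled_from": ip_of(enroll),
                "minutes_to_enroll": int((enroll["ts"] - reset["ts"]).total_seconds() // 60),
                "apps": apps,
                # A country the user has never appeared from is the strongest single signal here
                "severity": "high" if country_of(enroll) not in known_countries else "medium",
            })
            break
    return findings


if __name__ == "__main__":
    for finding in detect_assisted_reset_abuse(parse_log(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```

Run against the sample, the script reports alice (reset by the help desk, a new factor from an unknown German address four minutes later, then Microsoft 365, Google Workspace and Salesforce opened through SSO) and stays silent on bob, whose re-enrollment came from his usual address. In production the baseline would come from weeks of history rather than the same file, and the finding would be pushed to the SIEM case that the incident response playbook acts on.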
Source: https://www.levelblue.com/blogs/spiderlabs-blog/why-attackers-are-bypassing-phishing-emails-and-targeting-identity-instead