Unmasking Phishing: Strategies for identifying 0ktapus domains and beyond

Nov. 7, 2024, 9:58 p.m.

Description

This analysis examines phishing tactics used by threat actors, particularly focusing on the 0ktapus group. It outlines techniques for investigating phishing campaigns by pivoting between landing pages, using 0ktapus as a case study. The methods discussed include application fingerprinting, network profiling, and domain registration analysis. The research reveals various DOM templates used by 0ktapus over time and provides insights into their infrastructure and tactics. The article also offers recommendations for prevention and detection of phishing attacks, emphasizing the importance of MFA, SSO, and continuous vigilance in cybersecurity practices.

Date

  • Created: Nov. 7, 2024, 5:32 p.m.
  • Published: Nov. 7, 2024, 5:32 p.m.
  • Modified: Nov. 7, 2024, 9:58 p.m.

Indicators

  • fb1d07ab6c54c7380a93a507b48bc5ba0aee77ca32b7d4c57c38f007857a6fd1
  • 95a0eca17ee49bebb333bbb1c96ab54ed361c2f233b2adf8c4374814c633a53b
  • 98ca25eef00efcafee4f9cb07908776d0ad976296a5e6eb07a724c31ae4bfc61
  • ouryahoo.okta.com.shortid.support
  • f8b7bb31e7e8c574d74e52eba7dcf3de48c7f5fa6d39d64685d39355d688defb
  • e534b01f04ad4721f7cde5e173a1098ae537d0f84a30d908d0eddae6a2fc4514
  • dd4782fc37ada8c2411fd65877eb3c3199aa67224ffa6c65b81c2e4b8658f727
  • d6cbc900942061d85477bda4dbfd7f77d823e8c08ebe80e1f9ff10bec20b5172
  • d03ce20518692e3c2adc3f578ba92cab5e19f014664438b729d431a24be1823f
  • c8ff5a54213c5ac0146b1ffe36974b07113f9f7060f951d5f80b93befa3b03f2
  • ce91909e4a421b6377468d22c6d68438da717c300a1b1326177aab3d01b5abee
  • c1e6d17cdae38320041149688fdab35409c2d466319873f33390b801b130dae4
  • c05d6607585f882476b6b7c9a39fd0bd2bb7ced3e469d5312971971048e2c594
  • af1ddeab240bc7321e8c3dfc400ac8273e03af1ce0da9ed73e47570189795e4c
  • ab9f02f9eae92f52c983e18dafa2142203afe96a4f4a2390e061812989186e77
  • a23a15cf02ff5bfdf1b51335af4b91ca96c436781b9791280ab8c470643d07d7
  • a226437823c213da4b2f4cfdedc87bfa88204b17a0aebca1a33c3d6055178616
  • 9fea58b71ce27a360735a0ebe4badb2f0e1d17ed1b4baa229a568aec987c802c
  • 9833c1b277759b26478c88afe74680d5fbf3efff535dd803b1a3ebe4e7b8d466
  • 8293806652949fc5056d2b841ad30010a8e83e0e6adfb102ef83c73bdea074eb
  • 8683370db6d2b7f5137199f0a6b012fcd09cfff6afb30064a23b3339927ed9c9
  • 807865ab553996e521995c6624a41e026ef06f5370e1cad6a9647a68f7474798
  • 7d7ab8c1e2e469539e0d85d2b2166238c71bfd40ae7a373babf3744fc89a0ef8
  • 69b575025bd763e58fcb95035b9b6e358f43737d91e01ebdaa19934e0206a966
  • 6604762c149476ff2f833b336d5077d2ac349bccacdf70eb86af28105028fbe0
  • 695bd0671a2d91d7087abb3c314f59cca2b52f05411aca478e208c4648616486
  • 5dd491b89daadabfe8419d5d1e436a6dd9b4eea25fc4ba5898e6a1bca34f06e9
  • 53bb86ab4f9bf507d1f186b5be98f80960db4243afead96ef8ce6eafb2346587
  • 4ae2d449cc534f746e351500a78ed83b2b4555cdf22a49e2e5ef48b10ec55bd6
  • 46e7cf1fb46a73f098fa6f0f46732bdd298af690ec1452fac9b97884ca8b5a39
  • 436831126b5851ba76cd7bedc687ef08538fc639f7cc5e8665488aecfaeaf735
  • 3aeba4ab4ed3a5005444f108e6e54bc50c8c02421c1e6cfceab915e1de5cf862
  • 2d640430ec60721437ca4d5ff64d16cb0d3febce2e206fa749a9f8e007f9a5ae
  • 1d55d14c08eb1d61344f19d17f48b81cca3c4a24f54a0ee3707cf59b296db314
  • 1f28bdadbf55e8c7023c4ac754eb963b776847e2d1826d8cf396b01807185f70
  • 0cea1ff596fe9a73f77bcd99ec9c77b69c27408a1b1c1c756300ef3db4c3c41f
  • 0acb0fc9762e4359f562794011d77317c78f7b68cec08b715d98ed16ba761fac
  • 00cc2176062c84db97399bb8761803d15ad1edf4b23eccb74979bb79d2a483ab
  • 80.78.28.234
  • 80.78.24.166
  • 80.78.25.254
  • 80.78.22.244
  • 67.217.228.42
  • 64.95.13.215
  • 216.245.184.53
  • 193.149.176.19
  • 162.33.179.76
  • 80.78.24.176
  • www.validin.com
  • www.silentpush.com
  • www.cyberresilience.com
  • https://www.cyberresilience.com/threatonomics/resilience-threat-researchers-identify-new-campaigns-from-scattered-spider/
  • https://www.validin.com/blog/coralling-scattered-spider-with-dns-history/
  • https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
  • https://blog.sekoia.io/scattered-spider-laying-new-eggs/
  • https://blog.eclecticiq.com/ransomware-in-the-cloud-scattered-spider-targeting-insurance-and-financial-industries
  • www.authenticate-bt.com
  • www.dashsso.com
  • https://www.silentpush.com/blog/scattered-spider/
  • ns3.my-ndns.com
  • att-mfa.com
  • mailgun-okta.com
  • tickets.zapto.org
  • sso.ibexgiobal.com
  • rbx.okta.bio
  • ping.taskus-sso.com
  • okta.cellularsaies.com
  • louisvuitton.okta-lv.com
  • login.unumhr.com
  • login.transamerica-hr.com
  • login.thrivent-hr.com
  • login.unum-hr.com
  • login.synchronyfinanciai.com
  • login.servicenow-help.com
  • login.securian-hr.com
  • login.realogy-hr.com
  • login.rbx-hr.com
  • login.nfp-hr.com
  • login.klaviyo-hr.com
  • login.hr-intercom.com
  • login.grubhub-support.com
  • login.doordash-support.com
  • login.corporate-pnc.com
  • login.corporate-ally.com
  • login.block-hr.com
  • login.ally-hr.com
  • account.securian-hr.com
  • account.klaviyo-hr.com
  • account.kemper-support.com
  • ziffdavis-okta.com
  • zendesk-servicedesk.com
  • xapo-okta.com
  • verify-tmobile.com
  • verify-mailgun.com
  • uscc-hr.com
  • unchainedprod-okta.com
  • ultainternal.com
  • ultahub.com
  • typeform-okta.com
  • twillio-sendgrid.com
  • twitter-okta.com
  • telint-helpdesk.com
  • teleperformance-incident.com
  • t-mobile-okta.com
  • t-mobiie.net
  • sync-apple.com
  • sunrise-crypto.com
  • storewatch-tmobile.com
  • stargatesso.com
  • stargatesso-gemini.com
  • stargate-okta.com
  • sso-klaviyo.com
  • sso-falconx.com
  • squarespacehr.com
  • squarespace-okta.com
  • snapchat-okta.com
  • settings-okta.com
  • sessions-sendgrid.com
  • servicenowprod.com
  • sendgrid-overview.com
  • sendgrid-account.com
  • robinhood-servicedesk.com
  • ripple-okta.com
  • review-mailgun.com
  • resolveservicedesk.com
  • rejectauth-sendgrid.com
  • rbx-servicedesk.com
  • rbx-corp.com
  • rbx-hr.com
  • prntsrc.net
  • pfchangs-support.com
  • paxos-okta.com
  • ouryahoo-okta.net
  • ouryahoo-okta.org
  • ouryahoo-okta.com
  • okta-verify.com
  • onsolve-okta.com
  • okta-twilio.com
  • okta-ouryahoo.com
  • okta-ripple.com
  • okta-onsolve.com
  • okta-nydig.com
  • okta-intercom.com
  • okta-gamestop.com
  • okta-campaignmonitor.com
  • okta-cbhq.net
  • okta-blockdaemon.com
  • nike-support.com
  • mixpanel-okta.com
  • mgmresorts-okta.com
  • mcointernal-okta.com
  • markel-hr.com
  • manageactivity-sendgrid.com
  • luno-okta.com
  • louisvuitton-okta.com
  • klaviyo-vpn.com
  • klav-workday.com
  • jacksonhewitt-service.com
  • itbit-okta.com
  • intercom-okta.com
  • intercom-hr.com
  • hr-gnc.com
  • grubhub-support.com
  • grid-review.com
  • gofundme-okta.com
  • grayscale-okta.com
  • gd-okta.com
  • galaxy-okta.com
  • five9-hr.com
  • fico-servicenow.com
  • expediagroup-servicenow.com
  • epic-servicedesk.com
  • docusignhq.net
  • docusign-okta.com
  • dashboard-mailgun.com
  • corp-foundever.net
  • corescientific-okta.com
  • contact-sendgrid.com
  • consensys-okta.com
  • condenast-hub-okta-emea.com
  • concentrix-servicedesk.com
  • commonspiritcorp-okta.com
  • calendar-dd.com
  • block-hr.com
  • binance-us-okta.com
  • binance-sso.com
  • auth-alchemy.com
  • apple-vpn.com
  • alchemy-okta.com
  • adasupport-okta.com
  • activecampainhr.com
  • acwa-internal.com
  • acwa-apple.com
  • account-sendgrid.com
  • login.five9-hr.com
  • login.uscc-hr.com
  • revolut-ticket.com
  • forward-icloud.com
  • blog.sekoia.io
  • login.suniife.com
  • vzapps-vzn.com
  • uscellular-sso.com
  • unumhr.com
  • transamerica-hr.com
  • thrivent-hr.com
  • telesignhr.com
  • supporthub-iqor.com
  • stargate-sso.com
  • squarespace-hr.com
  • sharing-folders.com
  • roblox-hrs.com
  • rbxhr.net
  • podium-hr.com
  • nfp-hr.com
  • newyorklifehr.com
  • mercury-hr.com
  • mutualofomaha-hr.com
  • klaviyo-hr.com
  • ibexgiobal.com
  • hanover-hr.com
  • grubhubsso.com
  • gemini-sso.com
  • foundever-sso.com
  • corporate-huntington.com
  • corporate-ally.com
  • corp-foundever.com
  • corp-cox.com
  • connect-asurion.net
  • clicksend-staging.com
  • cinfin-hr.com
  • cellularsaies.com
  • block-sso.com
  • amica-hr.com
  • ally-hr.com
  • activecampaignhr.com
  • activecampaign-hr.com
  • klaviyocorp.net
  • intercomsso.net
  • cashsso.com

Attack Patterns

  • 0ktapus
  • T1591
  • T1606
  • T1585
  • T1589
  • T1586
  • T1608
  • T1583
  • T1584
  • T1566
  • T1078

Additional Information

  • Technology
  • Finance
  • Telecommunications