Unmasking Phishing: Strategies for identifying 0ktapus domains and beyond

Nov. 7, 2024, 9:58 p.m.

Description

This analysis examines phishing tactics used by threat actors, particularly focusing on the 0ktapus group. It outlines techniques for investigating phishing campaigns by pivoting between landing pages, using 0ktapus as a case study. The methods discussed include application fingerprinting, network profiling, and domain registration analysis. The research reveals various DOM templates used by 0ktapus over time and provides insights into their infrastructure and tactics. The article also offers recommendations for prevention and detection of phishing attacks, emphasizing the importance of MFA, SSO, and continuous vigilance in cybersecurity practices.

Date

Published: Nov. 7, 2024, 5:32 p.m.

Created: Nov. 7, 2024, 5:32 p.m.

Modified: Nov. 7, 2024, 9:58 p.m.

Indicators

Attack Patterns

0ktapus

T1591

T1606

T1585

T1589

T1586

T1608

T1583

T1584

T1566

T1078

Additional Information

Technology

Finance

Telecommunications