Unmasking Phishing: Strategies for identifying 0ktapus domains and beyond
Nov. 7, 2024, 9:58 p.m.
Description
This analysis examines phishing tactics used by threat actors, particularly focusing on the 0ktapus group. It outlines techniques for investigating phishing campaigns by pivoting between landing pages, using 0ktapus as a case study. The methods discussed include application fingerprinting, network profiling, and domain registration analysis. The research reveals various DOM templates used by 0ktapus over time and provides insights into their infrastructure and tactics. The article also offers recommendations for prevention and detection of phishing attacks, emphasizing the importance of MFA, SSO, and continuous vigilance in cybersecurity practices.
Tags
Date
- Created: Nov. 7, 2024, 5:32 p.m.
- Published: Nov. 7, 2024, 5:32 p.m.
- Modified: Nov. 7, 2024, 9:58 p.m.
Indicators
- fb1d07ab6c54c7380a93a507b48bc5ba0aee77ca32b7d4c57c38f007857a6fd1
- 95a0eca17ee49bebb333bbb1c96ab54ed361c2f233b2adf8c4374814c633a53b
- 98ca25eef00efcafee4f9cb07908776d0ad976296a5e6eb07a724c31ae4bfc61
- ouryahoo.okta.com.shortid.support
- f8b7bb31e7e8c574d74e52eba7dcf3de48c7f5fa6d39d64685d39355d688defb
- e534b01f04ad4721f7cde5e173a1098ae537d0f84a30d908d0eddae6a2fc4514
- dd4782fc37ada8c2411fd65877eb3c3199aa67224ffa6c65b81c2e4b8658f727
- d6cbc900942061d85477bda4dbfd7f77d823e8c08ebe80e1f9ff10bec20b5172
- d03ce20518692e3c2adc3f578ba92cab5e19f014664438b729d431a24be1823f
- c8ff5a54213c5ac0146b1ffe36974b07113f9f7060f951d5f80b93befa3b03f2
- ce91909e4a421b6377468d22c6d68438da717c300a1b1326177aab3d01b5abee
- c1e6d17cdae38320041149688fdab35409c2d466319873f33390b801b130dae4
- c05d6607585f882476b6b7c9a39fd0bd2bb7ced3e469d5312971971048e2c594
- af1ddeab240bc7321e8c3dfc400ac8273e03af1ce0da9ed73e47570189795e4c
- ab9f02f9eae92f52c983e18dafa2142203afe96a4f4a2390e061812989186e77
- a23a15cf02ff5bfdf1b51335af4b91ca96c436781b9791280ab8c470643d07d7
- a226437823c213da4b2f4cfdedc87bfa88204b17a0aebca1a33c3d6055178616
- 9fea58b71ce27a360735a0ebe4badb2f0e1d17ed1b4baa229a568aec987c802c
- 9833c1b277759b26478c88afe74680d5fbf3efff535dd803b1a3ebe4e7b8d466
- 8293806652949fc5056d2b841ad30010a8e83e0e6adfb102ef83c73bdea074eb
- 8683370db6d2b7f5137199f0a6b012fcd09cfff6afb30064a23b3339927ed9c9
- 807865ab553996e521995c6624a41e026ef06f5370e1cad6a9647a68f7474798
- 7d7ab8c1e2e469539e0d85d2b2166238c71bfd40ae7a373babf3744fc89a0ef8
- 69b575025bd763e58fcb95035b9b6e358f43737d91e01ebdaa19934e0206a966
- 6604762c149476ff2f833b336d5077d2ac349bccacdf70eb86af28105028fbe0
- 695bd0671a2d91d7087abb3c314f59cca2b52f05411aca478e208c4648616486
- 5dd491b89daadabfe8419d5d1e436a6dd9b4eea25fc4ba5898e6a1bca34f06e9
- 53bb86ab4f9bf507d1f186b5be98f80960db4243afead96ef8ce6eafb2346587
- 4ae2d449cc534f746e351500a78ed83b2b4555cdf22a49e2e5ef48b10ec55bd6
- 46e7cf1fb46a73f098fa6f0f46732bdd298af690ec1452fac9b97884ca8b5a39
- 436831126b5851ba76cd7bedc687ef08538fc639f7cc5e8665488aecfaeaf735
- 3aeba4ab4ed3a5005444f108e6e54bc50c8c02421c1e6cfceab915e1de5cf862
- 2d640430ec60721437ca4d5ff64d16cb0d3febce2e206fa749a9f8e007f9a5ae
- 1d55d14c08eb1d61344f19d17f48b81cca3c4a24f54a0ee3707cf59b296db314
- 1f28bdadbf55e8c7023c4ac754eb963b776847e2d1826d8cf396b01807185f70
- 0cea1ff596fe9a73f77bcd99ec9c77b69c27408a1b1c1c756300ef3db4c3c41f
- 0acb0fc9762e4359f562794011d77317c78f7b68cec08b715d98ed16ba761fac
- 00cc2176062c84db97399bb8761803d15ad1edf4b23eccb74979bb79d2a483ab
- 80.78.28.234
- 80.78.24.166
- 80.78.25.254
- 80.78.22.244
- 67.217.228.42
- 64.95.13.215
- 216.245.184.53
- 193.149.176.19
- 162.33.179.76
- 80.78.24.176
- www.validin.com
- www.silentpush.com
- www.cyberresilience.com
- https://www.cyberresilience.com/threatonomics/resilience-threat-researchers-identify-new-campaigns-from-scattered-spider/
- https://www.validin.com/blog/coralling-scattered-spider-with-dns-history/
- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- https://blog.sekoia.io/scattered-spider-laying-new-eggs/
- https://blog.eclecticiq.com/ransomware-in-the-cloud-scattered-spider-targeting-insurance-and-financial-industries
- www.authenticate-bt.com
- www.dashsso.com
- https://www.silentpush.com/blog/scattered-spider/
- ns3.my-ndns.com
- att-mfa.com
- mailgun-okta.com
- tickets.zapto.org
- sso.ibexgiobal.com
- rbx.okta.bio
- ping.taskus-sso.com
- okta.cellularsaies.com
- louisvuitton.okta-lv.com
- login.unumhr.com
- login.transamerica-hr.com
- login.thrivent-hr.com
- login.unum-hr.com
- login.synchronyfinanciai.com
- login.servicenow-help.com
- login.securian-hr.com
- login.realogy-hr.com
- login.rbx-hr.com
- login.nfp-hr.com
- login.klaviyo-hr.com
- login.hr-intercom.com
- login.grubhub-support.com
- login.doordash-support.com
- login.corporate-pnc.com
- login.corporate-ally.com
- login.block-hr.com
- login.ally-hr.com
- account.securian-hr.com
- account.klaviyo-hr.com
- account.kemper-support.com
- ziffdavis-okta.com
- zendesk-servicedesk.com
- xapo-okta.com
- verify-tmobile.com
- verify-mailgun.com
- uscc-hr.com
- unchainedprod-okta.com
- ultainternal.com
- ultahub.com
- typeform-okta.com
- twillio-sendgrid.com
- twitter-okta.com
- telint-helpdesk.com
- teleperformance-incident.com
- t-mobile-okta.com
- t-mobiie.net
- sync-apple.com
- sunrise-crypto.com
- storewatch-tmobile.com
- stargatesso.com
- stargatesso-gemini.com
- stargate-okta.com
- sso-klaviyo.com
- sso-falconx.com
- squarespacehr.com
- squarespace-okta.com
- snapchat-okta.com
- settings-okta.com
- sessions-sendgrid.com
- servicenowprod.com
- sendgrid-overview.com
- sendgrid-account.com
- robinhood-servicedesk.com
- ripple-okta.com
- review-mailgun.com
- resolveservicedesk.com
- rejectauth-sendgrid.com
- rbx-servicedesk.com
- rbx-corp.com
- rbx-hr.com
- prntsrc.net
- pfchangs-support.com
- paxos-okta.com
- ouryahoo-okta.net
- ouryahoo-okta.org
- ouryahoo-okta.com
- okta-verify.com
- onsolve-okta.com
- okta-twilio.com
- okta-ouryahoo.com
- okta-ripple.com
- okta-onsolve.com
- okta-nydig.com
- okta-intercom.com
- okta-gamestop.com
- okta-campaignmonitor.com
- okta-cbhq.net
- okta-blockdaemon.com
- nike-support.com
- mixpanel-okta.com
- mgmresorts-okta.com
- mcointernal-okta.com
- markel-hr.com
- manageactivity-sendgrid.com
- luno-okta.com
- louisvuitton-okta.com
- klaviyo-vpn.com
- klav-workday.com
- jacksonhewitt-service.com
- itbit-okta.com
- intercom-okta.com
- intercom-hr.com
- hr-gnc.com
- grubhub-support.com
- grid-review.com
- gofundme-okta.com
- grayscale-okta.com
- gd-okta.com
- galaxy-okta.com
- five9-hr.com
- fico-servicenow.com
- expediagroup-servicenow.com
- epic-servicedesk.com
- docusignhq.net
- docusign-okta.com
- dashboard-mailgun.com
- corp-foundever.net
- corescientific-okta.com
- contact-sendgrid.com
- consensys-okta.com
- condenast-hub-okta-emea.com
- concentrix-servicedesk.com
- commonspiritcorp-okta.com
- calendar-dd.com
- block-hr.com
- binance-us-okta.com
- binance-sso.com
- auth-alchemy.com
- apple-vpn.com
- alchemy-okta.com
- adasupport-okta.com
- activecampainhr.com
- acwa-internal.com
- acwa-apple.com
- account-sendgrid.com
- login.five9-hr.com
- login.uscc-hr.com
- revolut-ticket.com
- forward-icloud.com
- blog.sekoia.io
- login.suniife.com
- vzapps-vzn.com
- uscellular-sso.com
- unumhr.com
- transamerica-hr.com
- thrivent-hr.com
- telesignhr.com
- supporthub-iqor.com
- stargate-sso.com
- squarespace-hr.com
- sharing-folders.com
- roblox-hrs.com
- rbxhr.net
- podium-hr.com
- nfp-hr.com
- newyorklifehr.com
- mercury-hr.com
- mutualofomaha-hr.com
- klaviyo-hr.com
- ibexgiobal.com
- hanover-hr.com
- grubhubsso.com
- gemini-sso.com
- foundever-sso.com
- corporate-huntington.com
- corporate-ally.com
- corp-foundever.com
- corp-cox.com
- connect-asurion.net
- clicksend-staging.com
- cinfin-hr.com
- cellularsaies.com
- block-sso.com
- amica-hr.com
- ally-hr.com
- activecampaignhr.com
- activecampaign-hr.com
- klaviyocorp.net
- intercomsso.net
- cashsso.com
Attack Patterns
- 0ktapus
- T1591
- T1606
- T1585
- T1589
- T1586
- T1608
- T1583
- T1584
- T1566
- T1078
Additional Information
- Technology
- Finance
- Telecommunications