Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label MFA Bypass. Show all posts
voice phishing kits
Cyber Fraud dark web phishing Identity Fraud MFA Bypass Okta threat intelligence social engineering scams voice phishing kits

Dark Web Voice-Phishing Kits Supercharge Social Engineering and Account Takeovers

 

Cybercriminals are finding it easier than ever to run convincing social engineering schemes and identity theft operations, driven by the availability of customized voice-phishing (vishing) kits sold on dark web forums and private messaging channels.

According to a recent Okta Threat Intelligence blog published on Thursday, these phishing kits are being marketed as a service to “a growing number” of threat actors aiming to compromise Google, Microsoft, and Okta user accounts. Beyond fake login pages, the kits also provide real-time support that helps attackers capture login credentials and multi-factor authentication (MFA) codes while victims are actively being manipulated.

“There are at least two kits that implement the novel functionality observed,” Okta Threat Intelligence Vice President Brett Winterford told The Register.

“The phishing kits have been developed to closely mimic the authentication flows of identity providers and other identity systems used by organizations,” he said. “The kits allow the attacker to monitor the phishing page as the targeted user is interacting with it and trigger different custom pages that the target sees. This creates a more compelling pretext for asking the user to share credentials and accept multi-factor authentication challenges.”

Winterford noted that this form of attack has “evolved significantly since late 2025.” Some advertisements promoting these kits even seek to hire native English-speaking callers to make the scams more believable.

“These callers pretend to be from an organization's helpdesk and approach targets using the pretext of resolving a support ticket or performing a mandatory technical update,” Winterford said.

Similar tactics were observed last year when Scattered Spider-style IT support scams enabled attackers to breach dozens of Salesforce environments, resulting in mass data theft and extortion campaigns.

The attacks typically begin with reconnaissance. Threat actors collect details such as employee names, commonly used applications, and IT support contact numbers. This information is often sourced from company websites, LinkedIn profiles, and other publicly accessible platforms. Using chatbots to automate this research further accelerates the process.

Once prepared, attackers deploy the phishing kit to generate a convincing replica of a legitimate login page. Victims are contacted via spoofed company or helpdesk phone numbers and persuaded to visit the fraudulent site under the guise of IT assistance. “The attacks vary from there, depending on the attacker's motivation and their interactions with the user,” Winterford said.

When victims submit their login credentials, the data is instantly relayed to the attacker—often through a Telegram channel—granting access to the real service. While the victim remains on the call, the attacker attempts to log in and observes which MFA methods are triggered, modifying the phishing page in real time to match the experience.

Attackers then instruct victims to approve push notifications, enter one-time passcodes, or complete other MFA challenges. Because the fake site mirrors these requests, the deception becomes harder to detect.

“If presented a push notification (type of MFA challenge), for example, an attacker can verbally tell the user to expect a push notification, and select an option from their [command-and-control] panel that directs their target's browser to a new page that displays a message implying that a push message has been sent, lending plausibility to what would ordinarily be a suspicious request for the user to accept a challenge the user didn't initiate,” the report says.

Okta also warned that these kits can defeat number-matching MFA prompts by simply instructing users which number to enter, effectively neutralizing an added layer of security.

Once MFA is bypassed, attackers gain full control of the compromised account.

This research aligns with The Register’s previous reporting on “impersonation-as-a-service,” where cybercriminals bundle social engineering tools into subscription-based offerings.

“As a bad actor you can subscribe to get tools, training, coaching, scripts, exploits, everything in a box to go out and conduct your infiltration operation that often combine[s] these social engineering attacks with targeted ransomware, almost always with a financial motive,” security firm Nametag CEO Aaron Painter said in an earlier interview.
Read more »
Spearphishing Campaigns
Cloud Identity Security Credential Theft Cyber Attacks FBI cyber alert Kimsuky MFA Bypass North Korea APT QR Code Phishing Quishing Attacks Spearphishing Campaigns

FBI Flags Kimsuky’s Role in Sophisticated Quishing Attacks


 

A new warning from the US Federal Bureau of Investigation indicates that spearphishing tactics are being advanced by a cyber espionage group linked to North Korea known as Kimsuky, also known as APT43, in recent months. 

As the threat actor has increasingly turned to QR code-based attacks as a means of infiltrating organizational networks, the threat actor is increasingly using QR code-based attacks. 

There is an alert on the group's use of a technique referred to as "quishing," in which carefully crafted spearphishing emails include malicious URLs within QR codes, as opposed to links that are clickable directly in the emails.

By using mobile devices to scan the QR codes, recipients can bypass traditional email security gateways that are designed to identify and block suspicious URLs, thereby circumventing the problem. 

As a result of this gap between enterprise email defenses and personal mobile use, Kimsuky exploits the resulting gap in security to stealthily harvest user credentials and session tokens, which increases the probability of unauthorized access while reducing the chance of early detection by the security team. 

As a result of this campaign, concerns about the increasingly sophisticated sophistication of state-sponsored cyber operations have been reinforced. This is an indication that a broader shift toward more evasive and socially engineered attack methods is taking place. 

The FBI has determined Kimsuky has been using this technique actively since at least 2025, with campaigns observing that he targeted think tanks, academic institutions and both US and international government entities using spear phishing emails embedded with malicious Quick Response codes (QR codes). 

In describing the method, the bureau referred to it as "quishing," a deliberate strategy based on the notion of pushing victims away from enterprise-managed desktop systems towards networks governed by mobile devices, whose security controls are often more lax or unclear.

The Kimsuky attacker, known by various aliases, such as APT43, Black Banshee, Emerald Sleet, Springtail, TA427, Velvet Chollima, and Emerald Sleet, is widely believed to be a North Korean intelligence agency. 

Kimsuky's phishing campaigns are documented to have been honed over the years in order to bypass email authentication measures. According to an official US government bulletin published in May 2024, the group has successfully exploited misconfigured Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies to deliver emails that falsely impersonated trusted domains to send emails that convincingly impersonated trusted domains.

In this way, they enabled their malicious campaigns to blend seamlessly into legitimate communications, enabling them to achieve their objectives. The attack chain is initiated once a target scans a malicious QR code to initiate the attack chain, that then quickly moves to infrastructure controlled by the threat actors, where preliminary reconnaissance is conducted to understand the victim's device in order to conduct the attack. 

Moreover, based on the FBI's findings, these intermediary domains are able to harvest technical information, including operating system details, browser identifiers, screen resolutions, IP addresses, and geographical indications, which allows attackers to tailor follow-up activity with greater precision. 

Thereafter, victims are presented with mobile-optimized phishing pages that resemble trusted authentication portals such as Microsoft 365, Okta, and corporate VPN login pages that appear convincingly. 

It is believed that by stealing session cookies and executing replay attacks, the operators have been able to circumvent multi-factor authentication controls and seized control of cloud-based identities. Having initially compromised an organization, the group establishes persistence and utilizes the hijacked accounts to launch secondary spear-phishing campaigns. This further extends the intrusion across trust networks by extending the malware laterally. 

As described by the FBI, this approach demonstrates a high level of confidence, an identity intrusion vector that is MFA-resilient, and it originates on unmanaged mobile devices that sit outside the traditional lines of endpoint detection and network monitoring. 

A number of attacks by Kimsuky were observed during May and June 2025, including campaigns that impersonated foreign advisors, embassy employees, and think tank employees to lure victims into a fictitious conference, as demonstrated by investigators. 

Since being active for more than a decade now, North Korea-aligned espionage groups like APT43 and Emerald Sleet have been gathering information on organizations in the United States, Japan, and South Korea. These groups, also known as Velvet Chollima, Emerald Sleet, TA406, and Black Banshee, have traditionally targeted these organizations with information. 

As a result of activities related to sanctions evasion and support for Pyongyang's weapons of mass destruction programs in 2023, the U.S. government sanctioned the group.

The current spear phishing campaign relies on QR codes embedded within carefully crafted spear-phishing emails to be it's primary infection vector, as the codes run through a victim's mobile device and thereby direct them to an attacker-controlled infrastructure that the attacker controls. 

There are a number of websites host phishing pages crafted to look like legitimate authentication portals, like the Microsoft 365, the Google Workspace, Okta and a wide range of services such as VPNs and single sign-ons. 

As a general rule, investigators report that the operation typically begins with detailed open-source reconnaissance in order to identify high-value individuals, followed by tailored email messages that impersonate trusted contacts or refer to timely events in order to lend credibility to the operation. 

The malicious site either collects login credentials or delivers malware payloads, such as BabyShark or AppleSeed, to the user when they scan the QR code, enabling attackers to establish persistence, move laterally within compromised environments, and exfiltrate sensitive data as soon as it is scanned.

There are many MITER ATT&CK techniques that are aligned with the activity, which reflects an organized and methodical tradecraft, which includes credentials harvesting, command-and-control communications at the application layer, and data exfiltration via web services. 

Furthermore, the group collects data on victim devices by collecting information about the browser and geolocation of the device, which enables the phishing content to be optimized for mobile use, as well as, in some cases, facilitates session token theft, which allows multi-factor authentication to be bypassed. 

Many researchers, academic institutions, government bodies, and strategic advisory organizations have been targeted for their sensitive information, including senior analysts, diplomats, and executives.

It has been observed that while the campaign has gained a global presence covering the United States, South Korea, Europe, Russia, and Japan  it has also demonstrated an increased effectiveness because it is based on personalized lures that exploit professional trust networks and QR codes are routinely used for accessing events and sharing documents, which highlights the growing threat of mobile-centric phishing. 

In a timely manner, the FBI's advisory serves as a reminder that organizations' attack surfaces are no longer limited to conventional desktops and email gateways, but are increasingly extending into mobile devices which are operating outside of the standard visibility of enterprises. 

As malicious actors like Kimsuky develop social engineering techniques that exploit trust, convenience, and routine user behavior in order to gain access to sensitive information, organizations are being forced to reassess how their identity protection strategies intersect with their mobile access policies and their user awareness practices. 

There is an urgent need for information security leaders to place greater emphasis on maintaining phishing-resistant authentication, monitoring anomalous sign-in activity continuously, and establishing stronger governance over mobile device usage, including for those employees who are handling sensitive policy, research, or advisory matters. 

Additionally, it is imperative that users are educated on how to discern QR codes from suspicious links and attachments so that they can treat QR codes with the same amount of attention and scrutiny. 

A combined campaign of this kind illustrates a shift in state-sponsored cyber operations towards low friction, high-impact intrusion paths, which emphasize stealth over scale, pointing to the necessity for adaptive defenses that can evolve as rapidly as the tactics being used to defeat them, which emphasizes the need for a more adaptive defense system.
Read more »
Online Security
cookie theft Cookies Cyber Security cybercriminals FBI Hacking https MFA Bypass Online Security

FBI Warns of Cybercriminals Stealing Cookies to Bypass Security

 

Cybercriminals are now targeting cookies, specifically the “remember-me” type, to gain unauthorized access to email accounts. These small files store login information for ease of access, helping users bypass multi-factor authentication (MFA). However, when a hacker obtains these cookies, they can use them to circumvent security layers and take control of accounts. The FBI has alerted the public, noting that hackers often obtain these cookies through phishing links or malicious websites that embed harmful software on devices. Cookies allow websites to retain login details, avoiding repeated authentication. 

By exploiting them, hackers effectively skip the need for usernames, passwords, or MFA, thus streamlining the process for unauthorized entry. This is particularly concerning as MFA typically acts as a crucial security measure against unwanted access. But when hackers use the “remember-me” cookies, this layer becomes ineffective, making it an appealing route for cybercriminals. A primary concern is that many users unknowingly share these cookies by clicking phishing links or accessing unsecured sites. Cybercriminals then capitalize on these actions, capturing cookies from compromised devices to access email accounts and other sensitive areas. 

This type of attack is less detectable because it bypasses traditional security notifications or alerts for suspicious login attempts, providing hackers with direct, uninterrupted access to accounts. To combat this, the FBI recommends practical steps, including regularly clearing browser cookies, which removes saved login data and can interrupt unauthorized access. Another strong precaution is to avoid questionable links and sites, as they often disguise harmful software. Additionally, users should confirm that the websites they visit are secure, checking for HTTPS in the URL, which signals a more protected connection. 

Monitoring login histories on email and other sensitive accounts is another defensive action. Keeping an eye on recent activity can help users identify unusual login patterns or locations, alerting them to possible breaches. If unexpected entries appear, changing passwords and re-enabling MFA is advisable. Taking these actions collectively strengthens an account’s defenses, reducing the chance of cookie-based intrusions. While “remember-me” cookies bring convenience, their risks in today’s cyber landscape are notable. 

The FBI’s warning underlines the importance of digital hygiene—frequently clearing cookies, avoiding dubious sites, and practicing careful online behavior are essential habits to safeguard personal information.
Read more »
token replay
Browser Security cloud apps Cyber Security identity-based attacks infostealers MFA Bypass Phishing Attacks session cookies Session Hijacking token replay

Session Hijacking Surges: Attackers Exploit MFA Gaps with Modern Tactics

 

As multi-factor authentication (MFA) becomes more common, attackers are increasingly resorting to session hijacking. Evidence from 2023 shows this trend: Microsoft detected 147,000 token replay attacks, marking a 111% increase year-over-year. Google reports that attacks on session cookies now rival traditional password-based threats.

Session hijacking has evolved from old Man-in-the-Middle (MitM) attacks, which relied on intercepting unsecured network traffic. Today, these attacks are internet-based, focusing on cloud apps and services. Modern session hijacking involves stealing session materials like cookies and tokens, enabling attackers to bypass standard security controls like VPNs, encrypted traffic, and even MFA.

The rise of identity-based attacks is a result of the growing complexity of user accounts, with each person managing multiple cloud-based services. Once attackers gain access to an active session, they can bypass MFA, leveraging the valid session tokens, which often stay active longer than expected.

Modern phishing toolkits, like AitM and BitM, make hijacking easier by allowing attackers to intercept MFA processes or trick users into controlling their browser. Infostealers, a newer tool, capture session cookies from the victim’s browser, putting multiple applications at risk, especially when EDR systems fail to detect them.

Infostealer infections are often traced back to unmanaged personal devices, which sync browser profiles with work devices, leading to the compromise of corporate credentials. EDRs aren’t always reliable in stopping these threats, and attackers can still resume stolen sessions without re-authentication, making it difficult for organizations to detect unauthorized access.

Passkeys offer some protection by preventing phishing, but infostealers bypass authentication entirely. While app-level controls exist to detect unauthorized sessions, many are inadequate. Companies are now considering browser-based solutions that monitor user agent strings for signs of session hijacking, offering a last line of defense against these sophisticated attacks.
Read more »
Tycoon
Gmail malware MFA Bypass Microsoft 365 multifactor authentication phishing kit Safety Security Tycoon

'Tycoon' Malware Kit Bypasses Microsoft and Google Multifactor Authentication

 

An emerging phishing kit called "Tycoon 2FA" is gaining widespread use among threat actors, who are employing it to target Microsoft 365 and Gmail email accounts. This kit, discovered by researchers at Sekoia, has been active since at least August and received updates as recent as last month to enhance its evasion techniques against multifactor authentication (MFA).

According to the researchers, Tycoon 2FA is extensively utilized in various phishing campaigns, primarily aimed at harvesting Microsoft 365 session cookies to bypass MFA processes during subsequent logins. The platform has amassed over 1,100 domain names between October 2023 and late February, with distribution facilitated through Telegram channels under different handles such as Tycoon Group, SaaadFridi, and Mr_XaaD.

Operating as a phishing-as-a-service (PhaaS) platform, Tycoon 2FA offers ready-made phishing pages for Microsoft 365 and Gmail accounts, along with attachment templates, starting at $120 for 10 days, with prices varying based on the domain extension. Transactions are conducted via Bitcoin wallets managed by the "Saad Tycoon Group," suspected to be the operator and developer of Tycoon 2FA, with over 1,800 recorded transactions as of mid-March.

The phishing technique employed by Tycoon 2FA involves an adversary-in-the-middle (AitM) approach, utilizing a reverse proxy server to host phishing webpages. This method intercepts user inputs, including MFA tokens, allowing attackers to bypass MFA even if credentials are changed between sessions.

Despite the security enhancements provided by MFA, sophisticated attacks like Tycoon 2FA pose significant threats by exploiting AitM techniques. The ease of use and relatively low cost of Tycoon 2FA make it appealing to threat actors, further compounded by its stealth capabilities that evade detection by security products.

Sekoia researchers outlined a six-stage process used by Tycoon 2FA to execute phishing attacks, including URL redirections, Cloudflare Turnstile challenges, JavaScript execution, and the presentation of fake authentication pages to victims.

The emergence of Tycoon 2FA underscores the evolving landscape of phishing attacks, challenging the effectiveness of traditional MFA methods. However, security experts suggest that certain forms of MFA, such as security keys implementing WebAuthn/FIDO2 standards, offer higher resistance against phishing attempts.

To assist organizations in identifying Tycoon 2FA activities, Sekoia has published a list of indicators of compromise (IoCs) on GitHub, including URLs associated with Tycoon 2FA phishing campaigns.
Read more »
Subscribe to: Comments (Atom)