How 1-Time Passcodes Became a Corporate Liability – Krebs on Security – Krebs on Security

Phishers are enjoying remarkable success using text messages to steal remote access credentials and one-time passcodes from employees at some of the world’s largest technology companies and customer support firms. A recent spate of SMS phishing attacks from one cybercriminal group has spawned a flurry of breach disclosures from affected companies, which are all struggling to combat the same lingering security threat: The ability of scammers to interact directly with employees through their mobile devices.

In mid-June 2022, a flood of SMS phishing messages began targeting employees at commercial staffing firms that provide customer support and outsourcing to thousands of companies. The missives asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page. Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication.
The phishers behind this scheme used newly-registered domains that often included the name of the target company, and sent text messages urging employees to click on links to these domains to view information about a pending change in their work schedule.
The phishing sites leveraged a Telegram instant message bot to forward any submitted credentials in real-time, allowing the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website. But because of the way the bot was configured, it was possible for security researchers to capture the information being sent by victims to the public Telegram server.
This data trove was first reported by security researchers at Singapore-based Group-IB, which dubbed the campaign “0ktapus” for the attackers targeting organizations using identity management tools from
“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations,” Group-IB wrote. “Furthermore, once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”
It’s not clear how many of these phishing text messages were sent out, but the Telegram bot data reviewed by KrebsOnSecurity shows they generated nearly 10,000 replies over approximately two months of sporadic SMS phishing attacks targeting more than a hundred companies.
A great many responses came from those who were apparently wise to the scheme, as evidenced by the hundreds of hostile replies that included profanity or insults aimed at the phishers: The very first reply recorded in the Telegram bot data came from one such employee, who responded with the username “havefuninjail.”
Still, thousands replied with what appear to be legitimate credentials — many of them including one-time codes needed for multi-factor authentication. On July 20, the attackers turned their sights on internet infrastructure giant, and the intercepted credentials show at least three employees fell for the scam.
In a blog post earlier this month, Cloudflare said it detected the account takeovers and that no Cloudflare systems were compromised. Cloudflare said it does not rely on one-time passcodes as a second factor, so there was nothing to provide to the attackers. But Cloudflare said it wanted to call attention to the phishing attacks because they would probably work against most other companies.
“This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached,” Cloudflare CEO Matthew Prince wrote. “On July 20, 2022, the Cloudflare Security team received reports of employees receiving legitimate-looking text messages pointing to what appeared to be a Cloudflare Okta login page. The messages began at 2022-07-20 22:50 UTC. Over the course of less than 1 minute, at least 76 employees received text messages on their personal and work phones. Some messages were also sent to the employees family members.”
On three separate occasions, the phishers targeted employees at, a San Francisco based company that provides services for making and receiving text messages and phone calls. It’s unclear how many Twilio employees received the SMS phishes, but the data suggest at least four Twilio employees responded to a spate of SMS phishing attempts on July 27, Aug. 2, and Aug. 7.

On that last date, Twilio disclosed that on Aug. 4 it became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials.
“This broad based attack against our employee base succeeded in fooling some employees into providing their credentials,” Twilio said. “The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data.”
That “certain customer data” included information on roughly 1,900 users of the secure messaging app Signal, which relied on Twilio to provide phone number verification services. In its disclosure on the incident, Signal said that with their access to Twilio’s internal tools the attackers were able to re-register those users’ phone numbers to another device.
On Aug. 25, food delivery service DoorDash disclosed that a “sophisticated phishing attack” on a third-party vendor allowed attackers to gain access to some of DoorDash’s internal company tools. DoorDash said intruders stole information on a “small percentage” of users that have since been notified. TechCrunch reported last week that the incident was linked to the same phishing campaign that targeted Twilio.
This phishing gang apparently had great success targeting employees of all the major mobile wireless providers, but most especially T-Mobile. Between July 10 and July 16, dozens of T-Mobile employees fell for the phishing messages and provided their remote access credentials.
“Credential theft continues to be an ongoing issue in our industry as wireless providers are constantly battling bad actors that are focused on finding new ways to pursue illegal activities like this,” T-Mobile said in a statement. “Our tools and teams worked as designed to quickly identify and respond to this large-scale smishing attack earlier this year that targeted many companies. We continue to work to prevent these types of attacks and will continue to evolve and improve our approach.”
This same group saw hundreds of responses from employees at some of the largest customer support and staffing firms, including, and Teleperformance did not respond to requests for comment. KrebsOnSecurity did hear from Christopher Knauer, global chief security officer at Sitel Group, the customer support giant that recently acquired Sykes. Knauer said the attacks leveraged newly-registered domains and asked employees to approve upcoming changes to their work schedules.
Image: Group-IB.
Knauer said the attackers set up the phishing domains just minutes in advance of spamming links to those domains in phony SMS alerts to targeted employees. He said such tactics largely sidestep automated alerts generated by companies that monitor brand names for signs of new phishing domains being registered.
“They were using the domains as soon as they became available,” Knauer said. “The alerting services don’t often let you know until 24 hours after a domain has been registered.”
On July 28 and again on Aug. 7, several employees at email delivery firm Mailchimp provided their remote access credentials to this phishing group. According to an Aug. 12 blog post, the attackers used their access to Mailchimp employee accounts to steal data from 214 customers involved in cryptocurrency and finance.
On Aug. 15, the hosting company DigitalOcean published a blog post saying it had severed ties with MailChimp after its Mailchimp account was compromised. DigitalOcean said the MailChimp incident resulted in a “very small number” of DigitalOcean customers experiencing attempted compromises of their accounts through password resets.
According to interviews with multiple companies hit by the group, the attackers are mostly interested in stealing access to cryptocurrency, and to companies that manage communications with people interested in cryptocurrency investing. In an Aug. 3 blog post from email and SMS marketing firm, the company’s CEO recounted how the phishers gained access to the company’s internal tools, and used that to download information on 38 crypto-related accounts.
A flow chart of the attacks by the SMS phishing group known as 0ktapus and ScatterSwine. Image: Amitai Cohen for
The ubiquity of mobile phones became a lifeline for many companies trying to manage their remote employees throughout the Coronavirus pandemic. But these same mobile devices are fast becoming a liability for organizations that use them for phishable forms of multi-factor authentication, such as one-time codes generated by a mobile app or delivered via SMS.
Because as we can see from the success of this phishing group, this type of data extraction is now being massively automated, and employee authentication compromises can quickly lead to security and privacy risks for the employer’s partners or for anyone in their supply chain.
Unfortunately, a great many companies still rely on SMS for employee multi-factor authentication. According to a report this year from Okta, 47 percent of workforce customers deploy SMS and voice factors for multi-factor authentication. That’s down from 53 percent that did so in 2018, Okta found.
Some companies (like Knauer’s Sitel) have taken to requiring that all remote access to internal networks be managed through work-issued laptops and/or mobile devices, which are loaded with custom profiles that can’t be accessed through other devices.
Others are moving away from SMS and one-time code apps and toward requiring employees to use physical FIDO multi-factor authentication devices such as security keys, which can neutralize phishing attacks because any stolen credentials can’t be used unless the phishers also have physical access to the user’s security key or mobile device.
This came in handy for Twitter, which announced last year that it was moving all of its employees to using security keys, and/or biometric authentication via their mobile device. The phishers’ Telegram bot reported that on June 16, 2022, five employees at Twitter gave away their work credentials. In response to questions from KrebsOnSecurity, Twitter confirmed several employees were relieved of their employee usernames and passwords, but that its security key requirement prevented the phishers from abusing that information.
Twitter accelerated its plans to improve employee authentication following the July 2020 security incident, wherein several employees were phished and relieved of credentials for Twitter’s internal tools. In that intrusion, the attackers used Twitter’s tools to hijack accounts for some of the world’s most recognizable public figures, executives and celebrities — forcing those accounts to tweet out links to bitcoin scams.
“Security keys can differentiate legitimate sites from malicious ones and block phishing attempts that SMS 2FA or one-time password (OTP) verification codes would not,” Twitter said in an Oct. 2021 post about the change. “To deploy security keys internally at Twitter, we migrated from a variety of phishable 2FA methods to using security keys as our only supported 2FA method on internal systems.”
Update, 6:02 p.m. ET: Clarified that Cloudflare does not rely on TOTP (one-time multi-factor authentication codes) as a second factor for employee authentication.
This entry was posted on Tuesday 30th of August 2022 10:53 AM
It’s scandalous that US banks still rely on SMS-based 2FA for online banking. My bank finally allowed 2FA using an RSA security key (Let me guess: They were required to provide this for federal government employees?). Apparently using an authenticator app is beyond the capabilities of their underpaid IT staff. But the best part: Even if you get (pay for) the RSA key, you cannot turn off 2FA with SMS! What’s the freaking point of paying for a more secure 2FA, if they won’t turn off the insecure 2FA?
2FA codes from authenticator apps or hardware tokens are vastly superior to 2FA SMS codes. But would not have mitigated this attack. It’s just as easy to phish a code from another app or token as it is from the text messaging app.
The real mitigation is the “security key” FIDO devices that must be plugged into the computer/phone via USB or bluetooth. that two-way type communications allows the key to authenticate the website/service that is requesting 2FA authentication.
It’s generally not the bank’s fault, it’s more often the third party online banking provider who determines what methods of 2FA are available. Fortunately my bank (who I both use and work for) offers VIP 2FA (would rather it not be a proprietary system, but it beats SMS).
It’s the bank’s fault since they get to choose their online provider.
The RSA SecurID code generator is as phishable as apps like Google Authenticator. For real security you need a U2F key like the Yubikey. Unfortunately very few platforms support it, but Google does and so does Bank of America.
90%-95% of MFA can be easily phished around. We need to do better. Buy or use only phishing-resistant MFA when you can. Here’s my list of all phishing-resistant MFA that I’m aware of:
When you read Mr Grimes’ book on MFA and then at the very same time you see the reply from someone whose name is Roger A. Grimes on another MFA issue 0_0
Amazing book btw so far!
90%-95% of MFA can be easily phished around. We need to do better. Buy or use only phishing-resistant MFA when you can. Here’s my list of all phishing-resistant MFA that I’m aware of: https: //www.
Just an idle thought while reading this: Isn’t this something that Blackberry handled by routing all phone traffic through a central server about twenty years ago? So all SMS messages were filtered and verified?
No. Blackberry only routed web traffic. SMS and Phone calls can’t be routed that way. The carrier controls that, SS7 stuff.
But this article isn’t even about SMS 2FA codes. It’s about the phishing of 2FA codes regardless of the transport method.
No. Blackberry only routed web traffic. SMS and Phone calls can’t be routed that way. The carrier controls that, SS7 stuff.
But this article isn’t even about SMS 2FA codes. It’s about the phishing of 2FA codes regardless of the transport method.
With SMS, hackers can SIM swap to get your SMS codes without you knowing.
Phishing is much more of a threat, because it attacks the human being. An attacker doesn’t need to swap your SIM, if they phish you, then you are tricked into giving up the credentials and 2FA codes.
No registration should record a cell ph# in the clear to begin with — without that critical datapoint SMS cannot reach their target.
What registration are you referring to?
SMS communications are spoofed to easily. The only way that zero trust protocols can be enabled is if the sender is 100% verifyable and authenticated by the receiving device all else are band aids on a festering wound. Once Quants are a reality hiding behind pseudo public key firewalls are going to have a lot of red eyes out there. The only way is symetric encryption
This is nonsense technobabble.
Delete this url from your bookmarks. It is beyond your ken.
I was fully on-board until the last two sentences about quantum pseudo public key firewalls. I have no idea what that is or why “symetric [sic] encryption” will fix it.
The bit about zero trust reads true but I’m afraid that it’s only a viable option for employees, not so much for customers. The article even mentions one stab at it.
Some companies (like Knauer’s Sitel) have taken to requiring that all remote access to internal networks be managed through work-issued laptops and/or mobile devices, which are loaded with custom profiles that can’t be accessed through other devices.
Yeah, even the bit about “zero trust” didn’t make sense. It’s a thing, but is usually misunderstood and used only as a buzz word.
I regularly remind myself that whatever email or text notifications I get… I will ALWAYS visit by clicking my own bookmarked site… or if I need to call anyone back, I will use the contact info stored in my password manager. I also use the following as my layered defense:
1. The browser I use for reading email/text has noscript extension. Only specific whitelisted sites are allowed — Gmail for example. So even if I inadvertently clicked an email or text link… Noscrypt should stop fake sites from functioning.
2. I always sign in as ‘standard’ user – not admin. So again, if I inadvertently clicked a bad link, Windows should prevent anything accidentally downloaded from installing/running. And I take care to ensure that my OS and apps are up to date.
That is good hygiene that all users should be doing. Thank you.
Although I am not sure if client javascript was used on this phishing page, so noscript may not have blocked it.
I use a RSA type key for financial stuff. I was offered the choice of using a TOTP app but I said to send me a new key when the old battery gave out. Totally air gapped.
But reading the article it seems to me that the real problem was clicking on a link being offered to you. Rule number one is if you didn’t ask for it, don’t click it.
Next up I baffled that any company would use Telegram. Their security has long been known to be no good.
The RSA hard tokens that display 2FA codes are certainly protected from malware that could infect your phone. But they have had their share of breaches too. RSA seeds were leaked a few years back.
In corporate environments today, and especially in pandemic work from home times… it is now the reality that employees will be contacted directly from SaaS providers that their employee has onboarded. Okta is one example. In many cases, not all employees are aware of all the cloud providers that are being used by the company. In this era of “cloud first”, a company could be using hundreds, and each employee cannot know which ones and what the exact URL would be.
Lastly, the company doesn’t use Telegram. The attacker uses Telegram to backhaul the credentials from the phishing site to the attackers. The victim isn’t even aware Telegram is in use.
Anyone open to learning more about the only MFA on the market without shared secrets in its design? Comment if yes.
(Yes, it’s real and exists — and is trusted by BofA, CVS Health Aetna, WellsFargo, Goldman Sachs, and more.)
All 2fa methods including FIDO can be exploited because they do not have correct time out lock out routines to prevent exploitation of fall back to stop lockout of users.
What does time out lockout have to do with any of this? The hackers are not trying to brute force, and the credentials and OTP code is retransmitted immediately.
Fido cannot be exploited through this phishing method.
Nice writeup and very detailed!
Recently attackers have been using advanced phishing attacks to bypass latest security mitigations
I think it will also be good to highlight the increase in usage of adversary-in-the-middle (AiTM) phishing attacks which can bypass multi-factor authentication (MFA) as well
Here are good recent researches on this topic:
Bypassing Microsoft 2-factor authentication
Bypassing Gmail 2-factor authentication
No registration should record a cell ph# in the clear to begin with — without that critical datapoint there is no attack vector.
Your email address will not be published.

Mailing List
Search KrebsOnSecurity
Recent Posts
Spam Nation
A New York Times Bestseller!
Thinking of a Cybersecurity Career?
Read this.
All About Skimmers
Click image for my skimmer series.
Story Categories
The Value of a Hacked PC
Badguy uses for your PC
Badguy Uses for Your Email
Your email account may be worth far more than you imagine.
Most Popular Posts
Why So Many Top Hackers Hail from Russia
Category: Web Fraud 2.0
Innovations from the Underground
ID Protection Services Examined
Is Antivirus Dead?
The reasons for its decline
The Growing Tax Fraud Menace
File ’em Before the Bad Guys Can
Inside a Carding Shop
A crash course in carding.
Beware Social Security Fraud
Sign up, or Be Signed Up!
How Was Your Card Stolen?
Finding out is not so easy.
Krebs’s 3 Rules…
…For Online Safety.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.