Okta warns of real-time vishing kits defeating MFA
Okta Threat Intelligence has identified new custom phishing kits specifically engineered for voice-based social engineering, featuring tools that allow attackers to remotely steer what a victim views in their web browser during a live phone call. According to the company, these kits are being offered on an "as-a-service" basis, lowering the barrier to entry for cybercriminals. The primary targets for these attacks include users of major platforms such as Google, Microsoft, and Okta, as well as various cryptocurrency providers.
By synchronising the victim's browsing session with their own, attackers can guide users through fraudulent interfaces in real time, making the deception significantly more convincing. This interactive approach allows threat actors to bypass traditional security cues and trick victims into surrendering sensitive credentials or multi-factor authentication codes. The emergence of these sophisticated tools marks a shift towards more dynamic, human-led cyber-attacks designed to exploit the trust established during direct verbal communication.
Okta said the kits intercept credentials and present fake multi-factor authentication approval screens. The company said attackers can change the phishing pages in real time during an active phone call. Okta linked this to vishing campaigns, where an attacker speaks to a target and uses social engineering techniques.
"Once you get into the driver's seat of one of these tools, you can immediately see why we are observing higher volumes of voice-based social engineering," said Moussa Diallo, Threat Researcher, Okta Threat Intelligence. "Using these kits, an attacker on the phone to a targeted user can control the authentication flow as that user interacts with credential phishing pages. They can control what pages the target sees in their browser in perfect synchronization with the instructions they are providing on the call. The threat actor can use this synchronization to defeat any form of MFA that is not phishing-resistant."
Real-time control
Okta said the phishing kits include client-side scripts that give threat actors control over the authentication flow in a victim's browser. Okta described this as real-time session orchestration. The company said it gives the caller more credibility during a conversation. Okta said it also increases the chance a victim approves MFA push notifications or shares one-time passcodes.
Okta said the kits appear to share common features and may come from the same lineage. The company said the design reflects the needs of callers who engage targets in real time, rather than relying only on static phishing pages or bulk email campaigns.
Okta described a common attack sequence. It said an attacker starts with reconnaissance on a target and gathers names, applications and phone numbers associated with IT support calls. Okta said the attacker then sets up a customised phishing page and calls the target while spoofing a company number or support hotline.
Okta said the caller persuades the user to open the phishing site in a browser. The user enters a username and password. Okta said the kit forwards the credentials to the attacker via Telegram.
Okta said the attacker then tries the captured credentials on a legitimate sign-in page and sees which MFA method triggers. Okta said the attacker can then update the phishing site as the call continues. The attacker can select pages that prompt for an OTP or that encourage a user to accept a push notification.
MFA limits
Okta said this approach can bypass several common MFA methods when the user follows instructions during the call. The company highlighted number challenge and number matching prompts for push notifications. Okta said these are not phishing-resistant because a caller can ask the user to select or enter a specific number.
Okta contrasted those methods with phishing-resistant sign-in options. It said users required to sign in with Okta FastPass or FIDO passkeys are protected from these attacks.
Okta said it has seen earlier session orchestration features copied into newer phishing kits. The company also said some operators now sell access to more tailored control panels designed for specific services, rather than a single kit aimed at multiple identity providers and cryptocurrency platforms.
Market for vishing
Diallo described a growing market for the skills associated with these operations.
"Vishing is becoming such an in-demand area of expertise that, much like access to these kits, that expertise is also sold on an as-a-service basis," said Diallo.
Defensive steps
Okta set out recommendations that focus on phishing-resistant authentication and tighter access policies. It said organisations should enforce phishing resistance for access to resources.
"In a workplace context, there is no substitute for enforcing phishing resistance for access to resources," said Diallo.
Okta said that, for customers using Okta for workforce authentication, phishing resistance would mean enrolling users in Okta FastPass, passkeys, or both.
Okta also pointed to network restrictions as a way to reduce exposure. It said organisations can use network zones or tenant access control lists to deny access from anonymising services used by threat actors.
"The key is to know where your legitimate requests come from, and allowlist those networks," said Diallo.
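The two recommendations above (only phishing-resistant factors, and only from allowlisted networks) can be checked against sign-in records as a simple audit. This is an added illustration, not Okta's code or log format; the event fields, factor names and network ranges are assumed values.

```python
import ipaddress

# Constructed sample sign-in events (not real Okta System Log entries):
# which factor completed the sign-in and the source IP of the password step.
EVENTS = [
    {"user": "alice", "factor": "fido_webauthn", "ip": "10.20.0.15"},
    {"user": "bob", "factor": "push_number_match", "ip": "10.20.0.31"},
    {"user": "carol", "factor": "totp", "ip": "203.0.113.9"},
    {"user": "dave", "factor": "fastpass", "ip": "198.51.100.77"},
]

# Phishing-resistant factors named in the article: Okta FastPass and FIDO passkeys.
# Push (with or without number matching) and OTPs are deliberately excluded,
# because a caller can talk the user through them.
PHISHING_RESISTANT = {"fastpass", "fido_webauthn"}

# Assumed corporate ranges, standing in for an Okta network zone allowlist.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def in_allowlist(ip: str) -> bool:
    """True if the source address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def evaluate(event: dict) -> tuple[str, list[str]]:
    """Apply both policy checks to one event; return ("allow"|"deny", reasons)."""
    reasons = []
    if not in_allowlist(event["ip"]):
        reasons.append("source outside allowlisted networks")
    if event["factor"] not in PHISHING_RESISTANT:
        reasons.append(f"factor {event['factor']} is not phishing-resistant")
    return ("deny" if reasons else "allow", reasons)


def audit(events: list[dict]) -> dict[str, tuple[str, list[str]]]:
    """Evaluate every event; a vishing-style sign-in shows up as a deny with reasons."""
    return {e["user"]: evaluate(e) for e in events}


if __name__ == "__main__":
    for user, (decision, reasons) in audit(EVENTS).items():
        print(user, decision, "; ".join(reasons))
```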
Okta also noted that some banks and cryptocurrency exchanges are testing live caller checks inside mobile apps. The company said these checks allow a user to confirm whether a caller is an authorised representative at the time of the call.