Security researchers at Wiz have published a detailed technical analysis revealing how the notorious threat actor 0ktapus (aka Scattered Spider, UNC3944, Storm-0875, Starfraud, Scatter Swine, Muddled Libra, LUCR-3 and Octo Tempest) constructs and maintains its phishing infrastructure, offering new insights into tracking and identifying their malicious campaigns.
The financially motivated threat group, active since 2022, has gained notoriety for its sophisticated social engineering attacks targeting cloud identities, particularly focusing on IT service desk workers and administrators.
The group employs techniques ranging from simple ones such as smishing (SMS phishing), vishing (voice phishing), and phishing landing pages to more sophisticated methods such as MFA fatigue and SIM hijacking.
In their analysis, Wiz researchers identified 12 distinct Document Object Model (DOM) templates used by 0ktapus in their phishing campaigns over the past two years.
Each template exhibits unique characteristics that can help security teams identify related phishing domains. For instance, one template contains a distinctive syntax error in image height specifications, while another includes specific JavaScript files and directory structures.
The research team outlined three primary methods for investigating phishing domains:
- Application Fingerprinting: This involves analyzing the content and structure of phishing pages, including examining HTML code, embedded scripts, and replicated assets from legitimate websites.
- Network Profiling: This method focuses on analyzing network-level indicators such as TLS certificates, DNS configurations, and redirection patterns.
- Domain Registration Analysis: This approach examines patterns in how domains are registered, including registration dates, expiration times, and choice of registrars.
A concerning trend highlighted in the research is 0ktapus's tendency to retarget previously compromised victims.
For example, the domain "mailgun-okta[.]com" was observed being reactivated for attacks in both August 2022 and May 2023, suggesting the group believes organizations may become complacent or allow security measures to weaken over time.
To help organizations protect themselves, Wiz researchers recommend several security measures:
- Enforce MFA and SSO across all services
- Secure MFA registration by requiring authentication from trusted network locations
- Restrict application access to registered or managed devices
- Monitor for suspicious authentication patterns, particularly around device registration
"Phishing remains an effective tactic for threat actors to obtain credentials and access identities in the cloud," the researchers noted. "0ktapus exemplifies an actor adept at creating and maintaining high-quality phishing pages at a large scale."
The research also revealed that 0ktapus primarily uses .com and .net top-level domains for their phishing infrastructure, often incorporating terms like "servicenow", "hr", "corp", "dev", "okta", "sso", and "workspace" in their domain names.
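As an added example (not from the article or from Wiz), a small Python triage helper that applies the naming pattern above to a constructed list of newly registered domains. It assumes the defender supplies their own brand and vendor terms (the `org_terms` set) and that inputs are registrable domains, possibly defanged as in the article.

```python
import re
from typing import Dict, List, Set

# Terms the article reports 0ktapus embedding in its phishing domain names.
OKTAPUS_TERMS = {"servicenow", "hr", "corp", "dev", "okta", "sso", "workspace"}
# Top-level domains the article says the group primarily uses.
WATCHED_TLDS = {"com", "net"}

# Constructed sample feed of newly registered domains (not real indicators).
SAMPLE_NEW_DOMAINS = [
    "mailgun-okta[.]com",
    "acme-sso.net",
    "okta.com",
    "acme-corp-hr.org",
    "weather-forecast.com",
]

def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'mailgun-okta[.]com' into a real hostname."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")

def tokens(label: str) -> List[str]:
    """Split a DNS label into word-like tokens on hyphens, underscores and digits."""
    return [t for t in re.split(r"[-_\d]+", label) if t]

def score_domain(domain: str, org_terms: Set[str]) -> Dict:
    """
    Flag a registrable domain on a watched TLD whose second-level label combines
    the 0ktapus vocabulary with the organisation's own terms (or two such terms).
    Only the second-level label is examined, so legitimate subdomains such as
    'dev.example.com' are not flagged on their 'dev' token.
    """
    host = refang(domain)
    labels = host.split(".")
    if len(labels) < 2:
        return {"domain": host, "suspicious": False, "matched": [], "org": []}
    tld = labels[-1]
    words = set(tokens(labels[-2]))
    matched = sorted(words & OKTAPUS_TERMS)
    org = sorted(words & org_terms)
    suspicious = tld in WATCHED_TLDS and bool(matched) and (bool(org) or len(matched) >= 2)
    return {"domain": host, "suspicious": suspicious, "matched": matched, "org": org}

def triage(domains: List[str], org_terms: Set[str]) -> List[Dict]:
    """Return only the domains worth a closer look, for hand-off to an analyst."""
    return [r for r in (score_domain(d, org_terms) for d in domains) if r["suspicious"]]

if __name__ == "__main__":
    for hit in triage(SAMPLE_NEW_DOMAINS, {"acme", "mailgun"}):
        print(hit)
```

The heuristic is deliberately conservative: a lone vendor name on a .com, such as the real okta.com, is not flagged, so tune `org_terms` to the brands your users actually sign in to.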
For defenders and security researchers, the documented techniques provide valuable methods to uncover future phishing campaigns before attackers can achieve their objectives.
The complete technical analysis is available on the Wiz Research blog, offering detailed indicators and methods for tracking 0ktapus infrastructure.