Pulse Detail — Threat Intelligence

PULSE NAME

Unmasking Phishing: Strategies for identifying 0ktapus domains and beyond

WHITE Scattered Spider AlienVault 2024-11-07 Modified: 2024-12-07

223

IOCs

HIGH VOLUME

This analysis examines phishing tactics used by threat actors, particularly focusing on the 0ktapus group. It outlines techniques for investigating phishing campaigns by pivoting between landing pages, using 0ktapus as a case study. The methods discussed include application fingerprinting, network profiling, and domain registration analysis. The research reveals various DOM templates used by 0ktapus over time and provides insights into their infrastructure and tactics. The article also offers recommendations for prevention and detection of phishing attacks, emphasizing the importance of MFA, SSO, and continuous vigilance in cybersecurity practices.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1583 T1589 T1584 T1586 T1608 T1591 T1606 T1566 T1078 T1585

Indicators of Compromise (223)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	1d05a83a639031913574c0bbb06026a4	—	2024-11-07
FileHash-MD5	586bd54b564926682b75330b190cbace	—	2024-11-07
FileHash-SHA1	9063d16dbc1fb59c9e9e310e4c962fc435c533b9	—	2024-11-07
FileHash-SHA1	c7244fa49afee3ad28e0014ecbf2a4259bfe4f17	—	2024-11-07
FileHash-SHA256	00cc2176062c84db97399bb8761803d15ad1edf4b23eccb74979bb79d2a483ab	—	2024-11-07
FileHash-SHA256	0acb0fc9762e4359f562794011d77317c78f7b68cec08b715d98ed16ba761fac	—	2024-11-07
FileHash-SHA256	0cea1ff596fe9a73f77bcd99ec9c77b69c27408a1b1c1c756300ef3db4c3c41f	—	2024-11-07
FileHash-SHA256	1d55d14c08eb1d61344f19d17f48b81cca3c4a24f54a0ee3707cf59b296db314	—	2024-11-07
FileHash-SHA256	1f28bdadbf55e8c7023c4ac754eb963b776847e2d1826d8cf396b01807185f70	—	2024-11-07
FileHash-SHA256	2d640430ec60721437ca4d5ff64d16cb0d3febce2e206fa749a9f8e007f9a5ae	—	2024-11-07
FileHash-SHA256	3aeba4ab4ed3a5005444f108e6e54bc50c8c02421c1e6cfceab915e1de5cf862	—	2024-11-07
FileHash-SHA256	436831126b5851ba76cd7bedc687ef08538fc639f7cc5e8665488aecfaeaf735	—	2024-11-07
FileHash-SHA256	46e7cf1fb46a73f098fa6f0f46732bdd298af690ec1452fac9b97884ca8b5a39	—	2024-11-07
FileHash-SHA256	4ae2d449cc534f746e351500a78ed83b2b4555cdf22a49e2e5ef48b10ec55bd6	—	2024-11-07
FileHash-SHA256	53bb86ab4f9bf507d1f186b5be98f80960db4243afead96ef8ce6eafb2346587	—	2024-11-07
FileHash-SHA256	5dd491b89daadabfe8419d5d1e436a6dd9b4eea25fc4ba5898e6a1bca34f06e9	—	2024-11-07
FileHash-SHA256	6604762c149476ff2f833b336d5077d2ac349bccacdf70eb86af28105028fbe0	—	2024-11-07
FileHash-SHA256	695bd0671a2d91d7087abb3c314f59cca2b52f05411aca478e208c4648616486	—	2024-11-07
FileHash-SHA256	69b575025bd763e58fcb95035b9b6e358f43737d91e01ebdaa19934e0206a966	—	2024-11-07
FileHash-SHA256	7d7ab8c1e2e469539e0d85d2b2166238c71bfd40ae7a373babf3744fc89a0ef8	—	2024-11-07
FileHash-SHA256	807865ab553996e521995c6624a41e026ef06f5370e1cad6a9647a68f7474798	—	2024-11-07
FileHash-SHA256	8293806652949fc5056d2b841ad30010a8e83e0e6adfb102ef83c73bdea074eb	—	2024-11-07
FileHash-SHA256	8683370db6d2b7f5137199f0a6b012fcd09cfff6afb30064a23b3339927ed9c9	—	2024-11-07
FileHash-SHA256	9833c1b277759b26478c88afe74680d5fbf3efff535dd803b1a3ebe4e7b8d466	—	2024-11-07
FileHash-SHA256	9fea58b71ce27a360735a0ebe4badb2f0e1d17ed1b4baa229a568aec987c802c	—	2024-11-07
FileHash-SHA256	a226437823c213da4b2f4cfdedc87bfa88204b17a0aebca1a33c3d6055178616	—	2024-11-07
FileHash-SHA256	a23a15cf02ff5bfdf1b51335af4b91ca96c436781b9791280ab8c470643d07d7	—	2024-11-07
FileHash-SHA256	ab9f02f9eae92f52c983e18dafa2142203afe96a4f4a2390e061812989186e77	—	2024-11-07
FileHash-SHA256	af1ddeab240bc7321e8c3dfc400ac8273e03af1ce0da9ed73e47570189795e4c	—	2024-11-07
FileHash-SHA256	c05d6607585f882476b6b7c9a39fd0bd2bb7ced3e469d5312971971048e2c594	—	2024-11-07
FileHash-SHA256	c1e6d17cdae38320041149688fdab35409c2d466319873f33390b801b130dae4	—	2024-11-07
FileHash-SHA256	c8ff5a54213c5ac0146b1ffe36974b07113f9f7060f951d5f80b93befa3b03f2	—	2024-11-07
FileHash-SHA256	ce91909e4a421b6377468d22c6d68438da717c300a1b1326177aab3d01b5abee	—	2024-11-07
FileHash-SHA256	d03ce20518692e3c2adc3f578ba92cab5e19f014664438b729d431a24be1823f	—	2024-11-07
FileHash-SHA256	d6cbc900942061d85477bda4dbfd7f77d823e8c08ebe80e1f9ff10bec20b5172	—	2024-11-07
FileHash-SHA256	dd4782fc37ada8c2411fd65877eb3c3199aa67224ffa6c65b81c2e4b8658f727	—	2024-11-07
FileHash-SHA256	e534b01f04ad4721f7cde5e173a1098ae537d0f84a30d908d0eddae6a2fc4514	—	2024-11-07
FileHash-SHA256	f8b7bb31e7e8c574d74e52eba7dcf3de48c7f5fa6d39d64685d39355d688defb	—	2024-11-07
domain	account-sendgrid.com	—	2024-11-07
domain	activecampaign-hr.com	—	2024-11-07
domain	activecampaignhr.com	—	2024-11-07
domain	activecampainhr.com	—	2024-11-07
domain	acwa-apple.com	—	2024-11-07
domain	acwa-internal.com	—	2024-11-07
domain	adasupport-okta.com	—	2024-11-07
domain	alchemy-okta.com	—	2024-11-07
domain	ally-hr.com	—	2024-11-07
domain	amica-hr.com	—	2024-11-07
domain	apple-vpn.com	—	2024-11-07
domain	auth-alchemy.com	—	2024-11-07
domain	binance-sso.com	—	2024-11-07
domain	binance-us-okta.com	—	2024-11-07
domain	block-hr.com	—	2024-11-07
domain	block-sso.com	—	2024-11-07
domain	calendar-dd.com	—	2024-11-07
domain	cashsso.com	—	2024-11-07
domain	cellularsaies.com	—	2024-11-07
domain	cinfin-hr.com	—	2024-11-07
domain	clicksend-staging.com	—	2024-11-07
domain	commonspiritcorp-okta.com	—	2024-11-07
domain	concentrix-servicedesk.com	—	2024-11-07
domain	condenast-hub-okta-emea.com	—	2024-11-07
domain	connect-asurion.net	—	2024-11-07
domain	consensys-okta.com	—	2024-11-07
domain	contact-sendgrid.com	—	2024-11-07
domain	corescientific-okta.com	—	2024-11-07
domain	corp-cox.com	—	2024-11-07
domain	corp-foundever.com	—	2024-11-07
domain	corp-foundever.net	—	2024-11-07
domain	corporate-ally.com	—	2024-11-07
domain	corporate-huntington.com	—	2024-11-07
domain	dashboard-mailgun.com	—	2024-11-07
domain	docusign-okta.com	—	2024-11-07
domain	docusignhq.net	—	2024-11-07
domain	epic-servicedesk.com	—	2024-11-07
domain	expediagroup-servicenow.com	—	2024-11-07
domain	fico-servicenow.com	—	2024-11-07
domain	five9-hr.com	—	2024-11-07
domain	forward-icloud.com	—	2024-11-07
domain	foundever-sso.com	—	2024-11-07
domain	galaxy-okta.com	—	2024-11-07
domain	gd-okta.com	—	2024-11-07
domain	gemini-sso.com	—	2024-11-07
domain	gofundme-okta.com	—	2024-11-07
domain	grayscale-okta.com	—	2024-11-07
domain	grid-review.com	—	2024-11-07
domain	grubhub-support.com	—	2024-11-07
domain	grubhubsso.com	—	2024-11-07
domain	hanover-hr.com	—	2024-11-07
domain	hr-gnc.com	—	2024-11-07
domain	ibexgiobal.com	—	2024-11-07
domain	intercom-hr.com	—	2024-11-07
domain	intercom-okta.com	—	2024-11-07
domain	intercomsso.net	—	2024-11-07
domain	itbit-okta.com	—	2024-11-07
domain	jacksonhewitt-service.com	—	2024-11-07
domain	klav-workday.com	—	2024-11-07
domain	klaviyo-hr.com	—	2024-11-07
domain	klaviyo-vpn.com	—	2024-11-07
domain	klaviyocorp.net	—	2024-11-07
domain	louisvuitton-okta.com	—	2024-11-07
domain	luno-okta.com	—	2024-11-07
domain	manageactivity-sendgrid.com	—	2024-11-07
domain	markel-hr.com	—	2024-11-07
domain	mcointernal-okta.com	—	2024-11-07
domain	mercury-hr.com	—	2024-11-07
domain	mgmresorts-okta.com	—	2024-11-07
domain	mixpanel-okta.com	—	2024-11-07
domain	mutualofomaha-hr.com	—	2024-11-07
domain	newyorklifehr.com	—	2024-11-07
domain	nfp-hr.com	—	2024-11-07
domain	nike-support.com	—	2024-11-07
domain	okta-blockdaemon.com	—	2024-11-07
domain	okta-campaignmonitor.com	—	2024-11-07
domain	okta-cbhq.net	—	2024-11-07
domain	okta-gamestop.com	—	2024-11-07
domain	okta-intercom.com	—	2024-11-07
domain	okta-nydig.com	—	2024-11-07
domain	okta-onsolve.com	—	2024-11-07
domain	okta-ouryahoo.com	—	2024-11-07
domain	okta-ripple.com	—	2024-11-07
domain	okta-twilio.com	—	2024-11-07
domain	okta-verify.com	—	2024-11-07
domain	onsolve-okta.com	—	2024-11-07
domain	ouryahoo-okta.com	—	2024-11-07
domain	ouryahoo-okta.net	—	2024-11-07
domain	ouryahoo-okta.org	—	2024-11-07
domain	paxos-okta.com	—	2024-11-07
domain	pfchangs-support.com	—	2024-11-07
domain	podium-hr.com	—	2024-11-07
domain	prntsrc.net	—	2024-11-07
domain	rbx-corp.com	—	2024-11-07
domain	rbx-hr.com	—	2024-11-07
domain	rbx-servicedesk.com	—	2024-11-07
domain	rbxhr.net	—	2024-11-07
domain	rejectauth-sendgrid.com	—	2024-11-07
domain	resolveservicedesk.com	—	2024-11-07
domain	review-mailgun.com	—	2024-11-07
domain	revolut-ticket.com	—	2024-11-07
domain	ripple-okta.com	—	2024-11-07
domain	robinhood-servicedesk.com	—	2024-11-07
domain	roblox-hrs.com	—	2024-11-07
domain	sendgrid-account.com	—	2024-11-07
domain	sendgrid-overview.com	—	2024-11-07
domain	servicenowprod.com	—	2024-11-07
domain	sessions-sendgrid.com	—	2024-11-07
domain	settings-okta.com	—	2024-11-07
domain	sharing-folders.com	—	2024-11-07
domain	snapchat-okta.com	—	2024-11-07
domain	squarespace-hr.com	—	2024-11-07
domain	squarespace-okta.com	—	2024-11-07
domain	squarespacehr.com	—	2024-11-07
domain	sso-falconx.com	—	2024-11-07
domain	sso-klaviyo.com	—	2024-11-07
domain	stargate-okta.com	—	2024-11-07
domain	stargate-sso.com	—	2024-11-07
domain	stargatesso-gemini.com	—	2024-11-07
domain	stargatesso.com	—	2024-11-07
domain	storewatch-tmobile.com	—	2024-11-07
domain	sunrise-crypto.com	—	2024-11-07
domain	supporthub-iqor.com	—	2024-11-07
domain	sync-apple.com	—	2024-11-07
domain	t-mobiie.net	—	2024-11-07
domain	t-mobile-okta.com	—	2024-11-07
domain	teleperformance-incident.com	—	2024-11-07
domain	telesignhr.com	—	2024-11-07
domain	telint-helpdesk.com	—	2024-11-07
domain	thrivent-hr.com	—	2024-11-07
domain	transamerica-hr.com	—	2024-11-07
domain	twillio-sendgrid.com	—	2024-11-07
domain	twitter-okta.com	—	2024-11-07
domain	typeform-okta.com	—	2024-11-07
domain	ultahub.com	—	2024-11-07
domain	ultainternal.com	—	2024-11-07
domain	unchainedprod-okta.com	—	2024-11-07
domain	unumhr.com	—	2024-11-07
domain	uscc-hr.com	—	2024-11-07
domain	uscellular-sso.com	—	2024-11-07
domain	verify-mailgun.com	—	2024-11-07
domain	verify-tmobile.com	—	2024-11-07
domain	vzapps-vzn.com	—	2024-11-07
domain	xapo-okta.com	—	2024-11-07
domain	zendesk-servicedesk.com	—	2024-11-07
domain	ziffdavis-okta.com	—	2024-11-07
hostname	account.kemper-support.com	—	2024-11-07
hostname	account.klaviyo-hr.com	—	2024-11-07
hostname	account.securian-hr.com	—	2024-11-07
hostname	login.ally-hr.com	—	2024-11-07
hostname	login.block-hr.com	—	2024-11-07
hostname	login.corporate-ally.com	—	2024-11-07
hostname	login.corporate-pnc.com	—	2024-11-07
hostname	login.doordash-support.com	—	2024-11-07
hostname	login.five9-hr.com	—	2024-11-07
hostname	login.grubhub-support.com	—	2024-11-07
hostname	login.hr-intercom.com	—	2024-11-07
hostname	login.klaviyo-hr.com	—	2024-11-07
hostname	login.nfp-hr.com	—	2024-11-07
hostname	login.rbx-hr.com	—	2024-11-07
hostname	login.realogy-hr.com	—	2024-11-07
hostname	login.securian-hr.com	—	2024-11-07
hostname	login.servicenow-help.com	—	2024-11-07
hostname	login.suniife.com	—	2024-11-07
hostname	login.synchronyfinanciai.com	—	2024-11-07
hostname	login.thrivent-hr.com	—	2024-11-07
hostname	login.transamerica-hr.com	—	2024-11-07
hostname	login.unum-hr.com	—	2024-11-07
hostname	login.unumhr.com	—	2024-11-07
hostname	login.uscc-hr.com	—	2024-11-07
hostname	louisvuitton.okta-lv.com	—	2024-11-07
hostname	okta.cellularsaies.com	—	2024-11-07
hostname	ouryahoo.okta.com.shortid.support	—	2024-11-07
hostname	ping.taskus-sso.com	—	2024-11-07
hostname	rbx.okta.bio	—	2024-11-07
hostname	sso.ibexgiobal.com	—	2024-11-07
hostname	tickets.zapto.org	—	2024-11-07
hostname	www.authenticate-bt.com	—	2024-11-07
hostname	www.dashsso.com	—	2024-11-07
FileHash-SHA256	95a0eca17ee49bebb333bbb1c96ab54ed361c2f233b2adf8c4374814c633a53b	—	2024-11-07
FileHash-SHA256	98ca25eef00efcafee4f9cb07908776d0ad976296a5e6eb07a724c31ae4bfc61	—	2024-11-07
FileHash-SHA256	fb1d07ab6c54c7380a93a507b48bc5ba0aee77ca32b7d4c57c38f007857a6fd1	—	2024-11-07
domain	att-mfa.com	—	2024-11-07
domain	mailgun-okta.com	—	2024-11-07
hostname	ns3.my-ndns.com	—	2024-11-07

References (1)

↗ https://www.wiz.io/blog/unmasking-phishing-strategies-for-identifying-0ktapus-domains