
Why did they need to call? They could’ve phished the password and MFA by simply MITMing?

Perhaps we need a distinction between phishable MFA and unphishable U2F/WebAuthn-style MFA.
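To make the phishable/unphishable distinction concrete, here is an added example (not code from the original thread or from any vendor) that models both factors against an adversary-in-the-middle proxy. The domains, secrets and challenge string are constructed for the demo, and the WebAuthn "signature" is an HMAC standing in for the real ECDSA signature so the block runs with the standard library only; the structure of what gets signed and checked follows the WebAuthn assertion verification steps.

```python
import hashlib
import hmac
import json
import struct
import time

# Constructed identifiers for the demo; not taken from the incident write-up.
RP_ORIGIN = "https://login.example.com"          # the real login page
RP_ID = "example.com"                            # WebAuthn relying-party ID
PHISH_ORIGIN = "https://login.example-phish.com" # attacker's AitM proxy
TOTP_SECRET = b"constructed-demo-seed-0001"
CRED_KEY = b"constructed-demo-credential-key"    # stands in for the ECDSA key pair

# ---- Factor 1: RFC 6238 TOTP (phishable) ----
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def idp_verify_totp(submitted: str, now: int) -> bool:
    # The IdP sees only six digits; nothing says where the user typed them.
    return hmac.compare_digest(submitted, totp(TOTP_SECRET, now))

def relay_totp_through_proxy(now: int = None) -> bool:
    now = int(time.time()) if now is None else now
    code_typed_into_phish_page = totp(TOTP_SECRET, now)     # victim reads it off their app
    return idp_verify_totp(code_typed_into_phish_page, now)  # proxy forwards it: accepted

# ---- Factor 2: WebAuthn assertion (origin-bound) ----
def browser_get_assertion(page_origin: str, rp_id: str, challenge: str):
    """Models navigator.credentials.get(): the *browser* fills in the origin and
    refuses unless rp_id is the page's host or a registrable suffix of it."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("rpId not valid for this origin")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":")).encode()
    # authenticatorData = sha256(rpId) || flags (UP set) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()  # HMAC stands in for ECDSA
    return client_data, auth_data, sig

def rp_verify_assertion(client_data: bytes, auth_data: bytes, sig: bytes,
                        expected_challenge: str) -> str:
    """Returns 'ok' or the name of the first check that failed."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "type"
    if cd.get("challenge") != expected_challenge:
        return "challenge"
    if cd.get("origin") != RP_ORIGIN:          # this is what defeats the proxy
        return "origin"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash"
    signed = auth_data + hashlib.sha256(client_data).digest()
    if not hmac.compare_digest(sig, hmac.new(CRED_KEY, signed, hashlib.sha256).digest()):
        return "signature"
    return "ok"

def legit_webauthn_login() -> str:
    challenge = "c0ffee-real-challenge"   # constructed; real RPs use random bytes
    return rp_verify_assertion(*browser_get_assertion(RP_ORIGIN, RP_ID, challenge), challenge)

def phish_webauthn_via_proxy() -> str:
    challenge = "c0ffee-real-challenge"   # the proxy relays the IdP's real challenge
    try:
        # Attempt 1: the phishing page asks for the real rpId; the browser refuses.
        browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge)
    except ValueError:
        pass
    # Attempt 2: use an rpId the phishing host may claim (a real authenticator
    # would hold no credential for it at all); the RP then rejects the origin.
    assertion = browser_get_assertion(PHISH_ORIGIN, "example-phish.com", challenge)
    return rp_verify_assertion(*assertion, challenge)
```

The TOTP path succeeds for the proxy because the code carries no information about the page it was entered on, which is also why a code read out over a phone call works just as well. The WebAuthn path fails twice over: the browser will not produce an assertion for `example.com` from a page on another host, and even a replayed assertion names its origin inside the signed `clientDataJSON`, so the relying party rejects it before looking at the signature.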



> The caller claimed to be one of the members of the IT team, and deepfaked our employee’s actual voice. The voice was familiar with the floor plan of the office, coworkers, and internal processes of the company. Throughout the conversation, the employee grew more and more suspicious, but unfortunately did provide the attacker one additional multi-factor authentication (MFA) code.

> The additional OTP token shared over the call was critical, because it allowed the attacker to add their own personal device to the employee’s Okta account, which allowed them to produce their own Okta MFA from that point forward.

They needed to have a couple of minutes to set things up from their end, and then ask for the second OTP code. A phone call works well for that.
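The sequence described above (an MFA login from the attacker's side, then a second code used a few minutes later to enrol the attacker's own device) is also a detectable pattern in identity-provider logs. The following is an added example, not code from the thread or from Okta: a small rule over constructed events shaped loosely like Okta System Log entries. The field names and event types (`user.authentication.auth_via_mfa`, `user.mfa.factor.activate`) are assumptions for the demo and should be checked against your own export.

```python
from datetime import datetime, timedelta

# Constructed sample events (RFC 5737 documentation addresses); field names are
# assumptions for the demo, not a guaranteed match for any vendor's schema.
EVENTS = [
    {"published": "2023-08-27T08:00:00+00:00", "eventType": "user.session.start",
     "actor": "alice", "ip": "203.0.113.10"},
    {"published": "2023-08-27T09:30:00+00:00", "eventType": "user.session.start",
     "actor": "bob", "ip": "203.0.113.22"},
    # attacker logs in with the phished OTP from an address alice never used ...
    {"published": "2023-08-27T10:00:00+00:00", "eventType": "user.authentication.auth_via_mfa",
     "actor": "alice", "ip": "198.51.100.7"},
    # ... and three minutes later uses the code obtained by phone to enrol a device
    {"published": "2023-08-27T10:03:00+00:00", "eventType": "user.mfa.factor.activate",
     "actor": "alice", "ip": "198.51.100.7"},
    # benign: bob enrols a new phone from the address he always uses
    {"published": "2023-08-27T10:10:00+00:00", "eventType": "user.authentication.auth_via_mfa",
     "actor": "bob", "ip": "203.0.113.22"},
    {"published": "2023-08-27T10:12:00+00:00", "eventType": "user.mfa.factor.activate",
     "actor": "bob", "ip": "203.0.113.22"},
]

def suspicious_enrollments(events, window=timedelta(minutes=10), baseline=timedelta(hours=24)):
    """Flag a factor enrolment when (a) it comes from an IP the user had not used
    in the baseline period before the window, and (b) an MFA login from that same
    new IP happened within `window` before it. Returns (actor, ip, published)."""
    ev = sorted(events, key=lambda e: e["published"])
    hits = []
    for i, e in enumerate(ev):
        if e["eventType"] != "user.mfa.factor.activate":
            continue
        t = datetime.fromisoformat(e["published"])
        # IPs the user was seen from before the suspicious window opened
        known_ips = {p["ip"] for p in ev[:i]
                     if p["actor"] == e["actor"]
                     and t - baseline <= datetime.fromisoformat(p["published"]) < t - window}
        if e["ip"] in known_ips:
            continue
        recent_mfa = any(p["actor"] == e["actor"] and p["ip"] == e["ip"]
                         and p["eventType"] == "user.authentication.auth_via_mfa"
                         and t - window <= datetime.fromisoformat(p["published"]) <= t
                         for p in ev[:i])
        if recent_mfa:
            hits.append((e["actor"], e["ip"], e["published"]))
    return hits

if __name__ == "__main__":
    for actor, ip, when in suspicious_enrollments(EVENTS):
        print(f"ALERT: {actor} enrolled a new factor from unseen IP {ip} at {when}")
```

The rule deliberately keys on the enrolment step rather than the login, because the login alone looks like any other successful MFA authentication; it is the new factor, added from an address the user had no history with, that turns a single phished code into persistent access. Users with no baseline history will always look "new", so in practice you would suppress those or require a longer baseline.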


Ahh, thanks and apologies for not re-reading before asking.

That is indeed interesting; keep the con going a bit longer to get a proper foothold.



