Jan 23
Okta Exposes New "Vishing" Kits That Hijack Browsers in Real-Time
Okta Threat Intelligence has uncovered a new generation of custom phishing kits specifically engineered to support voice-based social engineering, or "vishing," campaigns. These tools, now sold on an "as-a-service" basis, let attackers orchestrate a victim's web browser session in real time, effectively bypassing standard Multi-Factor Authentication (MFA) protections on major platforms such as Google, Microsoft, and Okta.
These newly analyzed kits represent a significant evolution in cybercrime tooling, moving beyond static phishing pages to dynamic, interactive interfaces designed to synchronize perfectly with a fraudster’s phone script. According to Okta's analysis, the kits are increasingly being adopted by intrusion actors targeting cryptocurrency providers and corporate identity systems. The core innovation lies in "session orchestration," a feature that allows the attacker—who is speaking to the victim on the phone—to manually control what the victim sees in their browser. This capability bridges the gap between the attacker obtaining a password and successfully defeating the subsequent MFA challenge. Moussa Diallo, a threat researcher at Okta Threat Intelligence, noted that once an attacker is in the "driver's seat" of these tools, they can manipulate the authentication flow to match whatever legitimate challenges the system presents, creating a veneer of plausibility that is difficult for users to question.
The attack lifecycle typically begins with reconnaissance, followed by a phone call where the threat actor spoofs a corporate support number. Once the victim is convinced to visit a fraudulent support site, the phishing kit captures their credentials and forwards them to the attacker via Telegram. Crucially, as the attacker attempts to log in to the legitimate service and encounters an MFA prompt, they can instantly update the victim's phishing page to request that specific verification—whether it be a one-time passcode or a push notification. The analysis highlights that even push notifications with number matching, often considered more secure, are vulnerable to this method because the attacker can simply verbally instruct the victim to select the correct number. Diallo warns that this is just the beginning of a wave of voice-enabled phishing, with expertise and bespoke panels now being commoditized and sold to a wider range of criminals.
To combat this rising threat, Okta emphasizes that standard MFA methods are no longer sufficient against determined human adversaries equipped with these tools. The primary recommendation for defenders is the enforcement of phishing-resistant authentication methods, such as Okta FastPass or FIDO passkeys, which rely on cryptographic proof rather than user input. Additionally, security teams are advised to implement strict network zoning and allowlisting to block traffic from anonymizing services frequently used by threat actors. Some financial institutions are also beginning to experiment with "live caller checks," allowing users to verify the identity of a support agent through their mobile app, adding a layer of trust that bypasses the phone network entirely.
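Why the recommended phishing-resistant methods hold up where OTPs and push approvals do not: in a WebAuthn/FIDO assertion the browser, not the user, records the origin it is actually on, and the authenticator signs over that record plus the hash of the relying party's domain, so an assertion produced on a lure site cannot be replayed against the real service. The model below is an added example written for this page, not code from Okta or the analysed kits; the domains, challenge and HMAC key are constructed, and the HMAC stands in for the authenticator's asymmetric signature.

```python
import hashlib
import hmac
import json

RP_ID = "login.example.com"                          # constructed relying-party ID
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://support-example-helpdesk.test"  # constructed lure origin
KEY = b"constructed-key-standing-in-for-the-authenticator-EC-keypair"


def authenticator_assert(origin: str, challenge: str) -> dict:
    """Model of the browser + authenticator side of navigator.credentials.get().
    The browser fills in the origin the page is really served from; the user
    has no way to type a different one. The authenticator then signs over
    rpIdHash || sha256(clientDataJSON). (Flags and counter are omitted.)"""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    rp_id = origin.split("://", 1)[1]                # browser derives RP ID from the page host
    auth_data = hashlib.sha256(rp_id.encode()).digest()
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(KEY, signed, hashlib.sha256).digest()}


def rp_verify(assertion: dict, expected_challenge: str) -> bool:
    """Relying-party checks from the WebAuthn ceremony that make a relayed
    or attacker-solicited assertion worthless to the caller on the phone."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge:   # stops replay of an old assertion
        return False
    if cd.get("origin") != RP_ORIGIN:               # assertion was made on a lure site
        return False
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                                # rpIdHash is for another domain
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["sig"])


def otp_relay_succeeds(code_victim_reads_out: str, code_service_expects: str) -> bool:
    """Contrast: a one-time code is plain user input. Nothing binds it to the
    origin the victim was on, so a code read aloud to the caller verifies."""
    return code_victim_reads_out == code_service_expects


def demo() -> tuple:
    challenge = "c3R1YiBjaGFsbGVuZ2U"               # constructed server challenge
    genuine = rp_verify(authenticator_assert(RP_ORIGIN, challenge), challenge)
    from_lure = rp_verify(authenticator_assert(PHISH_ORIGIN, challenge), challenge)
    return genuine, from_lure                       # (True, False)
```

The same challenge is used in both calls to show that even a live-relayed challenge does not help the caller: the origin and rpIdHash checks fail independently of the signature.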
Executive IT Forums, Inc.
Copyright © 2026 Executive IT Forums, Inc. All Rights Reserved.