Question regarding 2021 Common Threats - SSO Attack

Answered

Tyler Woodrick

December 04, 2020 16:12

Greetings, everyone.  I am watching 2021 Common Threats - SSO attack - using Okta SSO as an example...

This module shows a victim receiving an 'Okta App Resync' email with an embedded button in the email.  Upon hovering the button, it shows the link points to URL:  hxxps://okta-target.okta.com.  Upon clicking this button, victim is redirected to hxxps://target-us.okta.group - in which the victim logs in, authenticates with 2fa, and has credentials and session token stolen.

I am guessing that hxxps://target-us.okta.group is the spoofed site that steals the credentials and session key.

Attacker then logs into hxxps://target-us.okta.com/ using the stolen key and is able to hijack the users active session.

Sounds like an MITM attack to me... But I am confused because okta-target subdomain and okta.com domain are legit login sources.

How is this possible to achieve without there being "more to the story" such as URL redirection malware installed on machine or the okta domain was hijacked or something...

Am I missing something here? Any help would be appreciated.  We like to keep a "healthy paranoia" level when it comes to phishing attacks and this module has some employees here very worried about every link now.

 

Thank you

3

• 

  Eric Weston March 01, 2021 18:57

  I have the same concerns with this training. It doesn't really explain how the attack is accomplished. What I see happening is employees will now think that even legitimate domains can no longer be trusted which is contrary to other phish trainings in the Knowbe4 library. 

  0

  Comment actions Permalink
• 

  Walter Nelson March 02, 2021 16:10

  Hi Eric,

  This feedback has been passed along to our course development team for review. Thank you for posting.

  0

  Comment actions Permalink
• 

  Josh Rountree March 11, 2021 18:26

  I share the same feedback as others, there's definitely something missing here. I'm assuming there was malware already on the computer and that's how the session cookie was stolen?

  0

  Comment actions Permalink
• 

  Walter Nelson March 15, 2021 16:38

  Hi Josh,

  Thanks for posting I have passed your feedback on as well.

  0

  Comment actions Permalink
• 

  Paul Chauvet April 13, 2021 14:30

  I agree with the others here - there has to be something missing here (though what's missing could be a gap in my knowledge of course).

  Would love to get an update to this or a further explanation of what Mitnick is doing in that module.

  0

  Comment actions Permalink
• 

  Walter Nelson April 14, 2021 14:27

  Hi Paul,

  Thanks for posting. I sent your feedback to our course development team who noted that while we would not be re-recording this module we will make sure to have Kevin do a better job of explaining what exactly he is doing in the next 2022 release of this to hopefully give more clarity.

  0

  Comment actions Permalink

Please sign in to leave a comment.