Question regarding 2021 Common Threats - SSO Attack

Vastattu

Tyler Woodrick

04. jouluk. 2020, 16.12

Greetings, everyone.  I am watching 2021 Common Threats - SSO attack - using Okta SSO as an example...

This module shows a victim receiving an 'Okta App Resync' email with an embedded button in the email.  Upon hovering the button, it shows the link points to URL:  hxxps://okta-target.okta.com.  Upon clicking this button, victim is redirected to hxxps://target-us.okta.group - in which the victim logs in, authenticates with 2fa, and has credentials and session token stolen.

I am guessing that hxxps://target-us.okta.group is the spoofed site that steals the credentials and session key.

Attacker then logs into hxxps://target-us.okta.com/ using the stolen key and is able to hijack the users active session.

Sounds like an MITM attack to me... But I am confused because okta-target subdomain and okta.com domain are legit login sources.

How is this possible to achieve without there being "more to the story" such as URL redirection malware installed on machine or the okta domain was hijacked or something...

Am I missing something here? Any help would be appreciated.  We like to keep a "healthy paranoia" level when it comes to phishing attacks and this module has some employees here very worried about every link now.

 

Thank you

3

• 

  Eric Weston 01. maalisk. 2021, 18.57

  I have the same concerns with this training. It doesn't really explain how the attack is accomplished. What I see happening is employees will now think that even legitimate domains can no longer be trusted which is contrary to other phish trainings in the Knowbe4 library. 

  0

  Kommenttitoiminnot Pysyvä linkki
• 

  Walter Nelson 02. maalisk. 2021, 16.10

  Hi Eric,

  This feedback has been passed along to our course development team for review. Thank you for posting.

  0

  Kommenttitoiminnot Pysyvä linkki
• 

  Josh Rountree 11. maalisk. 2021, 18.26

  I share the same feedback as others, there's definitely something missing here. I'm assuming there was malware already on the computer and that's how the session cookie was stolen?

  0

  Kommenttitoiminnot Pysyvä linkki
• 

  Walter Nelson 15. maalisk. 2021, 16.38

  Hi Josh,

  Thanks for posting I have passed your feedback on as well.

  0

  Kommenttitoiminnot Pysyvä linkki
• 

  Paul Chauvet 13. huhtik. 2021, 14.30

  I agree with the others here - there has to be something missing here (though what's missing could be a gap in my knowledge of course).

  Would love to get an update to this or a further explanation of what Mitnick is doing in that module.

  0

  Kommenttitoiminnot Pysyvä linkki
• 

  Walter Nelson 14. huhtik. 2021, 14.27

  Hi Paul,

  Thanks for posting. I sent your feedback to our course development team who noted that while we would not be re-recording this module we will make sure to have Kevin do a better job of explaining what exactly he is doing in the next 2022 release of this to hopefully give more clarity.

  0

  Kommenttitoiminnot Pysyvä linkki

Kirjaudu sisään jättääksesi kommentin.