Cybercriminals are raising the stakes in phone‑based fraud by deploying increasingly sophisticated phishing kits that adapt in real time to what victims say on the phone. Security researchers warn that these tailored tools don’t just steal login credentials—they can bypass multi‑factor authentication (MFA) and manipulate victims with unprecedented precision.
Phishing Kits Supercharge Phone Scams
Experts at Okta Threat Intelligence have analyzed a series of phishing kits designed specifically for phone‑based social engineering. These tools allow scammers—who typically pose as IT support or official service staff—to guide victims to a fake login page while staying on the phone. Behind the scenes, the phishing kit mirrors the victim’s actions and dynamically adjusts the fraudulent website to match the ongoing conversation.
Here’s how it works:
- As soon as a victim enters a username and password, the kit forwards the data instantly to the attacker.
- The attacker attempts to log in to the real service and sees which MFA challenge appears.
- The phishing page is then modified in real time to mimic that exact MFA request.
If the victim receives a push notification, the scammer urges them to approve it. Even number‑matching push prompts can be exploited—victims simply type the displayed code into the fake site, handing it directly to the attacker.
Why Traditional Verification Is No Longer Enough
“This real‑time session orchestration gives social engineers a new level of control and visibility,” Okta’s analysts explain. Attackers know exactly which applications a victim uses and often impersonate internal IT departments or official support lines. They spoof phone numbers, create urgency, and pressure victims into acting quickly.
Because the phishing kits can replicate MFA prompts so convincingly, classic verification steps—like checking for a login request—are no longer reliable safeguards.
How to Protect Yourself
Experts recommend switching to phishing‑resistant authentication methods such as passkeys or hardware‑based security keys. These technologies bind the login process to a specific device or cryptographic proof, making them far harder to manipulate through a phone call.
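To make the contrast concrete, here is a small Python simulation, added as an example and not code from Okta or futurezone, that models the real-time relay described above (a code typed into the fake page is forwarded as-is) beside the origin binding that lets passkeys/WebAuthn resist it. RP_ID, REAL_ORIGIN and PHISH_ORIGIN are assumed/constructed values, and the signature check a real WebAuthn verifier performs is omitted to keep the block short.

```python
import hashlib
import json
import secrets
from urllib.parse import urlsplit

# Assumed relying party and a constructed phishing origin; both values are illustrative.
RP_ID = "example.com"
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://example-support-login.invalid"  # constructed stand-in for a scam page
RP_ID_HASH = hashlib.sha256(RP_ID.encode()).digest()

def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes) -> dict:
    """Simulates navigator.credentials.get(): the browser writes the real page origin into
    clientDataJSON and refuses an rpId that is not the page's host or a parent domain of it."""
    host = urlsplit(page_origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"SecurityError: rpId {rp_id!r} is not valid for {page_origin!r}")
    client_data = {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin}
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags (UP set)
    return {"clientDataJSON": json.dumps(client_data), "authenticatorData": auth_data}

def rp_verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple:
    """Server-side checks that bind the response to the genuine origin. The signature over
    authenticatorData || sha256(clientDataJSON) is omitted here to keep the example short."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge.hex():
        return False, "wrong ceremony type or stale/replayed challenge"
    if cd.get("origin") != REAL_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["authenticatorData"][:32] != RP_ID_HASH:
        return False, "rpIdHash mismatch"
    return True, "ok"

def relay_outcomes() -> dict:
    """What the real service accepts when the victim interacts with the fake page instead."""
    challenge = secrets.token_bytes(32)
    # A number-matching or SMS code is a bare string: nothing ties it to the page it was typed on.
    out = {"otp_relay_accepted": secrets.compare_digest("482913", "482913")}
    try:  # a page on the scam origin cannot even request an assertion scoped to example.com
        browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge)
        out["passkey_blocked_by_browser"] = False
    except PermissionError:
        out["passkey_blocked_by_browser"] = True
    # Even a response minted on the scam origin, with the real rpIdHash patched in, fails at the RP.
    forged = browser_get_assertion(PHISH_ORIGIN, urlsplit(PHISH_ORIGIN).hostname, challenge)
    forged["authenticatorData"] = RP_ID_HASH + b"\x01"
    out["passkey_relay_accepted"] = rp_verify_assertion(forged, challenge)[0]
    out["genuine_login_accepted"] = rp_verify_assertion(browser_get_assertion(REAL_ORIGIN, RP_ID, challenge), challenge)[0]
    return out
```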
Additional precautions include:
- Treating unexpected support calls with skepticism
- Never sharing login credentials or MFA codes over the phone
- Accessing login pages only through official websites, not links provided during a call
For organizations, Okta advises implementing strict network access rules and allowing only verified, trusted connections to reduce the attack surface.
Source: futurezone.com
