Key Takeaways:
- Custom voice-phishing kits are being sold on dark web forums and messaging platforms, making it easier for criminals to commit social engineering scams and identity fraud.
- These kits include real-time assistance to help attackers intercept users’ credentials and multi-factor authentication codes.
- The kits can mimic the authentication flows of identity providers and other identity systems used by organizations.
- Attackers can use these kits to bypass push notifications and other forms of multi-factor authentication.
- The attacks often involve a combination of social engineering and targeted ransomware, with a financial motive.
Introduction to Voice-Phishing Kits
Criminals are now using custom voice-phishing kits to commit social engineering scams and identity fraud, thanks to the availability of these kits on dark web forums and messaging platforms. These kits are being sold as a service to a growing number of digital intruders, who are targeting victims’ Google, Microsoft, and Okta accounts. The kits include real-time assistance to help attackers intercept users’ credentials and multi-factor authentication codes. According to Okta Threat Intelligence VP Brett Winterford, there are at least two kits that implement this novel functionality, which allows attackers to monitor the phishing page as the targeted user is interacting with it and trigger different custom pages that the target sees.
How the Phishing Kits Work
The phishing kits have been developed to closely mimic the authentication flows of identity providers and other identity systems used by organizations. This creates a more compelling pretext for asking the user to share credentials and accept multi-factor authentication challenges. The kits allow the attacker to monitor the phishing page as the targeted user is interacting with it and trigger different custom pages that the target sees. This type of malicious activity has evolved significantly since late 2025, with some ads for these phishing kits also looking to recruit native English-speaking callers for the scams. These callers pretend to be from an organization’s helpdesk and approach targets using the pretext of resolving a support ticket or performing a mandatory technical update.
The Attack Process
The attack process involves several steps. First, the attacker performs reconnaissance on their targets, learning users’ names, what apps they use, and phone numbers for IT support calls. These details can be found fairly easily on companies’ websites, employees’ LinkedIn pages, and other publicly available sources. The attacker then uses the phishing kit to create a realistic-looking login website, calls the victim using a spoofed support hotline or company phone number, and pretends to be from the company’s help desk to convince the victim to visit the phishing page. The attacks vary from there, depending on the attacker’s motivation and their interactions with the user. If all goes according to plan, the victim enters their username and password into the phishing site, and the credentials are automatically forwarded to the attacker’s Telegram channel. The attacker now has valid credentials for the legitimate sign-in page.
Real-Time Assistance and Multi-Factor Authentication
Here’s where real-time assistance comes into play: while the victim is still on the phone, the attacker uses the compromised credentials to attempt a login to the victim’s account, notes whatever MFA challenges are used, and updates the phishing site in real time. The attacker then asks the victim to enter a one-time password, accept a push notification, or complete a different type of multi-factor authentication (MFA) challenge. The fake page that the victim sees supports this request, making the social-engineering scam even more believable. If the login triggers a push notification, for example, the attacker can verbally tell the user to expect one and select an option from their command-and-control panel that directs the target’s browser to a new page displaying a message implying that a push message has been sent. This lends plausibility to what would ordinarily be a suspicious request: asking the user to accept a challenge the user didn’t initiate.
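A defender-side view of the relay described above, as an added example that is not from Okta or the original article: the sign-in originates from the attacker's machine while the push is approved on the victim's own device, so the two sides of one session disagree. The event fields, sample records, known-IP baseline, and 5-minute window are constructed assumptions, not any identity provider's log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names are hypothetical.
EVENTS = [
    {"ts": "2026-01-12T09:00:05", "user": "alice", "event": "password_ok",
     "session": "s1", "ip": "198.51.100.7"},
    {"ts": "2026-01-12T09:00:20", "user": "alice", "event": "push_approved",
     "session": "s1", "device_ip": "198.51.100.7"},
    {"ts": "2026-01-12T14:31:10", "user": "bob", "event": "password_ok",
     "session": "s2", "ip": "203.0.113.50"},
    {"ts": "2026-01-12T14:32:02", "user": "bob", "event": "push_approved",
     "session": "s2", "device_ip": "192.0.2.44"},
    {"ts": "2026-01-12T16:00:00", "user": "carol", "event": "password_ok",
     "session": "s3", "ip": "203.0.113.99"},
]

# Constructed baseline: IPs each user has previously signed in from.
KNOWN_IPS = {"alice": {"198.51.100.7"}, "bob": {"192.0.2.44"},
             "carol": {"192.0.2.80"}}

WINDOW = timedelta(minutes=5)  # assumed length of a live phone call relay


def find_relayed_push(events, known_ips, window=WINDOW):
    """Flag sessions where a password login from an unfamiliar IP is followed
    shortly by a push approval from a device at a different IP."""
    pending = {}  # session id -> (time, password_ok event)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "password_ok":
            pending[ev["session"]] = (when, ev)
        elif ev["event"] == "push_approved":
            started = pending.pop(ev["session"], None)
            if started is None:
                continue  # approval with no matching login in this data set
            t0, login = started
            new_origin = login["ip"] not in known_ips.get(login["user"], set())
            split_path = ev["device_ip"] != login["ip"]
            if new_origin and split_path and when - t0 <= window:
                alerts.append({"user": login["user"], "session": ev["session"],
                               "login_ip": login["ip"],
                               "approver_ip": ev["device_ip"]})
    return alerts


if __name__ == "__main__":
    for alert in find_relayed_push(EVENTS, KNOWN_IPS):
        print(alert)
```

A phone on cellular data and a laptop on office Wi-Fi also produce differing IPs, which is why the heuristic additionally requires an unfamiliar sign-in origin before alerting.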
Impersonation-as-a-Service
Okta’s research echoes earlier reporting about "impersonation-as-a-service," in which criminals package and sell tools for social engineering and identity fraud using a software-as-a-service-style business model. A bad actor can subscribe to get tools, training, coaching, scripts, and exploits: everything in a box needed to go out and conduct an infiltration operation. These operations often combine social engineering attacks with targeted ransomware, almost always with a financial motive. This type of attack is becoming increasingly common, and organizations need to be aware of the risks and take steps to protect themselves and their users. By understanding how these attacks work and taking proactive measures to prevent them, organizations can reduce the risk of falling victim to these types of scams.


