Vishing on Okta: Why Your SSO is Vulnerable Without a Human Risk Management (HRM) Strategy

Attackers like ShinyHunters use advanced vishing kits and AiTM techniques to breach Okta SSO environments. Non-phishing-resistant Multi-Factor Authentication (MFA) is useless against social engineering targeting helpdesks. Mitigating this risk requires Human Risk Management (HRM), transforming vulnerability into organizational resilience.

Anatomy of the Attack: Vishing-assisted AiTM

Vishing-assisted AiTM is a social engineering technique where the attacker intercepts a collaborator's session through voice calls to breach the SSO. In this scenario, the attacker acts as an active intermediary between the collaborator and the legitimate service. Groups like ShinyHunters have already compromised organizations such as Betterment and Crunchbase using these social engineering techniques.

The steps identified in these campaigns targeting the Fintech and asset management sectors include:

• Reconnaissance: Identification of applications in use and real corporate technical support phone numbers.
• Helpdesk Impersonation: Voice calls simulating IT personnel. They use the ironic pretext of "helping the user set up their Passkeys" to capture their real credentials.
• "Phishing-as-a-service" Kits: Use of Socket.IO-based infrastructure for real-time data relay. Command and Control (C2) panels notify attackers via Telegram.
• Live Intervention: Through client-side scripting, the attacker can "screen share" on the victim's browser. This visually synchronizes the legitimate Multi-Factor Authentication (MFA) challenge with the fraudulent page.

The Technical Security Fallacy: Why Traditional MFA Fails

Multi-Factor Authentication (MFA) based on push notifications or number matching does not stop an attacker guiding the user by phone. The attacker simply instructs the collaborator on which number to enter or which notification to accept while the phishing kit replicates the interface.

This process exacerbates the "MFA fatigue" phenomenon. The user, pressured by the supposed urgency of technical support, relaxes their critical judgment. The live manipulation nullifies traditional computer security defenses, demonstrating that the human factor is the critical point of failure.

To delve deeper into these voice threats, see: Vishing & Deepfake Voice: The Definitive Guide.

Legal and Directive Responsibility: The Impact of NIS2

The success of these attacks demonstrates a lack of proportionate technical and organizational measures. Under Art. 21 of the NIS2 directive, the regulation obliges you as a director to be directly responsible for cybersecurity risk management in your organization.

Ignoring the control of human risk is not a legal option. Lack of diligence against social engineering can lead to severe penalties and personal liability for senior management. Resilience is not just a technical goal; it is a legal imperative for the C-suite.

More information on NIS2 and liability: NIS2 and the C-suite: the CEO's personal liability.

Human Risk Management (HRM): Building the Human Firewall

Human Risk Management (HRM) is the necessary evolution beyond static training. Kymatio transforms your collaborators into a Human Firewall by simulating realistic vishing attacks. These tools specifically train the ability to detect fraudulent calls.

Preventing a single incident of this type fully justifies the ROSI (Return on Security Investment). A compromised access to your SSO allows critical data to be exfiltrated from platforms like Salesforce or multi-million dollar extortion demands to be executed. HRM protects your financial capital and corporate reputation.‍

Conclusion and Strategic Recommendations

To secure your identity infrastructure and comply with NIS2 standards, implement these immediate actions:

1. Migrate to phishing-resistant methods: Adopt device-based and cryptographic authenticators such as FIDO2, Passkeys, or Okta FastPass to eliminate reliance on manual codes.
2. Train with vishing simulations: Subject your support teams and high-visibility users to voice attack simulation exercises that replicate the tactics of groups like ShinyHunters.
3. Restrict anonymization infrastructures: Establish network zones and access control lists in your SSO to block login attempts from suspicious proxies or networks.

Is your organization prepared to resist a vishing attack directed at its SSO? Evaluate your human risk level with Kymatio today and ensure your business continuity.