Crims hit the easy button for Scattered-Spider style helpdesk scams
Criminals can more easily pull off social engineering scams and other forms of identity fraud thanks to custom voice-phishing kits being sold on dark web forums and messaging platforms.
These kits are sold as a service to “a growing number” of digital intruders targeting victims’ Google, Microsoft, and Okta accounts, and they include real-time assistance to miscreants looking to intercept users’ credentials and multi-factor authentication codes, according to a Thursday Okta Threat Intelligence blog.
“There are at least two kits that implement the novel functionality observed,” Okta Threat Intelligence VP Brett Winterford told The Register.
“The phishing kits have been developed to closely mimic the authentication flows of identity providers and other identity systems used by organizations,” he said. “The kits allow the attacker to monitor the phishing page as the targeted user is interacting with it and trigger different custom pages that the target sees. This creates a more compelling pretext for asking the user to share credentials and accept multi-factor authentication challenges.”
This type of malicious activity has “evolved significantly since late 2025,” according to Winterford, who added that some ads for these phishing kits also look to recruit native English-speaking callers for the scams.
“These callers pretend to be from an organization’s helpdesk and approach targets using the pretext of resolving a support ticket or performing a mandatory technical update,” Winterford said.
Last year, these types of Scattered Spider-like IT support call scams helped criminals gain access to dozens of companies’ Salesforce instances for large-scale data theft and extortion.
How the attacks work
Here’s how the attacks play out:
First, the attacker performs reconnaissance on their targets, learning users’ names, what apps they use, and phone numbers for IT support calls. These details can be found fairly easily on companies’ websites, employees’ LinkedIn pages, and other publicly available sources. Asking a chatbot to research potential targets makes recon even easier, and a lot faster.
Next, the attacker uses the phishing kit to create a realistic-looking login website, calls the victim using a spoofed support hotline or company phone number, and pretends to be from the company’s help desk to convince the victim to visit the phishing page. “The attacks vary from there, depending on the attacker’s motivation and their interactions with the user,” Winterford said.
If all goes according to plan, the victim enters their username and password into the phishing site. The credentials are automatically forwarded to the attacker’s Telegram channel, so the attacker now holds valid credentials for the legitimate sign-in page.
Here’s where real-time assistance comes into play: while the victim is still on the phone, the attacker uses the stolen credentials to attempt a login to the victim’s account, notes whatever MFA challenge the legitimate service presents, and updates the phishing site in real time to match it.
The attacker then asks the victim to enter a one-time password, accept a push notification, or complete a different type of multi-factor authentication (MFA) challenge. The fake page that the victim sees supports this request, thus making the social-engineering scam even more believable.
“If presented a push notification (type of MFA challenge), for example, an attacker can verbally tell the user to expect a push notification, and select an option from their [command-and-control] panel that directs their target’s browser to a new page that displays a message implying that a push message has been sent, lending plausibility to what would ordinarily be a suspicious request for the user to accept a challenge the user didn’t initiate,” the report says.
Plus, according to Okta, these kits can help attackers bypass push notifications that use number-matching challenges as a second form of verification and simply tell the targeted user to enter a specific number.
Either way, it’s game over for the user and the attacker now has full control over the compromised account.
Okta’s research echoes The Register’s earlier reporting about “impersonation-as-a-service,” in which criminals package and sell tools for social engineering and identity fraud using a software-as-a-service-style business model.
“As a bad actor you can subscribe to get tools, training, coaching, scripts, exploits, everything in a box to go out and conduct your infiltration operation that often combine[s] these social engineering attacks with targeted ransomware, almost always with a financial motive,” security shop Nametag CEO Aaron Painter told us in an earlier interview. ®