You receive a call from IT support about a critical security issue affecting your account. The caller ID matches your company's number. They urgently instruct you to log in to verify your identity, and while you type your password, they see every move and control what's on your screen in real time.
Here's what makes this threat different from what we have seen in the past. Attackers aren't just sending you a fake login page and hoping you'll enter your credentials. They're calling you, pretending to be IT support, while simultaneously controlling a customized phishing site that synchronizes with everything they're telling you over the phone.
The attack follows a predictable pattern. Criminals research your company, learning employee names, commonly used applications, and IT support phone numbers. They spoof your company's real phone number when they call. Then they convince you to visit their phishing site under pretexts such as "mandatory security verification" or "account authentication required."
As you enter your username and password, the attacker receives them instantly via Telegram, an encrypted messaging app. But here's where it gets sophisticated. The attacker simultaneously enters your credentials into the real login page to see exactly which multifactor authentication challenge your company's system sends, such as a push notification (an alert sent to your phone asking for approval), a one-time code (a code sent to your device), backup codes, or number matching (requiring you to select a specific number).
Now comes the synchronized deception. The attacker updates their fake website in real time to display pages that match whatever they're telling you over the phone. If your company sends you a push notification, the caller warns you to expect it, while the attacker's control panel puts a matching message on the fake site that makes the push appear legitimate.
Think about this: You're on the phone with someone claiming to be IT support, giving you clear instructions to act now, while at the same moment they are controlling what the page in your browser shows, making everything feel urgent and legitimate as they guide you deeper into the attack.
Even advanced multifactor authentication with number matching is no defense here. The attacker is right there, actively directing you to input or select specific numbers. The pressure makes it hard to second-guess.
Only phishing-resistant authentication methods, such as FIDO2 passkeys, which use cryptographic protocols to verify your identity without sending passwords, protect against these attacks. These technologies verify you without transmitting credentials that attackers can intercept or manipulate during a live conversation.
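To show why FIDO2 passkeys hold up where a relayed password or MFA code does not, the following is an added example, not code from the article, of the checks a relying party runs on a WebAuthn login response: the browser, not the web page, writes the origin it is really on into the signed client data, so an assertion captured through a lookalike site fails the origin check, and the attacker cannot forge one for the real origin without the enrolled private key. It is written in Go using WebAuthn's EdDSA option for brevity; Verify, Sign, company.example and login-company.example are constructed names, and Sign stands in for the user's browser plus authenticator.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Assertion is the WebAuthn login response the browser hands to the relying party.
type Assertion struct {
	AuthData       []byte // bytes 0..31 = SHA-256(rpId), then flags and signature counter
	ClientDataJSON []byte // the browser records the origin it is really on; the page cannot set it
	Signature      []byte // EdDSA over AuthData || SHA-256(ClientDataJSON), made by the authenticator
}

// Verify runs the relying-party checks that make a passkey phishing-resistant.
func Verify(pub ed25519.PublicKey, rpID, origin, challenge string, a Assertion) error {
	var cd map[string]string
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil || cd["type"] != "webauthn.get" || cd["challenge"] != challenge {
		return fmt.Errorf("clientData rejected: malformed, wrong ceremony, or stale challenge")
	}
	if cd["origin"] != origin { // a live relay through a lookalike domain is caught here
		return fmt.Errorf("origin mismatch: %s", cd["origin"])
	}
	if h := sha256.Sum256([]byte(rpID)); len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(h[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if h := sha256.Sum256(a.ClientDataJSON); !ed25519.Verify(pub, append(append([]byte{}, a.AuthData...), h[:]...), a.Signature) {
		return fmt.Errorf("bad signature: only the enrolled authenticator can sign")
	}
	return nil
}

// Sign stands in for browser plus authenticator during a login made from origin (constructed for this example).
func Sign(priv ed25519.PrivateKey, rpID, origin, challenge string) Assertion {
	cdj, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x05, 0, 0, 0, 1) // flags UP|UV, signature counter 1
	h := sha256.Sum256(cdj)
	return Assertion{authData, cdj, ed25519.Sign(priv, append(append([]byte{}, authData...), h[:]...))}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rp, site, phish := "company.example", "https://login.company.example", "https://login-company.example"
	fmt.Println("genuine login:", Verify(pub, rp, site, "nonce1", Sign(priv, rp, site, "nonce1")))
	fmt.Println("relayed login:", Verify(pub, rp, site, "nonce1", Sign(priv, rp, phish, "nonce1")))
}
```

Running it shows the genuine login accepted and the relayed one rejected with an origin mismatch, which is the property a password or one-time code relayed over the phone lacks.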
Security researchers at Okta discovered that these toolkits are sold as a service to criminals, lowering the barrier to entry for less technically skilled attackers. The expertise required to conduct these social engineering campaigns is packaged and sold, making these attacks increasingly common.
Takeaways
- Verify through official channels first: If IT support calls unexpectedly, hang up and call them back through your company's official support number. Never proceed with authentication based on an inbound call, even if the caller ID looks legitimate.
- Never navigate to websites based on phone instructions: Real IT support will create tickets you can reference and verify. They won't ask you to visit specific URLs during unsolicited calls.
- Question authentication requests over the phone: Legitimate IT support will never ask you to approve push notifications, enter verification codes, or complete authentication steps while they're on the line with you.
- Enable phishing-resistant authentication: Where available, use FIDO2 security keys or passkeys instead of traditional multifactor authentication for your most critical accounts.
- Remember the core principle: If someone calls you and asks you to log into anything, that's your signal to stop, verify their identity through independent channels, and never proceed based solely on their instructions.
What actually stops this attack? Hanging up instantly and calling IT back at the verified support number. Attackers win only if you remain on the phone and act under their direction.
------------------------------
Genady Vishnevetsky
Chief Info Security Officer
Stewart Title Guaranty Company
Houston TX
------------------------------