According to the FBI information filed with California federal judge Margo Rocconi by an unidentified FBI agent, the suspects used multiple techniques to make victims trust the phishing links. First, the links appeared to come from the domain of the victim's employer. Second, the attackers leveraged the name of the enterprise security vendor Okta by appending "-okta.net" to the visible portion of the phishing domain name.
The attackers then reportedly used a domain registry called NameCheap, which advertises "private domain registration" and touts, with an element of irony given the customers at issue here, that customers can "stay protected from fraud and identity theft. Your contact details will be hidden from the public Whois database."
The suspects then used a bogus username (a celebrity name coupled with an offensive term) along with a free Gmail address. "These records showed that both phishing domains were registered on June 2, 2022 — the same date that Victim Companies 1, 2, and 3 were targeted in the phishing scheme," the FBI filing said.
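The naming trick described above (the victim's brand name followed by "-okta" in the registrable part of the domain) is easy to screen for on the defensive side. The following is an added example, not code from the article or from any party in the filing: a small Python checker that takes hostnames from a newly-registered-domain feed or proxy log and flags those that combine a protected brand with an identity-vendor token. The brand list, the vendor list and the sample hostnames are all constructed for illustration.

```python
from typing import Dict, Iterable, List, Optional

# Constructed sample hostnames, as a defender might pull from a
# newly-registered-domain feed or web-proxy logs. None of these come
# from the FBI filing; "examplecorp" stands in for the protected brand.
SAMPLE_DOMAINS: List[str] = [
    "login.examplecorp-okta.net",   # brand + vendor token: the pattern in the article
    "sso-examplecorp-okta.net",     # same pattern with an extra leading token
    "examplecorp.okta.com",         # legitimate vendor-hosted tenant, must not be flagged
    "examplecorp.com",              # the brand's own domain, must not be flagged
    "mail.othercompany-okta.net",   # vendor token but not our brand: lower-severity hit
    "okta.com",                     # the vendor's own domain, must not be flagged
]

# Assumed configuration: brands you are responsible for protecting.
PROTECTED_BRANDS: List[str] = ["examplecorp"]

# Identity-vendor names attackers bolt onto a brand to borrow trust.
VENDOR_TOKENS: List[str] = ["okta"]


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname, e.g. 'examplecorp-okta.net'.

    Simplification for the example: multi-label public suffixes such as
    'co.uk' are not handled; a production version would use a public
    suffix list.
    """
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def flag_lookalike(
    hostname: str,
    brands: Iterable[str] = PROTECTED_BRANDS,
    vendors: Iterable[str] = VENDOR_TOKENS,
) -> Optional[str]:
    """Classify a hostname; returns None when it does not match the pattern.

    'brand+vendor'  : the registrable label contains both a protected brand
                      and a vendor token (the technique in the filing).
    'vendor-suffix' : a vendor token is embedded in a third-party registrable
                      label, but no protected brand is present.
    """
    second_level = registrable_domain(hostname).split(".")[0]
    # Token-wise matching on '-' keeps precision high; substring matching
    # would also catch 'examplecorpokta' but at the cost of more noise.
    tokens = second_level.split("-")
    vendors = list(vendors)
    if second_level in vendors:
        return None  # the vendor's own registrable domain (okta.com)
    if not any(v in tokens for v in vendors):
        return None  # no vendor token in the registrable label at all
    if any(b in tokens for b in brands):
        return "brand+vendor"
    return "vendor-suffix"


def scan(hostnames: Iterable[str]) -> Dict[str, str]:
    """Run the classifier over a batch and keep only the hits."""
    hits: Dict[str, str] = {}
    for name in hostnames:
        reason = flag_lookalike(name)
        if reason is not None:
            hits[name] = reason
    return hits


if __name__ == "__main__":
    for host, reason in scan(SAMPLE_DOMAINS).items():
        print(f"{reason:14s} {host}")
```

Hits tagged `brand+vendor` are the ones worth an immediate takedown request and a block at the web proxy; `vendor-suffix` hits are useful as a watch list, since the same registrant pattern the filing describes (several lookalike domains created on the same day) tends to show up across more than one brand.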