Researchers discover phishing toolkits specifically engineered for voice-based social engineering attacks—often called “vishing”—that synchronize fake login pages with live phone conversations to defeat multifactor authentication. These custom kits, sold as-a-service to criminals, enable attackers to control what victims see in their browsers while simultaneously coaching them through fraudulent authentication steps over the phone.
The phishing toolkits target major identity providers including Google, Microsoft, Okta and various cryptocurrency platforms. Unlike traditional phishing that relies solely on deceptive emails, these hybrid attacks combine real-time human manipulation with dynamic web interfaces that adapt to each victim’s security setup.
“Once you get into the driver’s seat of one of these tools, you can immediately see why we are observing higher volumes of voice-based social engineering,” Moussa Diallo, threat researcher at Okta Threat Intelligence, said. The threat actor can use this synchronization to defeat any form of MFA that is not phishing-resistant.
How the Latest Phishing Toolkits Work
The kits employ client-side scripts allowing attackers to orchestrate authentication flows in victims’ browsers during live calls, researchers at Okta Threat Intelligence found. This real-time control delivers the plausibility criminals need to convince targets to approve push notifications, submit one-time passcodes or take actions that bypass multifactor authentication controls.
Attack sequences typically follow a consistent pattern. Threat actors perform reconnaissance to learn employee names, commonly used applications and IT support phone numbers. They then set customized phishing pages live and call targets while spoofing the company’s actual support number.
Callers convince victims to navigate to phishing sites under pretenses like IT security requirements or account verification. When victims enter credentials, attackers receive them instantly via Telegram. The attacker simultaneously enters these credentials into the legitimate login page to see which multifactor authentication challenges appear.
Here’s where the real-time orchestration becomes devastatingly effective. Attackers update phishing sites on the fly to display pages matching whatever they’re telling victims over the phone. If the legitimate service sends a push notification, the caller verbally warns the victim to expect it while simultaneously commanding their control panel to display a message implying the push was sent legitimately.\
Also read: ‘Unprecedented Scale’ of Credential Stuffing Attacks Observed: Okta
This synchronization provides unprecedented control. The phishing kits Okta analyzed include command-and-control panels showing attackers exactly what victims see, with options to dynamically switch between different authentication scenarios—push notifications, one-time passcodes, backup codes or other challenges.
The toolkits even defeat push notifications with number matching or number challenge verification—security features designed specifically to combat phishing. Because attackers interact directly with victims, they simply ask targets to select or enter specific numbers displayed in the push challenge.
Push with number matching/challenge is not phishing-resistant by definition, as a social engineer interacting on the phone with a targeted user can simply request a user to choose or enter a specific number,” Okta’s threat advisory explained.
Only phishing-resistant authentication methods like FIDO passkeys protect users from these attacks. These technologies cryptographically verify users without transmitting credentials that attackers can intercept or manipulate.
Diallo predicts the industry sits at the beginning of a wave of voice-enabled phishing attacks augmented by real-time session orchestration tools. The expertise required to conduct these social engineering campaigns is itself sold as-a-service, lowering barriers to entry for less technically skilled criminals.
Okta researchers observed newer phishing kits copying the real-time orchestration features from earlier toolkits, with fraudsters selling access to bespoke control panels customized for specific identity providers and cryptocurrency platforms rather than generic kits targeting multiple services.
Earlier kits offered basic credential harvesting across multiple platforms. Current-generation toolkits provide specialized capabilities synchronized specifically to caller scripts, creating seamless fraudulent experiences that closely mimic legitimate authentication flows.
Defenders face no ambiguity about necessary countermeasures. Organizations must enforce phishing-resistant authentication for resource access. Organizations can also frustrate social engineering actors by implementing network zones or tenant access control lists that deny authentication from anonymizing services favored by threat actors. The strategy requires knowing where legitimate requests originate and allowlisting those networks.
Some financial institutions and cryptocurrency exchanges experiment with live caller verification, where users can sign into mobile apps during phone calls to confirm whether they’re speaking with authorized representatives.
The emergence of these synchronized vishing toolkits shows how social engineering continues evolving beyond simple deception into orchestrated attacks combining human manipulation with sophisticated technical infrastructure. Organizations relying on traditional multifactor authentication without phishing resistance face mounting vulnerability to these hybrid threats.
