Cybercriminals Deploy Custom Phishing Kits to Automate IT Helpdesk Scams

Regulation Reporter

A new wave of sophisticated social engineering attacks is emerging, where criminals use custom-built phishing kits sold as a service to conduct convincing IT support call scams. These tools automate the creation of fake login pages and provide real-time assistance to attackers, making it easier to bypass multi-factor authentication and steal credentials for major platforms like Google, Microsoft, and Okta.

Cybercriminals are increasingly turning to a streamlined, service-based model to execute social engineering attacks, particularly those mimicking IT helpdesk support calls. According to a recent threat intelligence report from Okta, custom voice-phishing kits are being sold on dark web forums and messaging platforms, providing a low-barrier entry point for a growing number of digital intruders targeting enterprise accounts.

These kits are not just simple phishing templates. They are sophisticated tools designed to closely mimic the authentication flows of major identity providers and other corporate identity systems. The core innovation is their real-time interactivity. "The phishing kits have been developed to closely mimic the authentication flows of identity providers and other identity systems used by organizations," explained Brett Winterford, VP of Okta Threat Intelligence. "The kits allow the attacker to monitor the phishing page as the targeted user is interacting with it and trigger different custom pages that the target sees."

This functionality creates a more compelling pretext for attackers to request credentials and multi-factor authentication (MFA) codes from victims. The attack chain typically begins with reconnaissance. Attackers harvest target information—names, job titles, phone numbers—from public sources like company websites and LinkedIn profiles. The use of AI chatbots has made this research phase faster and more efficient.

Armed with this data, the attacker uses the phishing kit to generate a convincing replica of a legitimate login portal. They then call the victim, spoofing the organization's official IT support number, and use a fabricated support ticket or mandatory update as a pretext to direct the user to the fake site.


Here is where the real-time assistance feature becomes critical. Once the victim enters their username and password, the credentials are instantly relayed to the attacker, often via a Telegram channel. The attacker then immediately attempts to log in to the legitimate service using those credentials. The phishing kit dynamically updates the fake page based on the MFA challenges presented by the real service.

For example, if the legitimate login process triggers a push notification to the user's phone, the attacker can verbally instruct the victim to expect a push. Simultaneously, they select an option in their command-and-control panel, which changes the victim's browser view to a page displaying a message confirming the push was sent. This lends plausibility to an otherwise suspicious request. The same technique can be used to bypass number-matching MFA challenges by simply telling the user which number to enter.

This evolution of phishing has accelerated since late 2025. Some kits even include recruitment services for native English-speaking callers to enhance the social engineering aspect of the scam. This model of "impersonation-as-a-service" packages tools, training, and scripts into a subscription, lowering the technical skill required to conduct high-impact attacks.

The consequences of these scams are severe. Last year, similar IT support call scams, often attributed to groups like Scattered Spider, were used to gain unauthorized access to dozens of companies' Salesforce instances, leading to large-scale data theft and extortion. The ease with which these kits are now available suggests such attacks will become more frequent and harder to detect.

For organizations, this underscores the need for robust security awareness training that specifically addresses social engineering tactics. Employees should be trained to verify any unsolicited IT support contact through official channels and to be skeptical of requests to enter MFA codes they did not initiate. Technical controls, such as implementing phishing-resistant MFA methods like FIDO2 security keys, can also provide a critical layer of defense against these sophisticated attacks.
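The reason FIDO2/WebAuthn resists the relay trick described above is that the browser binds the page's origin and a server-issued challenge into the signed clientDataJSON, so a login "approved" on a lookalike site cannot be replayed against the real identity provider. The relying-party-side check below is an added illustration written for this article, not code from Okta or any product; the origin `https://login.example.com` and the challenge values are constructed, and full verification would additionally check the rpIdHash in authenticatorData and the assertion signature.

```python
import base64
import json

# Constructed: the genuine identity provider origin the relying party expects.
RP_ORIGIN = "https://login.example.com"


def b64url_decode(data: str) -> bytes:
    """Decode base64url without padding, as WebAuthn transmits clientDataJSON."""
    data += "=" * (-len(data) % 4)
    return base64.urlsafe_b64decode(data)


def make_client_data(origin: str, challenge: str, typ: str = "webauthn.get") -> str:
    """Build a clientDataJSON blob the way a browser would (for the demo only)."""
    raw = json.dumps({"type": typ, "challenge": challenge, "origin": origin}).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def check_client_data(client_data_b64: str, expected_challenge: str) -> tuple[bool, str]:
    """Return (ok, reason) after checking the origin and challenge that the
    browser bound into clientDataJSON. An assertion collected on a lookalike
    domain fails the origin check even though the victim 'approved' it, and a
    stale or relayed assertion fails the challenge check (signature check omitted here)."""
    try:
        cd = json.loads(b64url_decode(client_data_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "clientDataJSON not parseable"
    if cd.get("type") != "webauthn.get":
        return False, f"unexpected type {cd.get('type')!r}"
    if cd.get("origin") != RP_ORIGIN:
        # This is the check that defeats a relay kit: the lookalike origin is signed in.
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    return True, "ok"


if __name__ == "__main__":
    issued = "c2Vzc2lvbi1jaGFsbGVuZ2U"  # constructed per-login challenge
    print(check_client_data(make_client_data(RP_ORIGIN, issued), issued))
    print(check_client_data(make_client_data("https://login-example.com", issued), issued))
```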

The rise of these kits highlights a broader trend in cybercrime: the professionalization and commoditization of attack tools. As threat actors continue to refine their methods, the line between a targeted attack and a mass-market scam blurs, making it essential for security teams to stay informed about the latest tactics and adapt their defenses accordingly.
