- ShinyHunters uses vishing and custom phishing pages to bypass SSO protection
- Stolen MFA codes provide access to platforms such as Salesforce, Microsoft 365 and Dropbox
- Other groups mimic tactics; experts call for phishing-resistant MFA and Zero Trust defenses
A highly effective combination of vishing (voice phishing) and custom-built infrastructure has enabled the ShinyHunters extortion gang to run a wave of single sign-on (SSO) credential-theft attacks in recent months, experts have concluded.
A new report from Google’s Mandiant experts has explained the modus operandi behind a wave of SSO attacks hitting businesses across industries recently, saying it all starts with a phone call.
It found that ShinyHunters have perfected impersonating IT staff and technical support operators, calling employees in a range of roles and telling them that their MFA settings need to be updated.
Blackmailing the victims
At the same time, they use custom infrastructure: highly modular, customizable phishing landing pages that the attackers can adjust in real time. If the victim uses Google SSO, they are shown the matching Google landing page, which is then changed on the fly to suit whatever type of MFA that employee uses, so that the page collects the credentials and the MFA code in a form the attacker can replay immediately, before the code expires.
Once the attacker has the login credentials and MFA code, they sign into the victim's Okta, Entra, or Google SSO dashboard, from which they can pick and choose which connected applications to pull data from: Salesforce, Microsoft 365, SharePoint, DocuSign, Dropbox, or any of a myriad of others. ShinyHunters apparently prefer Salesforce, although they will take whatever else is available.
Finally, after exfiltrating all the stolen data, they will add a sample to their data leak page and contact the victim in an attempt to make them pay.
To stay safe, companies should train their employees on the dangers of phishing and vishing and keep them current on the latest techniques used in such attacks; in particular, any unsolicited call asking a user to change or re-enroll MFA should be verified through an independent channel before anything is done. Companies should also use phishing-resistant multi-factor authentication (MFA) such as FIDO2/WebAuthn security keys or passkeys where possible, because those credentials are bound to the genuine site's origin and cannot be relayed through a look-alike page the way a one-time code can, and they should adopt Zero Trust Network Access (ZTNA) so that a stolen SSO session alone does not grant broad access to connected applications.
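The reason phishing-resistant MFA defeats the relay described above, shown as an added example (this is illustrative code written for this page, not Mandiant's or ShinyHunters' tooling). The TOTP half is the real RFC 6238/4226 algorithm run over a constructed secret; the WebAuthn half is a deliberately simplified stand-in in which an HMAC over the client data replaces the authenticator's ECDSA signature, and the origins `https://login.example.com` (genuine IdP) and `https://sso-login.example-corp.net` (attacker's landing page) are made up for the demonstration.

```python
"""Why a relayed one-time code works against the real IdP, while an
origin-bound WebAuthn-style assertion does not.

Toy example added for illustration; not code from the article or from
any vendor. Secrets, timestamps and origins are constructed."""
import base64
import hashlib
import hmac
import json
import struct

# ---------- Part 1: TOTP is not bound to the page the user typed it into ----------

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (real algorithm; only the secret is constructed)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

TOTP_SEED = b"constructed-seed-for-demo-only"   # constructed; never reuse a demo seed
FIXED_TIME = 1_700_000_000                       # constructed timestamp for determinism

def idp_verify_totp(submitted: str, unix_time: int = FIXED_TIME) -> bool:
    """The genuine IdP checks only the code value. It cannot tell which web page
    the victim typed the code into, so a code collected by a phishing page and
    replayed within the 30-second window is accepted."""
    return hmac.compare_digest(submitted, totp(TOTP_SEED, unix_time))

def phish_relays_totp() -> bool:
    """Attacker flow: the victim reads the code from their app into the fake
    landing page; the attacker's backend submits it to the real IdP at once."""
    code_typed_by_victim = totp(TOTP_SEED, FIXED_TIME)
    return idp_verify_totp(code_typed_by_victim)   # True: the relay succeeds

# ---------- Part 2: a WebAuthn-style assertion carries the origin it was made for ----------

GENUINE_ORIGIN = "https://login.example.com"            # constructed genuine IdP origin
PHISH_ORIGIN = "https://sso-login.example-corp.net"     # constructed attacker origin
CREDENTIAL_KEY = b"constructed-credential-key"          # stands in for the private key

def authenticator_sign(browser_origin: str, challenge: str) -> dict:
    """Browser + authenticator side. In real WebAuthn the browser (not the web
    page) fills in clientDataJSON.origin, and the authenticator signs over it.
    Assumption for this toy: HMAC replaces the ECDSA signature."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True,
    ).encode()
    signature = hmac.new(CREDENTIAL_KEY, client_data, hashlib.sha256).hexdigest()
    return {"clientDataJSON": base64.b64encode(client_data).decode(), "signature": signature}

def rp_verify(assertion: dict, expected_origin: str, expected_challenge: str) -> bool:
    """Relying-party side: reject unless the signed origin and challenge match
    what this RP issued, then check the signature over the same bytes."""
    client_data = base64.b64decode(assertion["clientDataJSON"])
    fields = json.loads(client_data)
    if fields.get("type") != "webauthn.get":
        return False
    if fields.get("origin") != expected_origin:
        return False                      # assertion was produced for another site
    if fields.get("challenge") != expected_challenge:
        return False                      # replay of an old assertion
    expected_sig = hmac.new(CREDENTIAL_KEY, client_data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, assertion["signature"])

def legitimate_webauthn_login() -> bool:
    challenge = "constructed-challenge-1"
    assertion = authenticator_sign(GENUINE_ORIGIN, challenge)
    return rp_verify(assertion, GENUINE_ORIGIN, challenge)   # True

def phish_relays_webauthn() -> bool:
    """Attacker proxies the real RP's challenge to the victim, but the victim's
    browser is on the attacker's origin, so that is what gets signed."""
    challenge = "constructed-challenge-2"                    # fetched from the real RP by the proxy
    assertion = authenticator_sign(PHISH_ORIGIN, challenge)  # bound to the look-alike site
    return rp_verify(assertion, GENUINE_ORIGIN, challenge)   # False: origin mismatch

if __name__ == "__main__":
    print("TOTP relayed through phishing page accepted:", phish_relays_totp())
    print("WebAuthn legitimate login accepted:       ", legitimate_webauthn_login())
    print("WebAuthn relayed through phishing page:   ", phish_relays_webauthn())
```

In a real deployment the browser additionally refuses to exercise a credential whose registered RP ID does not match the page's domain, so the attacker's page usually never obtains an assertion at all; the relying-party origin check in `rp_verify` is the second line of defence. None of this helps if the caller persuades the victim (or the help desk) to enrol a new authenticator for the attacker, which is why the MFA-change request itself must be verified out of band.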
Via Bleeping Computer