- ShinyHunters uses custom vishing and phishing pages to bypass SSO protections
- Stolen MFA codes provide access to platforms like Salesforce, Microsoft 365 and Dropbox
- Other groups imitate the tactics; experts recommend phishing-resistant MFA and Zero Trust defenses
A highly effective combination of vishing (voice phishing) and custom infrastructure has allowed the extortion gang ShinyHunters to launch countless single sign-on (SSO) attacks in recent times, experts have concluded.
A new report from Google’s Mandiant experts explains the modus operandi behind a wave of SSO attacks that have recently hit businesses across industries, saying it all starts with a phone call.
The report revealed that ShinyHunters had perfected the impersonation of IT staff and technical agents, calling employees in different positions and telling them that their MFA settings needed to be updated.
Extort victims
At the same time, they use custom infrastructure: they have created highly modular and customizable phishing landing pages that they can modify in real time. If the victim uses Google SSO, for example, they are served the matching landing page, which can then change depending on the type of MFA used by the employee in question.
Once the attackers obtain the login credentials and MFA codes, they log into the Okta, Entra, or Google SSO dashboard, through which they can choose the type of data to steal: Salesforce, Microsoft 365, SharePoint, DocuSign, Dropbox, or a myriad of others. ShinyHunters apparently prefer Salesforce, although they won’t pass up another opportunity either.
Finally, after exfiltrating all the stolen data, they will add a sample to their data leak page and contact the victim to try to make them pay.
To stay safe, businesses need to train their employees on the dangers of phishing and educate them on the latest techniques used in such attacks. They should also use phishing-resistant multi-factor authentication (MFA) wherever possible and deploy Zero Trust Network Architecture (ZTNA).
Via BleepingComputer




