- ShinyHunters uses vishing and custom phishing pages to bypass SSO protections
- Stolen MFA codes grant access to platforms like Salesforce, Microsoft 365, and Dropbox
- Other groups imitate tactics; experts urge phishing-resistant MFA and Zero Trust defenses
A highly effective combination of vishing (voice phishing) and custom infrastructure has allowed the feared extortion gang ShinyHunters to launch countless single sign-on (SSO) scams in recent times, experts have concluded.
A new report from Google’s Mandiant experts has explained the modus operandi behind a wave of SSO attacks that hit businesses across industries recently, saying it all starts with a phone call.
It found that ShinyHunters has perfected the imitation of IT staff and technology operators, calling employees in different positions and telling them that their MFA settings need to be updated.
Extort victims
At the same time, they use customized infrastructure: highly modular and customizable phishing landing pages that they can modify in real time. So if the victim uses Google SSO, they are served the matching landing page, which can then be adapted depending on the type of MFA that particular employee uses.
Once the attacker obtains the login credentials and MFA codes, they log into the Okta, Entra or Google SSO panel, from which they can choose which connected platform to steal data from: Salesforce, Microsoft 365, SharePoint, DocuSign, Dropbox or many others. ShinyHunters apparently prefers Salesforce, although they won’t pass up another opportunity either.
Finally, after extracting the stolen data, they add a sample to their data leak page and contact the victim to try to get them to pay.
To stay safe, companies must train their employees on the dangers of phishing and educate them on the latest techniques used in such attacks. They should also use phishing-resistant multi-factor authentication (MFA) whenever possible and implement Zero Trust Network Architecture (ZTNA).
Via BleepingComputer




