Real-Time Phishing Kits Now Targeting Okta, Microsoft, and Google

Cybersecurity experts are grappling with a surge of voice-phishing attacks aimed at single sign-on (SSO) credentials. The coordinated campaigns have already led to data theft and extortion: several cybercrime groups, including one claiming ties to ShinyHunters, pair live voice calls with phishing kits to trick victims into handing over credentials. The group has gone so far as to publicly name alleged targets and leak samples of the stolen data, raising alarms in the security community.

This wave of attacks resembles earlier activity linked to ShinyHunters, in particular its abuse of third-party vendors to get into corporate networks. That earlier activity had significant repercussions, affecting more than 700 Salesforce customer environments in an extensive breach last fall. Charles Carmakal, chief technology officer at Mandiant Consulting, confirmed in an email to CyberScoop that Mandiant is tracking an ongoing ShinyHunters campaign that uses advanced voice phishing to obtain SSO credentials from victims. After gaining initial access, the threat actors have been observed moving through SaaS environments to extract sensitive information and then demanding ransom from the affected organizations.

The attackers register custom domains that closely imitate legitimate SSO portals. Tailored voice-phishing kits let an operator stay on the phone with the victim while controlling, in real time, what the victim's browser displays. The caller can therefore time verbal instructions to the multifactor authentication prompt the kit has just triggered against the real identity provider, which makes it far more likely that the victim will enter the code or approve the push notification without suspicion.

Okta, a prominent SSO provider, recently published threat intelligence on the phishing kits used in these attacks. According to Brett Winterford, vice president at Okta Threat Intelligence, researchers have identified at least two kits that mimic an identity provider's authentication flow in real time, giving victims a convincing context in which to hand over their credentials.
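The reason these kits work against one-time codes and push approvals, and the reason they do not work against WebAuthn (FIDO2) authenticators, is origin binding: a six-digit code or a push approval carries nothing that ties it to the site the user is actually looking at, whereas a WebAuthn assertion includes the browser-supplied origin of the page that requested it. The following Python script is an added example, not code from the article or from Okta, showing the relying-party side of that check for a hypothetical tenant `example-corp.okta.com` and a lookalike `example-corp-okta.com` (both assumed names). Signature verification over the assertion is deliberately left out so the example runs with the standard library only; in a real deployment it follows once these checks pass.

```python
import base64
import hashlib
import json
import secrets

# Constructed relying-party (RP) configuration for a hypothetical tenant.
RP_ID = "example-corp.okta.com"                     # assumed RP ID, not a real tenant
ALLOWED_ORIGINS = {"https://example-corp.okta.com"}  # the only origin the RP trusts


def b64url_decode(s: str) -> bytes:
    """Base64url without padding, as used in clientDataJSON."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Build the clientDataJSON a browser hands to the authenticator.

    The browser fills in `origin` from the page that invoked navigator.credentials.get();
    page script cannot override it. A prompt relayed onto a lookalike host therefore
    carries the lookalike origin, no matter how faithfully the kit mirrors the real IdP.
    """
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
        "crossOrigin": False,
    }).encode()


def make_authenticator_data(rp_id: str) -> bytes:
    """Minimal authenticatorData: SHA-256(rpId) || flags || 4-byte signature counter.
    Flags 0x05 = user present (0x01) and user verified (0x04)."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")


def verify_assertion(expected_challenge: bytes, client_data_json: bytes,
                     authenticator_data: bytes) -> tuple:
    """The challenge-, origin- and RP-binding checks of WebAuthn assertion verification.
    Returns (ok, reason). Signature verification is out of scope for this example."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not the relying party"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo() -> dict:
    """Legitimate login versus a real-time relay from a lookalike origin."""
    challenge = secrets.token_bytes(32)  # fresh per login, kept server side
    auth_data = make_authenticator_data(RP_ID)
    # Legitimate: the user is on the real tenant origin.
    legit = verify_assertion(
        challenge, make_client_data(challenge, "https://example-corp.okta.com"), auth_data)
    # Phished: the kit fetched the genuine challenge and relayed the prompt while the
    # operator talked the victim through it, but the victim's browser is on the
    # assumed lookalike domain, and that origin is what lands in clientDataJSON.
    phished = verify_assertion(
        challenge, make_client_data(challenge, "https://example-corp-okta.com"), auth_data)
    return {"legit": legit, "phished": phished}


if __name__ == "__main__":
    print(demo())
```

In practice the browser refuses the ceremony even earlier, because the RP ID `example-corp.okta.com` is not a registrable-domain suffix of the lookalike origin, so the authenticator is never asked to sign; the relying-party check above is the backstop if a kit somehow gets an assertion through. Contrast this with TOTP or push approval, where the relayed code or tap is accepted by the real identity provider because nothing in it identifies the site the victim was on.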

A Microsoft spokesperson declined to comment on the campaign specifically, and Google said it has no evidence that its products are affected. Security experts stress that these attacks exploit no vulnerability in the SSO vendors' products or infrastructure; they exploit long-standing weaknesses in identity and access management, and victims continue to be talked into disclosing their credentials.

The sophistication of these kits lets less technically skilled criminals buy the tooling and concentrate on social engineering, noted Cynthia Kaiser, senior vice president at Halcyon's ransomware research center. She said the recent campaigns have enjoyed higher success rates, likely because of how convincing the attacks are and because they add voice phishing. Personalized, real-time conversation makes it much easier to deceive a victim who is not already on high alert.

The scope of the campaign remains uncertain, though early reports indicate at least three organizations have been affected, including SoundCloud and Betterment. SoundCloud has confirmed that some personally identifiable information belonging to approximately 36 million users was taken in an attack discovered in mid-December. Although the company says sensitive data was not exposed, it has acknowledged that employees and partners have received threatening communications related to the breach.

Betterment, meanwhile, acknowledged that a social engineering attack gave an intruder access to its systems on January 9. The company said customer data was stolen but that no customer accounts were accessed and no credentials were compromised. The attacker also attempted to use Betterment's systems to send fraudulent cryptocurrency offers to select customers.

Threat intelligence suggests that more organizations have been targeted. Researchers at Sophos have identified around 150 malicious domains registered in the past month, including some tied to voice-phishing operations that ended in data theft and ransom demands. The registration of domains that impersonate well-known SSO services is part of a broader pattern of increasingly polished tradecraft.
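Newly registered domains that pair an organization's name with an identity-provider brand or an SSO word are the cheapest early signal for a campaign like this one. The script below is an added example, not code from Sophos, Okta or the article, that triages a constructed list of domains for a hypothetical organization named `examplecorp` (the org name, trusted registrable domains and known SSO hosts are all assumed values to be replaced with your own). It scores each domain on org-name presence outside org-owned domains, IdP and SSO vocabulary, digit-for-letter substitutions, and string similarity to the known-good SSO hosts; anything at or above a threshold is returned with the reasons.

```python
import re
from difflib import SequenceMatcher

# Constructed configuration for a hypothetical tenant; replace with your own values.
ORG_NAME = "examplecorp"
TRUSTED_REGISTRABLE = {"okta.com", "oktapreview.com", "microsoftonline.com",
                       "google.com", "examplecorp.com"}
KNOWN_SSO_HOSTS = {"examplecorp.okta.com", "login.microsoftonline.com",
                   "accounts.google.com", "sso.examplecorp.com"}
# Vocabulary that real-time phishing kits tend to put in their hostnames.
IDP_WORDS = {"okta", "microsoft", "microsoftonline", "office", "google", "gmail",
             "sso", "login", "signin", "auth", "mfa", "verify", "helpdesk"}
# Common digit-for-letter swaps used to dodge brand keyword matching.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable(domain: str) -> str:
    """Naive registrable domain (last two labels). Use a public-suffix list in
    production so that co.uk-style suffixes are handled correctly."""
    return ".".join(domain.split(".")[-2:])


def normalise(domain: str) -> str:
    return domain.lower().strip(".").translate(HOMOGLYPHS)


def score_domain(domain: str) -> tuple:
    """Return (score, reasons) for one domain. Higher means more suspicious."""
    d = domain.lower().strip(".")
    if d in KNOWN_SSO_HOSTS or registrable(d) in TRUSTED_REGISTRABLE:
        return 0, ["known-good host or trusted registrable domain"]
    norm = normalise(d)
    score, reasons = 0, []
    if ORG_NAME in norm.replace("-", "").replace("_", ""):
        score += 2
        reasons.append("org name in a domain the org does not own")
    hits = set(re.split(r"[.\-_]", norm)) & IDP_WORDS
    if hits:
        score += 2
        reasons.append(f"IdP/SSO words {sorted(hits)} in untrusted domain")
    if norm != d:
        score += 1
        reasons.append("digit-for-letter substitution")
    best = max(KNOWN_SSO_HOSTS, key=lambda h: SequenceMatcher(None, norm, h).ratio())
    ratio = SequenceMatcher(None, norm, best).ratio()
    if ratio >= 0.8:
        score += 2
        reasons.append(f"{ratio:.2f} similar to known host {best}")
    return score, reasons


def triage(domains, threshold: int = 3) -> list:
    """Return [(domain, score, reasons), ...] for domains at or above threshold,
    most suspicious first."""
    scored = [(d, *score_domain(d)) for d in domains]
    return sorted((row for row in scored if row[1] >= threshold), key=lambda r: -r[1])


# Constructed sample of "newly registered" domains; none of these are real findings.
SAMPLE_DOMAINS = [
    "examplecorp-okta.com",
    "sso-examplecorp.com",
    "0kta-verify.com",
    "it-helpdesk-examplecorp.net",
    "examplecorp.okta.com",          # legitimate tenant
    "login.microsoftonline.com",     # legitimate Microsoft login host
    "weather-report.net",            # unrelated noise
]

if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_DOMAINS):
        print(f"{score}  {domain}")
        for r in reasons:
            print(f"      - {r}")
```

Feed it the daily output of a certificate-transparency or new-domain feed filtered to your org name and IdP brands, and push the hits to the same queue that handles reported phishing so the domains can be blocked at the proxy and resolver before the call campaign starts.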

As the situation evolves, organizations need to stay vigilant. The group behind these attacks claims affiliation with ShinyHunters, but such claims are often unreliable, and the methods matter more than the branding: understanding the tactics and techniques in play is what improves defenses. In MITRE ATT&CK terms, this campaign runs on Initial Access through phishing (voice phishing is catalogued as the Spearphishing Voice sub-technique), Credential Access through the stolen SSO logins, and Collection and Exfiltration from the SaaS environments the attackers then reach.

Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop, specializing in cybercrime, ransomware, and vulnerabilities. With a journalism degree from Humboldt State University, he brings a wealth of experience from roles at Cybersecurity Dive and other publications.