‘The breadth of targeted cloud platforms continues to expand’: Google’s security team takes a look at how ShinyHunters have rolled out so many SSO scams recently
- ShinyHunters use vishing and custom phishing pages to bypass SSO protections
- Stolen MFA codes grant access to platforms like Salesforce, Microsoft 365, and Dropbox
- Other groups mimic tactics; experts urge phishing-resistant MFA and Zero Trust defenses
A highly effective combination of vishing (voice phishing) and customized infrastructure has allowed the dreaded ShinyHunters extortion gang to launch countless single sign-on (SSO) scams in recent times, experts have concluded
A new report from Google’s Mandiant experts has explained the modus operandi behind a wave of SSO attacks that hit companies across industries recently, saying it all starts with a phone call.
It found ShinyHunters have perfected impersonating IT staff and tech operatives, calling employees in different positions and telling them their MFA settings need updating.
Extorting the victims
At the same time, they use customized infrastructure: they have created highly modular, customizable phishing landing pages that they can tweak in real time. Therefore, if the victim uses Google SSO, they will be given the appropriate landing page, which can then transform, depending on the type of MFA that particular employee uses.
When the attacker obtains the login credentials and MFA codes, they log into either Okta, Entra, or Google SSO dashboard, through which they can pick and choose what kind of data to steal: Salesforce, Microsoft 365, SharePoint, DocuSign, Dropbox, or a myriad of others. ShinyHunters, apparently, prefer Salesforce, although they won’t pass up on a different opportunity, too.
Finally, after exfiltrating all of the stolen data, they will add a sample to their data leak page and reach out to the victim in an attempt to get them to pay.
To stay safe, businesses should train their employees on the dangers of phishing and educate them on the latest techniques used in such attacks. They should also use phishing-resistant multi-factor authentication (MFA) wherever possible and deploy Zero Trust Network Architecture (ZTNA).
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
