Threat hunters and researchers are racing to contain a wave of voice-phishing attacks targeting single sign-on tools, already leading to data theft and extortion attempts. Multiple cybercrime groups are combining voice calls and advanced phishing kits to trick victims into handing over access — including a group identifying itself as ShinyHunters, which has publicly named alleged targets and posted samples of stolen data.
The attacks share common characteristics with previous campaigns attributed to ShinyHunters, which has abused third-party vendors to gain initial access to multiple company networks, including the attack spree that impacted more than 700 Salesforce customer environments last fall.
“Mandiant is tracking a new, ongoing ShinyHunters-branded campaign using evolved voice phishing techniques to successfully compromise SSO credentials from victim organizations, and enroll threat actor controlled devices into victim multifactor authentication solutions,” Charles Carmakal, chief technology officer at Mandiant Consulting, said in an email to CyberScoop.
“This is an active and ongoing campaign,” Carmakal added. “After gaining initial access, these actors pivot into SaaS environments to exfiltrate sensitive data. An actor that identifies as ShinyHunters has approached some of the victim organizations with an extortion demand.”
Cybercriminals are registering custom domains that mimic legitimate single sign-on portals used by targeted companies, then deploying tailored voice-phishing kits to call victims while remotely controlling which pages appear in the victim’s browser. This lets the attackers sync their spoken prompts with multifactor-authentication requests in real time, increasing the likelihood the victim approves or enters the needed codes on cue.
Okta, one of the single sign-on providers targeted by this campaign, released threat intelligence on phishing kits observed in this campaign and others Thursday. Attackers appearing to be aligned with ShinyHunters have attempted to extort targeted organizations on behalf of a specific initial access broker that used one of these phishing kits.
Brett Winterford, vice president at Okta Threat Intelligence, said researchers have observed at least two phishing kits that demonstrate the real-time capability to mimic the authentication flows of identity providers.
“This creates a more compelling pretext for asking the user to share credentials and accept multifactor authentication challenges,” he told CyberScoop.
“Okta Threat Intelligence has observed multiple phishing kits developed for the needs of voice phishing operators, each with dedicated panels for impersonation of Google, Microsoft and Okta sign-in flows, as well as cryptocurrency providers,” Winterford added.
A spokesperson for Microsoft said the company has nothing to share on the campaign. Meanwhile, a Google spokesperson said: “At this time, we have no indication that Google itself or its products are affected by this campaign.”
Security experts noted the attacks don’t involve a vulnerability in single sign-on vendors’ products or infrastructure, but rather a persistent weak point in identity and access management. Targeted victims are once again being duped into sharing their credentials with attackers.
These phishing kits allow cybercriminals without deep technical skills to buy the tooling and focus on targeting people and processes, said Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center.
“While these campaigns occur often, the difference here is the amount of success in the recent campaign is slightly higher. That’s likely because of the believable content and the use of voice phishing versus just phishing,” she said.
“If you’re getting a call and it’s personalized and it’s changing in real time — that feels believable, that’s a different element that people don’t necessarily have their guard up for.”
Investigation ongoing into scope
It’s unclear how many organizations have been impacted by the campaign. A ShinyHunters-branded data leak site, which is currently down, previously listed at least three victims, including two companies that publicly confirmed they were impacted by recent attacks.
SoundCloud said some personally identifiable data on about 20% of its user base, roughly 36 million people, was compromised by an attack it first discovered in mid-December. The company insists sensitive data wasn’t exposed and did not name the attackers, but said users, employees and partners have been flooded with threatening emails.
“We are aware that a threat actor group has published data online allegedly taken from our organization,” Sade Ayodele, senior director of communications at SoundCloud, said in an email. “Our security team — supported by leading third-party cybersecurity experts — is actively reviewing the claim and published data.”
Betterment, a financial services company, said an attacker gained access to some of its systems via social engineering on Jan. 9. The company said customer data was stolen, but no accounts were accessed and customer credentials weren’t compromised.
The attacker also quickly used access to Betterment’s systems to send a fraudulent cryptocurrency offer to some customers. Betterment did not respond to a request for comment.
Threat intelligence suggests additional victims have been targeted and potentially impacted. Sophos researchers are tracking a cluster of about 150 malicious domains established starting last month, including some used in voice phishing campaigns resulting in data theft and ransom notes demanding a payment, said Rafe Pilling, director of threat intelligence at Sophos Counter Threat Unit.
“We can’t confirm that they have all been used but the threat actors are creating target-specific domains, themed to reflect single-sign on services and impersonating authentication providers like Okta,” Pilling said. The fake domains impersonate organizations in the education, real estate, energy, financial services and retail sectors.
While one of the groups behind this campaign identifies itself as ShinyHunters, researchers have yet to confirm that claim or formally attribute the attacks to a specific group or person.
“ShinyHunters typically has a mix of real victims and recycled information or exaggerated claims,” Kaiser said.
Moreover, the names adopted or reused by some cybercriminals has lost relevance, said Ian Gray, vice president of intelligence at Flashpoint.
A cybercriminal or group can use any username they choose and apply that to a data-leak site, but that doesn’t prove a direct link.
“While ShinyHunters have claimed credibility for the campaign,” Gray said, “it is equally important that we examine the tactics, techniques and procedures being employed and how they relate to previous campaigns.”