The Scattered Lapsus$ Hunters (SLH) hacking collective has launched a recruitment push aimed specifically at women, offering cash payments for participating in voice-phishing (vishing) attacks.
A few days ago, threat intelligence firm Dataminr detected posts on a public Telegram channel advertising roles for female callers willing to conduct social-engineering phone operations.
SLH’s recruitment ad (Source: Dataminr)
The group is apparently offering between $500 and $1,000 per call, up front, and is supplying prepared scripts to guide these recruits through impersonation attempts.
About Scattered Lapsus$ Hunters
SLH is an informal coalition drawing from members associated with Lapsus$, Scattered Spider, and ShinyHunters, three groups linked to the (predominantly) English-speaking (cyber)crime network known as The Com.
Past arrests and court cases involving individuals tied to Lapsus$ and Scattered Spider have largely involved young men, though the demographic makeup membership of such groups is likely fluid.
The group has been operating for a while now, and has successfully targeted high-profile organizations such as Jaguar Land Rover, Adidas, Qantas, and many others.
Scattered Spider members are known for their social engineering skills (particularly vishing), and their tendency to bypass multi-factor authentication protections through SIM swapping, fake single sign-on (SSO) pages, and MFA prompt bombing (aka MFA fatigue).
They also have a penchant for targeting corporate IT help desk and support personnel via phone by impersonating employees and convincing the former to change account passwords, as well as impersonating support personnel to get employees to install remote monitoring and management (RMM) tools or logging into their accounts via phishing sites.
According to cybersecurity company Silent Push, they are leveraging adaptable phishing kits that allow them to syncronize the authentication flow on those phishing pages with the requests made during phishing calls.
Advice for organizations
Dataminr advises organizations to start briefing IT help desk and support personnel about this specific recruitment trend and teach them to expect vishers (whether male or female) to be well-rehearsed and very convincing.
“Enforce out-of-band identity verification (e.g., video calls or secondary internal verification) for all password resets or MFA credential changes requested via phone,” the company counsels.
Where possible, organizations should switch to using phishing-resistant authentication methods (e.g., FIDO2-compliant hardware security keys or passkeys), and they should “audit logs for new user creation or administrative privilege escalation immediately following help desk interactions.”
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
