'The breadth of targeted cloud platforms continues to expand': Google's security team takes a look at how ShinyHunters have rolled out so many SSO scams recently
Mandiant analyzed ShinyHunters' MO to dig deeper
- ShinyHunters use vishing and custom phishing pages to bypass SSO protections
- Stolen MFA codes grant access to platforms like Salesforce, Microsoft 365, and Dropbox
- Other groups mimic tactics; experts urge phishing-resistant MFA and Zero Trust defenses
A highly effective combination of vishing (voice phishing) and customized infrastructure has allowed the dreaded ShinyHunters extortion gang to launch countless single sign-on (SSO) scams recently, experts have concluded.
A new report from Google's Mandiant experts has explained the modus operandi behind a wave of SSO attacks that hit companies across industries recently, saying it all starts with a phone call.
It found ShinyHunters have perfected impersonating IT staff and tech operatives, calling employees in different positions and telling them their MFA settings need updating.
Extorting the victims
At the same time, they use customized infrastructure: they have created highly modular, customizable phishing landing pages that they can tweak in real time. For example, if the victim uses Google SSO, they will be given the matching landing page, which can then change again depending on the type of MFA that particular employee uses.
Once the attacker obtains the login credentials and MFA codes, they log into the Okta, Entra, or Google SSO dashboard, from which they can pick and choose what kind of data to steal: Salesforce, Microsoft 365, SharePoint, DocuSign, Dropbox, or a myriad of others. ShinyHunters apparently prefer Salesforce, although they won't pass up other opportunities either.
Finally, after exfiltrating all of the stolen data, they will add a sample to their data leak page and reach out to the victim in an attempt to get them to pay.
To stay safe, businesses should train their employees on the dangers of phishing and educate them on the latest techniques used in such attacks. They should also use phishing-resistant multi-factor authentication (MFA) wherever possible and deploy Zero Trust Network Architecture (ZTNA).
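As an added illustration of why the report recommends phishing-resistant MFA (this is not code from Mandiant, Google or the article): a toy Python model in which a one-time code typed into a relay page passes the identity provider's check no matter where it was typed, while an origin-bound assertion of the WebAuthn kind fails because the browser records the phishing domain as the origin. Origin names and keys are constructed, and an HMAC stands in for the authenticator's public-key signature.

```python
import hashlib
import hmac
import json
import secrets

# Constructed origins: the legitimate IdP and a look-alike landing page.
REAL_ORIGIN = "https://sso.example.com"
PHISH_ORIGIN = "https://sso-example.co"


def totp_code(seed: bytes, timestep: int) -> str:
    """Simplified RFC 6238-style 6-digit code (constructed, not a real IdP)."""
    mac = hmac.new(seed, timestep.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def idp_verify_totp(seed: bytes, code: str, timestep: int) -> bool:
    # The code carries no information about which page the user typed it into.
    return hmac.compare_digest(code, totp_code(seed, timestep))


def authenticator_assert(device_key: bytes, challenge: str, origin: str):
    """The browser supplies the origin it is on; the authenticator signs over it."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()
    return client_data, hmac.new(device_key, client_data, hashlib.sha256).hexdigest()


def idp_verify_assertion(device_key: bytes, challenge: str, client_data: bytes, sig: str) -> bool:
    data = json.loads(client_data)
    if data["origin"] != REAL_ORIGIN or data["challenge"] != challenge:
        return False  # origin binding: a signature made on another site is rejected
    expected = hmac.new(device_key, client_data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


def relay_totp_phish(seed: bytes, timestep: int) -> bool:
    """Victim types the code into the relay page, which forwards it: accepted."""
    code_typed_on_relay_page = totp_code(seed, timestep)
    return idp_verify_totp(seed, code_typed_on_relay_page, timestep)


def relay_origin_bound_phish(device_key: bytes) -> bool:
    """Same relay, but the assertion is made while the victim is on PHISH_ORIGIN."""
    challenge = secrets.token_hex(16)  # issued by the real IdP, forwarded by the relay
    client_data, sig = authenticator_assert(device_key, challenge, PHISH_ORIGIN)
    return idp_verify_assertion(device_key, challenge, client_data, sig)


def legit_origin_bound_login(device_key: bytes) -> bool:
    challenge = secrets.token_hex(16)
    client_data, sig = authenticator_assert(device_key, challenge, REAL_ORIGIN)
    return idp_verify_assertion(device_key, challenge, client_data, sig)
```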
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.