The cybercrime group ShinyHunters has garnered international attention after Google advised its 2.5 billion users to enhance their security protocols. This recommendation followed a data breach that exploited vulnerabilities within Salesforce, a widely used customer management platform.
Unlike conventional data breaches involving direct intrusion into databases, ShinyHunters, alongside other groups, has recently employed voice-based social engineering, known as “vishing,” to target major corporations. Vishing represents a form of social engineering where individuals are manipulated into divulging confidential information or performing actions under false pretenses.
In a vishing attack, a perpetrator impersonates an IT helpdesk employee to deceive an actual employee into revealing passwords or multi-factor authentication codes, thereby gaining unauthorized system access. Though not a novel tactic, the increasing sophistication of deepfakes and AI-driven voice cloning has made vishing more difficult to detect. These technologies enable criminals to convincingly mimic voices and create realistic scenarios, enhancing their deceptive capabilities.
Throughout the current year, several prominent companies, including Qantas, Pandora, Adidas, Chanel, Tiffany & Co., and Cisco, have reported being targeted through similar vishing methods, impacting millions of users. These incidents highlight the widespread vulnerability to social engineering tactics.
ShinyHunters, a cybercrime group, emerged in 2020, claiming responsibility for successful attacks against 91 victims. The group’s primary motivation is financial gain, though they have demonstrated a willingness to inflict reputational damage on their targets. In 2021, ShinyHunters announced the sale of data allegedly stolen from 73 million AT&T customers, illustrating the scale of their operations.
Prior to employing vishing, ShinyHunters targeted companies by exploiting vulnerabilities in cloud applications and website databases. Their focus on customer management providers like Salesforce enables them to access extensive data sets from multiple clients through a single successful attack. This approach amplifies the potential impact of their breaches.
The group’s adoption of social engineering techniques signals a shift in their modus operandi. This evolution is reportedly linked to their collaborations with other cybercriminal entities. In mid-August, ShinyHunters announced on Telegram a partnership with Scattered Spider and Lapsus$ to target Salesforce and Allianz Life. Telegram removed the channel shortly after its launch. The group subsequently released Allianz Life’s Salesforce data, which contained 2.8 million records pertaining to customers and corporate partners.
Scattered Lapsus$ Hunters, a rebranded iteration of Lapsus$, has recently advertised the provision of ransomware-as-a-service. This offering involves launching ransomware attacks on behalf of paying clients. The group claims its service surpasses those of other cybercrime organizations, including LockBit and Dragonforce. Instead of private negotiations, they often publish extortion messages publicly.
The cybercriminal landscape involves overlapping memberships among groups like ShinyHunters, Scattered Spider, and Lapsus$. These groups operate internationally, with members participating from various locations on the dark web. Further complicating matters, each group is often identified by multiple aliases; Scattered Spider, for instance, is also known as UNC3944, Scatter Swine, Oktapus, Octo Tempest, Storm-0875, and Muddled Libra.
Individual users can take limited direct action against organized cybercrime. Maintaining personal vigilance against scams is crucial for self-protection. Social engineering effectively exploits human emotions and the inclination to trust and assist.
Companies can proactively mitigate the risks of vishing. Implementing awareness training and scenario-based education programs for employees is vital. Verification methods, such as on-camera checks requiring employees to present corporate badges or government-issued identification, can also be implemented. Asking questions that cannot easily be answered with publicly available information online presents another layer of defense.
Organizations can bolster security by deploying authenticator applications that mandate phishing-resistant multi-factor authentication, incorporating techniques like number matching or geo-verification. Number matching requires users to enter a number displayed by the identity platform into the authenticator app to validate each authentication request. Geo-verification uses the user’s physical location as an additional authentication factor.
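As an added illustration of the number-matching and geo-verification checks described above (example code written for this page, not taken from the article or from any vendor's product), the constructed verifier below assumes a two-digit code, a 60-second challenge lifetime, a single answer attempt per push, and a 200 km distance threshold between the login origin and the registered device:

```python
import hmac
import math
import secrets
import time
from dataclasses import dataclass

# Constructed parameters (assumptions, not from the article).
CODE_LIFETIME_S = 60      # a push challenge is only answerable for one minute
MAX_DISTANCE_KM = 200.0   # login origin must be within this distance of the device


@dataclass
class Challenge:
    code: str          # the number shown on the login screen
    issued_at: float   # epoch seconds when the push was sent
    answered: bool = False


def issue_challenge(now=None) -> Challenge:
    """Identity-platform side: create a fresh two-digit number for this login."""
    now = time.time() if now is None else now
    return Challenge(code=f"{secrets.randbelow(100):02d}", issued_at=now)


def verify_number(ch: Challenge, typed: str, now=None) -> bool:
    """Authenticator side: accept only a fresh, unanswered challenge whose code matches.
    Because the number is shown on the attacker's screen, not the victim's, a victim who
    receives an unexpected push has nothing correct to type; one attempt per push means
    the 100 possible values cannot be cycled through."""
    now = time.time() if now is None else now
    if ch.answered or now - ch.issued_at > CODE_LIFETIME_S:
        return False
    ch.answered = True  # consume the challenge whether or not the answer is right
    return hmac.compare_digest(ch.code, typed.strip())


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def verify_geo(login_loc, device_loc, max_km=MAX_DISTANCE_KM) -> bool:
    """Geo-verification: the login's origin must lie near the enrolled device."""
    return haversine_km(*login_loc, *device_loc) <= max_km


def approve_login(ch, typed, login_loc, device_loc, now=None) -> bool:
    """Both factors must pass; the number check runs first and consumes the challenge."""
    return verify_number(ch, typed, now) and verify_geo(login_loc, device_loc)
```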