The ShinyHunters cybercrime group has claimed responsibility for a series of sophisticated voice phishing (vishing) attacks targeting single sign-on accounts at Okta, Microsoft Entra, and Google. In these campaigns, attackers impersonate IT support staff, calling employees and guiding them to enter their credentials and multi-factor authentication codes on fake login portals. Once compromised, the SSO account provides a gateway to numerous connected enterprise applications like Salesforce, Microsoft 365, and Slack, enabling large-scale data theft.
According to Okta, the attackers use dynamic phishing kits that allow real-time manipulation of the fake login pages during calls, adapting to any MFA prompts. ShinyHunters confirmed they are behind these operations, stating that Salesforce remains a primary target, with other platforms being opportunistic beneficiaries. The group leverages previously stolen personal data to make their social engineering calls more convincing.
While Okta has documented the phishing infrastructure, ShinyHunters disputes that a specific screenshot belongs to their custom-built platform. Google stated it has no evidence its products are directly affected, and Microsoft declined to comment. The group has also relaunched its data leak site, listing recent breaches at companies like SoundCloud and Crunchbase, the latter of which confirmed a data exfiltration incident. These attacks highlight the growing threat of vishing as a method to bypass modern authentication defenses.
