ShinyHunters: SSO Account Data Theft Attacks Claimed

by Priyanka Patel, tech editor

ShinyHunters Claims Responsibility for Wave of Voice Phishing Attacks Targeting Okta, Microsoft, and Google

Cybercriminals are exploiting single sign-on (SSO) vulnerabilities through sophisticated voice phishing schemes, gaining access to corporate data and demanding ransom, according to claims made by the notorious ShinyHunters extortion gang.

The attacks center around impersonating IT support staff to trick employees into divulging their credentials and multi-factor authentication (MFA) codes on fraudulent websites mimicking legitimate company login portals. Once inside, attackers leverage compromised SSO accounts to access a network of connected enterprise applications and services, enabling large-scale data theft.

SSO services offered by Okta, Microsoft Entra, and Google are designed to streamline access to cloud services, internal tools, and business platforms with a single login. However, these dashboards, which typically list all connected services, become a prime target for attackers, effectively providing a gateway into sensitive corporate systems and data. Commonly connected platforms include Salesforce, Slack, and various cloud storage solutions.

Okta has been actively addressing the data theft attacks, and yesterday the company released a report detailing the phishing kits used in these voice-based attacks, corroborating data shared with BleepingComputer.

According to Okta, these phishing kits feature a web-based control panel allowing attackers to dynamically alter the content displayed on phishing sites during live phone conversations. This capability enables threat actors to guide victims through each step of the login and MFA authentication process. If stolen credentials trigger an MFA prompt, attackers can display new dialog boxes on the phishing site in real time, instructing victims to approve push notifications, enter time-based one-time passwords (TOTP codes), or complete other authentication steps.

Phishing kit displaying different dialogs while calling victims - Source: Okta
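The live relay Okta describes works because a TOTP code, once read out over the phone, carries nothing that ties it to the site the victim typed it into, whereas a WebAuthn assertion is bound to the origin the victim's browser actually saw. The following is an added example, not code from the article or from Okta, contrasting the two verifier-side checks in Python; the RP_ORIGIN value, the lookalike domain, the TOTP seed and the time step are constructed.

```python
import base64
import hashlib
import hmac
import json
import struct

RP_ORIGIN = "https://login.example-corp.com"  # constructed legitimate IdP origin

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def totp(secret: bytes, timestep: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. The code says nothing about where the
    user typed it, so a code relayed from a phishing page verifies normally."""
    mac = hmac.new(secret, struct.pack(">Q", timestep), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, submitted: str, timestep: int) -> bool:
    return hmac.compare_digest(totp(secret, timestep), submitted)

def verify_webauthn_client_data(client_data_json: bytes, challenge: bytes) -> bool:
    """Relying-party checks on clientDataJSON (type, challenge, origin). The
    browser writes the origin of the page that called navigator.credentials.get(),
    so an assertion made on a lookalike site is rejected even when relayed live."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), challenge):
        return False
    return cd.get("origin") == RP_ORIGIN

def relay_outcomes() -> dict:
    """Constructed scenario: a victim on a lookalike site submits a TOTP code and
    a WebAuthn assertion, and the kit forwards both unchanged to the real IdP."""
    secret, step = b"constructed-totp-seed", 57_000_000  # constructed values
    relayed_code = totp(secret, step)                    # read from victim's app
    challenge = b"\x2a" * 32                             # IdP challenge, relayed
    def client_data(origin: str) -> bytes:
        return json.dumps({"type": "webauthn.get",
                           "challenge": b64url_encode(challenge),
                           "origin": origin}).encode()
    phished = client_data("https://login.example-corp-support.com")  # lookalike
    return {"totp_relayed": verify_totp(secret, relayed_code, step),
            "webauthn_relayed": verify_webauthn_client_data(phished, challenge),
            "webauthn_genuine": verify_webauthn_client_data(client_data(RP_ORIGIN), challenge)}
```

The relayed TOTP is accepted, the relayed WebAuthn assertion is rejected on the origin check, and the genuine one passes; a production verifier would additionally check the authenticator data, signature and counter.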

ShinyHunters Confirms Involvement, Targets Salesforce

While initially hesitant to comment, ShinyHunters confirmed to BleepingComputer this morning that they are responsible for at least some of the social engineering attacks. “We confirm we are behind the attacks,” the group stated. “We are unable to share further details at this time, besides the fact that Salesforce remains our primary interest and target, the rest are benefactors.”

The group also validated aspects of BleepingComputer’s reporting, including details about the phishing infrastructure and associated domains. However, ShinyHunters disputed Okta’s claim regarding a screenshot of a phishing kit command-and-control server, asserting that their platform was built in-house.

ShinyHunters further claimed to be targeting not only Okta but also Microsoft Entra and Google SSO platforms. Microsoft has not yet issued a statement, and Google indicated it has no evidence of its products being exploited in the campaign. “At this time, we have no indication that Google itself or its products are affected by this campaign,” a Google spokesperson told BleepingComputer.

The group claims to be leveraging data stolen in previous breaches, including the widespread Salesforce data theft attacks, to identify and contact employees. This stolen data includes phone numbers, job titles, names, and other details used to enhance the credibility of their social engineering calls.

Data Leak Site Relaunched, New Victims Listed

ShinyHunters
