Voice Phishing Attacks: Cybercrime Group Takes Responsibility

by priyanka.patel tech editor

SAN FRANCISCO, February 29, 2024 – The cybercrime group ShinyHunters is now claiming responsibility for at least five attacks stemming from a recent voice phishing campaign initially flagged by Okta security researchers. This escalating threat highlights the growing sophistication of social engineering tactics targeting major tech companies and their users.

Voice Phishing Campaign Targets Tech Giants

A new wave of voice phishing attacks is exploiting vulnerabilities in single sign-on systems, potentially compromising accounts at Google, Microsoft, and Okta.

  • ShinyHunters claims to have extorted at least five companies through the voice phishing scheme.
  • The attacks leverage custom phishing kits designed to intercept credentials and bypass multi-factor authentication.
  • Researchers have identified approximately 150 domains created in December linked to these campaigns.

Okta warned on Thursday that a social engineering campaign utilizing custom phishing kits was actively targeting environments associated with Google, Microsoft, and Okta, employing voice phishing (also known as “vishing”) techniques. These kits are designed to steal user credentials and, alarmingly, convince individuals to disable multi-factor authentication, a critical security measure.

Security researcher Alon Gal confirmed last week that ShinyHunters contacted him, asserting they had extorted at least three companies in connection with the voice phishing campaign. While the specific companies involved are still being verified, Gal updated that claim on Monday, stating the number now stands at five. The initial contact from ShinyHunters followed a report published by Bleeping Computer detailing the Okta single sign-on account targeting.

Sophos researchers are currently tracking a cluster of roughly 150 domains created in December and actively used in these voice phishing campaigns, which ultimately lead to data theft and extortion demands. “We can’t confirm that they have all been used, but the threat actors are creating target-specific domains, themed to reflect single sign-on services and impersonating authentication providers like Okta,” explained Rafe Pilling, director of threat intelligence at Sophos’s Counter Threat Unit.
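A defender-side triage sketch for the pattern Sophos describes (domains themed on single sign-on and impersonating authentication providers), added here as an example; it is not code from the article, Okta, or Sophos. The brand allowlist, theme words, digit-swap table and the `.example` sample domains are assumptions constructed for illustration.

```python
import re

# Assumption: brand keyword -> registrable domains the brand legitimately uses.
LEGIT = {
    "okta": {"okta.com", "oktapreview.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "google": {"google.com"},
}
# Assumption: words that suggest a single sign-on or helpdesk lure.
THEMES = ("sso", "login", "signin", "auth", "mfa", "verify", "helpdesk", "support")
# Digit-for-letter swaps often seen in lookalike names.
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def registrable(host):
    # Assumption: naive "last two labels"; use the Public Suffix List in production.
    return ".".join(host.split(".")[-2:])

def assess(domain):
    """Score one newly observed domain for brand impersonation plus SSO theming."""
    host = domain.strip().lower().rstrip(".")
    plain = host.translate(DIGIT_SWAPS)          # undo simple digit swaps
    reg = registrable(host)
    # Brand keyword present anywhere, but the registrable domain is not the brand's.
    brands = sorted(b for b, ok in LEGIT.items() if b in plain and reg not in ok)
    tokens = set(re.split(r"[.\-_]", plain))
    themes = sorted(t for t in THEMES
                    if any(tok.startswith(t) or tok.endswith(t) for tok in tokens))
    swapped = any(b not in host for b in brands)  # brand only visible after de-swapping
    return {"domain": host, "brands": brands, "themes": themes, "swapped": swapped,
            "suspicious": bool(brands) and (bool(themes) or swapped)}

def triage(domains):
    """Return the hostnames worth an analyst's attention, in input order."""
    return [r["domain"] for r in map(assess, domains) if r["suspicious"]]

# Constructed sample input (reserved .example TLD), not indicators from the campaign.
SAMPLE = ["acme.okta.com", "acme-okta-sso.example", "okta.com.sso-acme.example",
          "0kta-helpdesk.example", "login.microsoftonline.com", "example-blog.example"]

if __name__ == "__main__":
    for name in triage(SAMPLE):
        print(assess(name))
```

Feed it newly registered or newly resolved domains from DNS or proxy logs, with your own tenant hostnames added to the allowlist.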

Google Threat Intelligence Group researchers initially acknowledged tracking the threat activity but later removed a related post. A Google spokesperson stated that neither Google nor any of its products were affected by the social engineering campaign. Okta representatives confirmed they have no specific information regarding any examination by Google researchers, noting that any such investigation would likely be initiated at the request of a compromised organization.

“Okta Threat Intelligence routinely shares threat research to help companies protect against evolving social engineering techniques,” an Okta representative stated. “While Okta’s platform and services remain secure, Okta is calling attention to these evolving techniques to help raise awareness and support stronger defenses for customers.”

Microsoft has stated they have no information to share at this time but will provide updates if warranted.

What is voice phishing (vishing)? Vishing is a type of phishing attack that uses phone calls to trick individuals into revealing sensitive information, such as usernames, passwords, and financial details.

Did you know? ShinyHunters previously gained notoriety for data breaches impacting companies like Zoom, Yahoo, and Wattpad, selling stolen data on dark web marketplaces.

Pro tip: Regularly review and update your multi-factor authentication methods. Consider using authenticator apps over SMS-based codes for increased security.