The cybercrime group ShinyHunters has gained global attention after Google warned 2.5 billion users to strengthen their security following a data breach via Salesforce, a customer management platform. The incident highlights a growing trend of voice-based social engineering, known as vishing.
Social engineering involves manipulating individuals into divulging information or performing actions they wouldn’t normally undertake. In the context of vishing, criminals impersonate IT helpdesk personnel to trick employees into sharing passwords and multi-factor authentication codes. The increasing sophistication of deepfakes and AI-driven voice cloning is making such social engineering attempts harder to detect.
This year alone, companies including Qantas, Pandora, Adidas, Chanel, Tiffany & Co., and Cisco have been targeted using similar tactics, impacting millions of users. ShinyHunters, which emerged in 2020, claims responsibility for 91 successful attacks. While primarily motivated by financial gain, the group has also demonstrated a willingness to inflict reputational damage on its victims. In 2021, ShinyHunters reportedly sold data stolen from 73 million AT&T customers.
Historically, ShinyHunters has exploited vulnerabilities in cloud applications and website databases. By targeting customer management providers like Salesforce, they can access extensive data sets from multiple clients through a single attack. The adoption of social engineering techniques marks a relatively new strategy for ShinyHunters, influenced by their affiliations with other cybercriminal groups.
In mid-August, ShinyHunters announced on Telegram a collaboration with Scattered Spider and Lapsus$ to target companies like Salesforce and Allianz Life. The Telegram channel was promptly shut down, but not before the group publicly released Allianz Life’s Salesforce data, comprising 2.8 million records related to individual customers and corporate partners. The rebranded group, Scattered Lapsus$ Hunters, has also announced a ransomware-as-a-service offering, claiming superiority over competitors like LockBit and Dragonforce, and often posts extortion messages publicly rather than negotiating directly with victims.
The cybercriminal landscape is further complicated by the overlapping memberships and multiple aliases of groups like ShinyHunters, Scattered Spider, and Lapsus$. These international groups operate from various locations on the dark web. Scattered Spider, for example, is also known as UNC3944, Scatter Swine, Oktapus, Octo Tempest, Storm-0875, and Muddled Libra.
While individual users have limited recourse against organized cybercrime, maintaining constant vigilance is crucial for personal safety. Social engineering tactics are effective because they exploit human emotions and trust. However, companies can proactively mitigate the risk of vishing attacks.
Organizations can implement awareness programs and scenario-based training to educate employees about these tactics. Additional verification methods, such as on-camera checks with corporate badges or government-issued IDs, and security questions that cannot be easily answered online, can also be employed. Strengthening security through phishing-resistant multi-factor authentication, such as number matching or geo-verification via authenticator apps, is also recommended. Number matching requires users to enter numbers from the identity platform into the authenticator app for authentication approval, while geo-verification uses the user’s physical location as an additional authentication factor.
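The number-matching check described above can be sketched from the identity platform's side. This is an added example, not code from the article or from any vendor's product; the class name, the two-digit number, the 60-second lifetime and the three-attempt limit are all assumptions chosen for illustration.

```python
import hmac
import secrets
import time

CHALLENGE_TTL_SECONDS = 60   # assumed lifetime of a pending sign-in
MAX_ATTEMPTS = 3             # assumed limit on wrong entries


class NumberMatchingVerifier:
    """Identity-platform side of a number-matching push approval (illustrative)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # request_id -> [number, expiry, attempts_left]

    def start_sign_in(self):
        """Create a challenge; the number is displayed on the sign-in screen only."""
        request_id = secrets.token_urlsafe(16)
        number = f"{secrets.randbelow(100):02d}"
        expiry = self._clock() + CHALLENGE_TTL_SECONDS
        self._pending[request_id] = [number, expiry, MAX_ATTEMPTS]
        return request_id, number

    def approve(self, request_id, typed_number):
        """Called by the authenticator app with the number the user typed."""
        entry = self._pending.get(request_id)
        if entry is None:
            return "unknown_request"
        number, expiry, attempts_left = entry
        if self._clock() > expiry:
            del self._pending[request_id]
            return "expired"
        # Constant-time comparison; a bare "approve" tap carries no number
        # and therefore can never match.
        if hmac.compare_digest(number.encode(), str(typed_number).encode()):
            del self._pending[request_id]  # single use
            return "approved"
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[request_id]  # stop guessing against this request
            return "denied_locked"
        return "denied_mismatch"
```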




