
Voice Phishing Ensnares Google and Microsoft Accounts

Following up on reports of the recent SoundCloud data breach, we now hear that the ShinyHunters culprits have claimed responsibility for voice phishing (or vishing, if you’re in a hurry) attacks at Microsoft, Okta and Google. In contrast to the standard email-based phishing schemes you might be familiar with, voice phishing, as the name implies, has cyber criminals posing as IT support or call center employees, trying to get their marks to enter credentials on convincing phishing sites or other login portals. The sites themselves give ShinyHunters dynamic control of what the target sees in real time, so the phishing site is shaped before the target's eyes as they’re guided into the trap of authentication.

With this shiny new access to an employee’s account, the hackers can follow the usual social engineering playbook and spread across the enterprise to other applications and services. At companies that link third-party applications together under a single login, hackers who compromise one account can access internal tools and business platforms, such as Salesforce, Microsoft 365, Dropbox, Adobe and Slack, and browse them at their leisure.

Confirming ownership of the attack, ShinyHunters informed BleepingComputer that Salesforce, which they have attacked previously and whose stolen data they continue to use in contacting employees, remains their primary interest, with other platforms just being a nice bonus.

Okta single sign-on also figures in another vishing story that comes nearly in time for Valentine’s Day: Match Group, owner of such dating apps as Tinder and Hinge and an Okta client, is notifying affected users about a breach of its own. The company is currently investigating this as a security incident in which a hacker group claims to have stolen reams of the company’s internal data, including user advertising IDs and corporate receipts. “Match Group takes the safety and security of our users seriously and acted quickly to terminate the unauthorized access,” says a spokesperson. Luckily for users, it does not seem like their login credentials, financial info or private communications were compromised.

We have recently examined the ways in which hackers can exploit dating apps, trust, and emotions to do their dirty work, and how people can stay on guard against such tactics. Users must remember to never share passwords or click links sent by matches, as these can lead to fraudulent login pages. Companies, meanwhile, should take the approach of layered security: utilizing multiple layers of cyber defense that combine strong authentication practices, data encryption, and more. Check out our heartfelt guide to better cybersecurity strategies here.

 

By: Jonathan Weicher, post on February 11, 2026
Originally published at: https://www.netlibsecurity.com
Copyright: NetLib Security