ShinyHunters Hackers: Google Target—Should We Worry?

Cyber crime group ShinyHunters has received global attention after Google urged 2.5 billion users to tighten their security following a breach of data held in Salesforce, a customer relationship management (CRM) platform.

Author

  • Jennifer Medbury

    Lecturer in Intelligence and Security, Edith Cowan University

Unlike data breaches where hackers directly break into databases holding valuable information, ShinyHunters - and several other groups - have recently targeted major companies through voice-based social engineering (also known as "vishing", short for voice phishing).

Social engineering is when a person is tricked or manipulated into providing information or performing actions that they wouldn't normally do.

In this case, to get access to protected systems, a criminal would pose as a member of the target company's IT helpdesk and convince an employee to share passwords and/or multi-factor authentication codes. Although vishing is not a new tactic, the use of deepfakes and generative artificial intelligence to clone voices is making this type of social engineering harder to detect.

Just this year, companies such as Qantas, Pandora, Adidas, Chanel, Tiffany & Co. and Cisco have all been targeted using similar tactics, with millions of users affected.

Who, or what, are ShinyHunters?

ShinyHunters first emerged in 2020 and claims to have successfully attacked 91 victims so far. The group is primarily after money, but has also been willing to cause reputational damage to their victims. In 2021, ShinyHunters announced they were selling data stolen from 73 million AT&T customers.

ShinyHunters has previously targeted companies through vulnerabilities within cloud applications and website databases. By targeting customer management providers such as Salesforce, cyber criminals can gain access to rich data sets from multiple clients in one attack.

The use of social engineering techniques is considered a relatively new tactic for ShinyHunters. This change in approach has been attributed to their links with other similar groups.

In mid-August, ShinyHunters posted on Telegram that they had been working with known threat actors Scattered Spider and Lapsus$ to target companies such as Salesforce and Allianz Life. The channel was taken down by Telegram within days of being launched. The group publicly released Allianz Life's Salesforce data, which included 2.8 million records relating to individual customers and corporate partners.

Scattered Lapsus$ Hunters, the newly rebranded group, recently advertised they had started providing ransomware as a service. This means they will launch ransomware attacks on behalf of other groups willing to pay them.

They claim their service is better than what's being offered by other cyber crime groups such as LockBit and DragonForce. Rather than negotiating directly with victims, the group often publishes public extortion messages.

Who are all these cyber criminals? There's likely a significant overlap of membership between ShinyHunters, Scattered Spider and Lapsus$. All these groups are international, with members operating on the dark web from various parts of the world.

Adding to the confusion, each group is known by multiple names. For example, Scattered Spider has been known as UNC3944, Scatter Swine, Oktapus, Octo Tempest, Storm-0875 and Muddled Libra.

How can we protect ourselves from vishing?

As everyday users and customers of large tech companies, there's little we can do in the face of organised cyber crime groups. Keeping yourself personally safe from scams means staying constantly vigilant.

Social engineering tactics can be highly effective because they prey on human emotions and the desire to trust and to be helpful.

But companies can also be proactive about reducing the risk of being targeted by vishing tactics.

Organisations can build awareness of these tactics and build scenario-based training into employee education programs. They can also use additional verification methods, such as on-camera checks where an employee shows a corporate badge or government-issued ID, or by asking questions that cannot easily be answered with information found online. These checks only help when the helpdesk, not the caller, controls the channel: a video call the caller sets up can itself be faked, so calling the employee back on the number or device already on file, or routing the request through their manager, is the stronger pattern.

Finally, organisations can strengthen login security by using better multi-factor authentication. Number matching requires a person to type a number displayed on the login screen into the authenticator app to approve the authentication request; it defeats bulk "push fatigue" attacks, but not a caller who is looking at that login screen and reads the number out. Geo-verification uses a person's physical location as an additional authentication factor. Neither is phishing-resistant in the sense used by CISA: that label is reserved for methods such as FIDO2/WebAuthn security keys and passkeys, which bind the credential to the genuine site and give the employee no code to read out over the phone.
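To make the difference concrete, here is a small Python model of a vishing call against three login mechanisms: a one-time code read aloud, a number-matching push prompt, and an origin-bound FIDO2/WebAuthn-style assertion. This is an added illustration, not code from the article or from any vendor; the origin names `sso.corp.example` and `corp-helpdesk.example` are hypothetical, and HMAC-SHA256 stands in for the authenticator's private-key signature.

```python
"""Why a code or push approval can be relayed over a phone call, but an
origin-bound assertion cannot. Added illustration; names are hypothetical and
HMAC stands in for the security key's private-key signature."""
import hashlib
import hmac
import secrets

CORP_RP_ID = "sso.corp.example"         # hypothetical genuine SSO origin
PHISH_RP_ID = "corp-helpdesk.example"   # hypothetical look-alike site the caller controls


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the joined parts (stand-in for a signature)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def six_digits(secret: bytes, counter: int) -> str:
    """Counter-based one-time code: any six digits a person can read aloud."""
    digest = mac(secret, counter.to_bytes(8, "big"))
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class Authenticator:
    """The employee's phone app / security key."""

    def __init__(self, otp_secret: bytes, fido_secret: bytes):
        self.otp_secret, self.counter = otp_secret, 0
        self.fido_credentials = {CORP_RP_ID: fido_secret}  # scoped to one origin at enrolment

    def next_otp(self) -> str:
        self.counter += 1
        return six_digits(self.otp_secret, self.counter)

    def get_assertion(self, rp_id: str, challenge: bytes):
        """Sign the challenge for the origin the browser reports; no credential, no signature."""
        key = self.fido_credentials.get(rp_id)
        return None if key is None else mac(key, rp_id.encode(), challenge)


class RelyingParty:
    """The company's login service; each login session gets its own challenge and number."""

    def __init__(self, otp_secret: bytes, fido_secret: bytes):
        self.otp_secret, self.fido_secret, self.otp_counter = otp_secret, fido_secret, 0
        self.sessions = {}  # session id -> (challenge bytes, number shown on screen)

    def start_login(self) -> str:
        sid = secrets.token_hex(4)
        self.sessions[sid] = (secrets.token_bytes(16), secrets.randbelow(100))
        return sid

    def verify_otp(self, code: str) -> bool:
        self.otp_counter += 1
        return hmac.compare_digest(code, six_digits(self.otp_secret, self.otp_counter))

    def verify_number_match(self, sid: str, typed: int) -> bool:
        return typed == self.sessions[sid][1]

    def verify_assertion(self, sid: str, assertion) -> bool:
        if assertion is None:
            return False
        expected = mac(self.fido_secret, CORP_RP_ID.encode(), self.sessions[sid][0])
        return hmac.compare_digest(assertion, expected)


def _setup():
    otp, fido = secrets.token_bytes(20), secrets.token_bytes(32)
    return RelyingParty(otp, fido), Authenticator(otp, fido)


def vish_otp() -> bool:
    """Caller: 'I'm from IT, read me the code in your app.' Returns True if attacker gets in."""
    rp, victim_app = _setup()
    rp.start_login()                        # attacker starts logging in as the victim
    return rp.verify_otp(victim_app.next_otp())  # the code is just data; relaying it works


def vish_number_matching() -> bool:
    """Caller: 'You'll get a prompt, type the number I tell you.' Number matching alone fails."""
    rp, _ = _setup()
    sid = rp.start_login()
    number_on_attacker_screen = rp.sessions[sid][1]
    return rp.verify_number_match(sid, number_on_attacker_screen)  # victim typed what was said


def vish_origin_bound_via_phish_page() -> bool:
    """Caller sends a link to a look-alike page; the browser scopes the credential to that origin."""
    rp, victim_app = _setup()
    sid = rp.start_login()
    assertion = victim_app.get_assertion(PHISH_RP_ID, rp.sessions[sid][0])  # no credential there
    return rp.verify_assertion(sid, assertion)


def vish_origin_bound_via_real_site() -> tuple:
    """Victim logs in on the real site; (victim's login ok, attacker's session ok)."""
    rp, victim_app = _setup()
    attacker_sid, victim_sid = rp.start_login(), rp.start_login()
    assertion = victim_app.get_assertion(CORP_RP_ID, rp.sessions[victim_sid][0])
    return rp.verify_assertion(victim_sid, assertion), rp.verify_assertion(attacker_sid, assertion)


if __name__ == "__main__":
    for scenario in (vish_otp, vish_number_matching, vish_origin_bound_via_phish_page,
                     vish_origin_bound_via_real_site):
        print(f"{scenario.__name__}: {scenario()}")
```

The first two scenarios succeed because the only thing the login needs is information the employee can speak; the last two fail because the assertion is tied both to the genuine origin and to a per-session challenge the caller never holds, which is the property "phishing-resistant" refers to.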

The Conversation

Jennifer Medbury does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.

/Courtesy of The Conversation. This material from the originating organization/author(s) might be of the point-in-time nature, and edited for clarity, style and length. Mirage.News does not take institutional positions or sides, and all views, positions, and conclusions expressed herein are solely those of the author(s).