ciso brief

All news with #vishing tag

24 articles

BlackFile (UNC6671): Vishing and SSO extortion campaign

🔐 Google Threat Intelligence Group (GTIG) details UNC6671, operating as "BlackFile," which uses large-scale voice phishing (vishing) and adversary-in-the-middle techniques to bypass MFA and compromise SSO access. The group targets Microsoft 365 and Okta, leveraging Python and PowerShell scripts to automate exfiltration and repurpose valid session cookies to "stream" files. GTIG highlights detection indicators such as python-requests User-Agent mismatches, nonstandard IP infrastructure, and subdomain-based credential-harvesting sites to aid defenders.

Vishing and SSO Abuse Drive Rapid SaaS Extortion Campaigns

🔒 Cybercrime clusters Cordial Spider and Snarky Spider are executing fast, low-footprint extortion campaigns that rely on vishing and SSO adversary-in-the-middle pages to harvest credentials and MFA codes. After registering devices and suppressing notification emails, attackers pivot directly into SaaS platforms such as Google Workspace, HubSpot, SharePoint, and Salesforce to locate and exfiltrate high-value files. Researchers note heavy use of living-off-the-land techniques and residential proxies to minimize detection.

Romanian Leader of Swatting Ring Sentenced to 4 Years

🚨 A Romanian national, Thomasz Szabo, was sentenced to four years in U.S. federal prison after pleading guilty to conspiracy and threats involving explosives. Extradited from Romania in November 2024, Szabo led an online swatting community that organized bomb threats and swatting calls beginning in late 2020 and targeting more than 75 public officials, journalists, and religious institutions. The court also ordered three years of supervised release.

BlackFile Extortion Group Targets Retail and Hospitality

📞 Unit 42 and RH-ISAC report BlackFile has targeted retail and hospitality since Feb 2026, linking activity to CL-CRI-1116 and overlaps with UNC6671/Cordial Spider. The group uses vishing—impersonating IT helpdesks with spoofed VoIP—and phishing pages that mimic corporate SSO, plus antidetect browsers and residential proxies to harvest credentials and OTPs. After access they register devices to bypass MFA, escalate privileges, and exfiltrate data via Salesforce and SharePoint APIs. Recommendations include caller identity checks, strict escalation for IT support, and simulation-based phone-security training.

ADT Confirms Customer Data Breach After ShinyHunters Threat

🔒 ADT confirmed unauthorized access to customer and prospective customer data detected on April 20, saying it terminated the intrusion and opened an investigation. The company reported that stolen information was limited to names, phone numbers, and addresses, with a small subset including dates of birth and the last four digits of SSNs or Tax IDs. ADT emphasized no payment data or customer security systems were affected. ShinyHunters claims over 10 million records were taken after a vishing attack that allegedly compromised an employee’s Okta SSO and accessed Salesforce data.

BlackFile extortion gang targets retail and hospitality

📞 BlackFile, a financially motivated extortion group active since February 2026, is using vishing and spoofed VoIP/CNAM calls to impersonate IT support and harvest employee credentials and one-time passcodes. Palo Alto Networks' Unit 42 and RH-ISAC report attackers register devices to bypass multifactor authentication, escalate to executive accounts, and search Salesforce and SharePoint via APIs for files containing terms like 'confidential' and 'SSN'. Stolen data is moved to attacker-controlled infrastructure and published on a dark web leak site before seven-figure ransom demands are issued; victims have also faced swatting and targeted harassment. Organizations are advised to tighten call-handling policies, enforce caller identity verification, and conduct simulation-based social engineering training.

Caller-as-a-Service Fuels Industrialized Phone Scams

📞 Flare outlines how a mature "Caller-as-a-Service" ecosystem professionalizes vishing by dividing labor across specialists—from data traders to supervised callers—and operating like legitimate call centers. Recruitment ads demand native English, OPSEC, and sometimes live screen-sharing for real-time supervision. Compensation varies (fixed, success-based, hybrid), and payouts can be delayed pending downstream monetization. The result is lower technical barriers, higher efficiency, and increased detection difficulty.

ATHR: AI Voice Agents Enable Fully Automated Vishing

🔊 A new platform called ATHR automates telephone-oriented attacks by combining AI voice agents and optional human operators to carry out vishing campaigns and harvest credentials across services including Google, Microsoft, and major crypto platforms. Researchers at Abnormal say ATHR bundles email templates, spoofing, WebRTC/Asterisk routing, and per-target customization into a dashboard that controls distribution, calls, and logging. The service is marketed on underground forums for $4,000 plus a commission and greatly lowers the skill barrier for attackers.

Vishing Leads to Compromise via Microsoft Teams Support

🔒 In this Cyberattack Series report, Microsoft Incident Response (DART) details an identity-first, human-operated intrusion that began with persistent Microsoft Teams voice phishing (vishing). After two failed attempts, the attacker persuaded a third employee to grant remote access via Quick Assist, then directed the user to a spoofed web form to capture corporate credentials and download multiple payloads. An early, disguised MSI sideloaded a malicious DLL to establish outbound command-and-control. DART contained the activity, removed artifacts, and recommends tightening external collaboration and disabling unnecessary remote-access utilities.

SLH Offers $500–$1,000 Per Call to Recruit Female Vishing

⚠️ Scattered LAPSUS$ Hunters (SLH) is reportedly paying $500–$1,000 upfront per call to recruit women for voice phishing campaigns against IT help desks, Dataminr says. The group provides pre-written scripts and leverages advanced social engineering techniques, including MFA prompt bombing and SIM swapping, to gain access. Actors then deploy tunneling tools, residential proxies and legitimate file-sharing services to move laterally, escalate privileges, and exfiltrate data, with some intrusions resulting in ransomware.

Optimizely Confirms Data Breach Following Vishing Attack

📢 Optimizely has confirmed a data breach after attackers used a sophisticated voice‑phishing (vishing) campaign to gain access to some internal systems on or before February 11. The company says the intruders accessed certain CRM records, internal back‑office documents, and basic business contact information but could not escalate privileges, install software, or create backdoors. Optimizely reports no evidence of access to sensitive customer data or personal information beyond business contacts, and business operations remain uninterrupted. It is warning customers to be vigilant for follow‑on phishing attempts leveraging the exposed contact details.

Taxing times: Top IRS scams to watch for in 2026 season

🔍 Tax season 2026 brings a renewed surge in IRS-related scams as fraudsters exploit email, text and phone channels to steal refunds and personal data. Scammers impersonate the IRS, tax preparers or software vendors with spoofed logos, domains and caller IDs, and may demand unusual payments or coax victims into filing fraudulent returns. Watch for phishing/smishing/vishing, W-2 fraud, fake tax credits and dishonest preparers. Protect accounts with MFA, consider an IP PIN, file early and report suspicious messages to phishing@irs.gov.

Mandiant: ShinyHunters Exploit SSO and Vishing Campaigns

🔒 Mandiant reports a recent wave of ShinyHunters attacks that combine targeted vishing and company‑branded phishing sites to capture SSO credentials and MFA codes. Attackers impersonate IT or helpdesk staff, guide victims through MFA approval or one‑time passcodes in real time, and enroll attacker-controlled MFA devices. With access to Okta, Microsoft Entra, or Google SSO dashboards they pivot into SaaS platforms (Salesforce, Microsoft 365, SharePoint, DocuSign, Slack, Atlassian, Dropbox, Google Drive) to steal and extort cloud data.

Mandiant: Vishing Campaign Steals MFA to Breach SaaS

📞 Google-owned Mandiant reported an expansion of ShinyHunters-style extortion activity that combines advanced voice phishing with fake credential-harvesting sites to capture SSO credentials and MFA codes to access cloud SaaS environments. The team is tracking multiple clusters (UNC6661, UNC6671, UNC6240) and observed attackers impersonating IT staff, registering attacker-controlled MFA devices, and exfiltrating data from services such as SharePoint and OneDrive. Mandiant recommends strengthening help-desk verification, improving logging and detection, restricting weak authentication methods, and adopting phishing-resistant options like FIDO2 or passkeys.

ShinyHunters Launch Vishing Campaign Targeting 100s

📞 Notorious extortion group ShinyHunters released tens of gigabytes of files it claims were stolen from dating services including Hinge, Match, OkCupid and Bumble. Researchers link the disclosures to a broader campaign that combines automated phishing kits with voice-based social engineering to capture credentials and MFA tokens in real time. Security firm Silent Push detected a 'Live Phishing Panel' and infrastructure consistent with SLSH activity targeting more than 100 high-value organizations. Organizations are advised to verify IT support calls through official out-of-band channels and audit OSS logs for suspicious device enrollments and new-IP logins.

Okta Warns of Real-Time Vishing Attacks Bypassing MFA

🔔 Okta Threat Intelligence has warned that cybercriminals are combining vishing calls with adaptable phishing sites to social-engineer victims and bypass multi-factor authentication (MFA). Attackers perform reconnaissance, spoof internal IT support numbers during calls and direct users to customized phishing pages that update in real time. Stolen credentials are relayed to attackers who then generate fake MFA prompts to obtain approvals and gain account access.

ShinyHunters Claim Responsibility for SSO Vishing Attacks

📞 ShinyHunters says it is behind a wave of voice-phishing campaigns that compromise single sign-on accounts at Okta, Microsoft Entra, and Google, enabling access to downstream SaaS platforms. Attackers call employees posing as IT, steer victims through dynamic phishing pages and capture multi-factor authentication in real time, then enumerate connected applications to harvest data. The group claims Salesforce as a primary target and has issued extortion demands using stolen information.

Okta SSO Accounts Targeted by Vishing Phishing Kits

🔔 Okta warns of bespoke vishing phishing kits sold as a service that enable live adversary-in-the-middle attacks to steal Okta SSO credentials. These kits include a C2 panel that lets callers control the victim's authentication flow in real time and synchronize fraudulent MFA dialogs to bypass push-based protections. Okta urges adoption of phishing-resistant MFA such as Okta FastPass, FIDO2 security keys, or passkeys and recommends user education and vendor notifications.

Harvard Alumni Systems Breached in Voice Phishing Attack

📞 Harvard University disclosed that systems used by Alumni Affairs and Development were accessed in a phone‑based phishing attack discovered on November 18, 2025. Exposed information includes email addresses, phone numbers, home and business addresses, event attendance records, donation details, and biographical data for alumni, donors, some students, faculty and staff. The university stated the compromised systems did not contain Social Security numbers, passwords, payment card data, or financial account information. Harvard sent notifications on November 22 and is working with law enforcement and third‑party cybersecurity experts to investigate and remediate the incident.

Europol Raises Alarm Over Caller ID Spoofing Crisis

🚨 Europol has issued a Position Paper warning of a rising wave of caller ID spoofing, where criminals falsify numbers to impersonate banks, government bodies or relatives. The agency estimates global losses around €850m annually and reports spoofing now underpins roughly 64% of phone- and SMS-related fraud. Europol calls for harmonized technical standards, stronger cross-border cooperation and regulatory convergence to make spoofing harder to perpetrate and easier to investigate.