< ciso
brief />
Tag Banner

All news with #vishing tag

30 articles

Helix vishing group targets SharePoint data theft

🔒 A new extortion group dubbed Helix uses vishing, device-code phishing, and MFA abuse to access and exfiltrate files from SharePoint environments. Operators impersonate managers via phone calls and spoofed caller IDs to trick employees into granting access, then register authenticators for persistence and bulk-download content. ReliaQuest links Helix tactics and infrastructure to prior groups like ShinyHunters and BlackFile, and recommends disabling device-code authentication and restricting SharePoint to managed devices.
read more →

Vishing campaign abuses Entra passkey enrollment

🔔 A threat actor is using voice-based fake security calls to trick Microsoft 365 users into enrolling a malicious Entra passkey. The attacker directs victims to realistic phishing pages that mimic the Microsoft enrollment flow and uses an operator-controlled PHP kit to capture credentials and MFA responses in real time. Okta attributes the campaign to O-UNC-066, linked to the extortion group Pink, which targets multiple industries and quickly exfiltrates data after account takeover.
read more →

Shop app abused to deliver callback phishing scams

🛒 Researchers warn that threat actors are abusing Shop, Shopify’s order-tracking app, by adding fake purchase receipts to users' histories to trick them into calling scam phone numbers. Fraudulent receipts impersonate brands like Apple, PayPal, Norton, and McAfee, and aim to collect credentials, payment details, OTPs, or persuade victims to install remote access software. Users are advised to verify charges with their bank rather than call numbers on suspicious receipts.
read more →

Silent Ransom Group Targets U.S. Law Firms Now

🛡️ Mandiant reports the Silent Ransom Group (UNC3753) is targeting U.S. law firms and professional services with invoice-themed phishing followed by voice calls impersonating IT staff. Attackers use callback phishing to trick victims into installing remote support tools like AnyDesk or Zoho Assist, granting access to networks and enabling rapid data theft and extortion. The campaign involves phishing domains, self-destructing messaging, and fast-flux infrastructure to host leak sites.
read more →

Charter Communications breach exposes 4.9M accounts

🔒 The ShinyHunters extortion gang claims to have stolen personal details from 4.9 million Charter Communications accounts after a vishing attack in early April that compromised an employee's Microsoft Entra account. Charter confirmed the incident but says no sensitive PII or CPNI was exfiltrated, while Have I Been Pwned verified leaked records containing names, emails, addresses, phone numbers and some job titles. The group published stolen Salesforce data after a ransom was refused.
read more →

Charter Confirms Breach After ShinyHunters Extortion

🔒 Charter Communications confirmed a data breach after the ShinyHunters extortion group claimed to have stolen millions of customer records. The company says it is notifying authorities and maintains that No sensitive personal information (PI) or CPNI was exfiltrated. ShinyHunters alleges the intrusion began via a vishing attack that compromised an employee's Microsoft Entra account and allowed access to Salesforce data.
read more →

BlackFile (UNC6671): Vishing and SSO extortion campaign

🔐 Google Threat Intelligence Group (GTIG) details UNC6671, operating as "BlackFile," which uses large-scale voice phishing (vishing) and adversary-in-the-middle techniques to bypass MFA and compromise SSO access. The group targets Microsoft 365 and Okta, leveraging Python and PowerShell scripts to automate exfiltration and repurpose valid session cookies to "stream" files. GTIG highlights detection indicators such as python-requests User-Agent mismatches, nonstandard IP infrastructure, and subdomain-based credential-harvesting sites to aid defenders.
read more →

Vishing and SSO Abuse Drive Rapid SaaS Extortion Campaigns

🔒 Cybercrime clusters Cordial Spider and Snarky Spider are executing fast, low-footprint extortion campaigns that rely on vishing and SSO adversary-in-the-middle pages to harvest credentials and MFA codes. After registering devices and suppressing notification emails, attackers pivot directly into SaaS platforms such as Google Workspace, HubSpot, SharePoint, and Salesforce to locate and exfiltrate high-value files. Researchers note heavy use of living-off-the-land techniques and residential proxies to minimize detection.
read more →

Romanian Leader of Swatting Ring Sentenced to 4 Years

🚨 A Romanian national, Thomasz Szabo, was sentenced to four years in U.S. federal prison after pleading guilty to conspiracy and threats involving explosives. Extradited from Romania in November 2024, Szabo led an online swatting community that organized bomb threats and swatting calls beginning in late 2020 and targeting more than 75 public officials, journalists, and religious institutions. The court also ordered three years of supervised release.
read more →

BlackFile Extortion Group Targets Retail and Hospitality

📞 Unit 42 and RH-ISAC report BlackFile has targeted retail and hospitality since Feb 2026, linking activity to CL-CRI-1116 and overlaps with UNC6671/Cordial Spider. The group uses vishing—impersonating IT helpdesks with spoofed VoIP—and phishing pages that mimic corporate SSO, plus antidetect browsers and residential proxies to harvest credentials and OTPs. After access they register devices to bypass MFA, escalate privileges, and exfiltrate data via Salesforce and SharePoint APIs. Recommendations include caller identity checks, strict escalation for IT support, and simulation-based phone-security training.
read more →

ADT Confirms Customer Data Breach After ShinyHunters Threat

🔒 ADT confirmed unauthorized access to customer and prospective customer data detected on April 20, saying it terminated the intrusion and opened an investigation. The company reported that stolen information was limited to names, phone numbers, and addresses, with a small subset including dates of birth and the last four digits of SSNs or Tax IDs. ADT emphasized no payment data or customer security systems were affected. ShinyHunters claims over 10 million records were taken after a vishing attack that allegedly compromised an employee’s Okta SSO and accessed Salesforce data.
read more →

BlackFile extortion gang targets retail and hospitality

📞 BlackFile, a financially motivated extortion group active since February 2026, is using vishing and spoofed VoIP/CNAM calls to impersonate IT support and harvest employee credentials and one-time passcodes. Palo Alto Networks' Unit 42 and RH-ISAC report attackers register devices to bypass multifactor authentication, escalate to executive accounts, and search Salesforce and SharePoint via APIs for files containing terms like 'confidential' and 'SSN'. Stolen data is moved to attacker-controlled infrastructure and published on a dark web leak site before seven-figure ransom demands are issued; victims have also faced swatting and targeted harassment. Organizations are advised to tighten call-handling policies, enforce caller identity verification, and conduct simulation-based social engineering training.
read more →

Caller-as-a-Service Fuels Industrialized Phone Scams

📞 Flare outlines how a mature "Caller-as-a-Service" ecosystem professionalizes vishing by dividing labor across specialists—from data traders to supervised callers—and operating like legitimate call centers. Recruitment ads demand native English, OPSEC, and sometimes live screen-sharing for real-time supervision. Compensation varies (fixed, success-based, hybrid), and payouts can be delayed pending downstream monetization. The result is lower technical barriers, higher efficiency, and increased detection difficulty.
read more →

ATHR: AI Voice Agents Enable Fully Automated Vishing

🔊 A new platform called ATHR automates telephone-oriented attacks by combining AI voice agents and optional human operators to carry out vishing campaigns and harvest credentials across services including Google, Microsoft, and major crypto platforms. Researchers at Abnormal say ATHR bundles email templates, spoofing, WebRTC/Asterisk routing, and per-target customization into a dashboard that controls distribution, calls, and logging. The service is marketed on underground forums for $4,000 plus a commission and greatly lowers the skill barrier for attackers.
read more →

Vishing Leads to Compromise via Microsoft Teams Support

🔒 In this Cyberattack Series report, Microsoft Incident Response (DART) details an identity-first, human-operated intrusion that began with persistent Microsoft Teams voice phishing (vishing). After two failed attempts, the attacker persuaded a third employee to grant remote access via Quick Assist, then directed the user to a spoofed web form to capture corporate credentials and download multiple payloads. An early, disguised MSI sideloaded a malicious DLL to establish outbound command-and-control. DART contained the activity, removed artifacts, and recommends tightening external collaboration and disabling unnecessary remote-access utilities.
read more →

SLH Offers $500–$1,000 Per Call to Recruit Female Vishing

⚠️ Scattered LAPSUS$ Hunters (SLH) is reportedly paying $500–$1,000 upfront per call to recruit women for voice phishing campaigns against IT help desks, Dataminr says. The group provides pre-written scripts and leverages advanced social engineering techniques, including MFA prompt bombing and SIM swapping, to gain access. Actors then deploy tunneling tools, residential proxies and legitimate file-sharing services to move laterally, escalate privileges, and exfiltrate data, with some intrusions resulting in ransomware.
read more →

Optimizely Confirms Data Breach Following Vishing Attack

📢 Optimizely has confirmed a data breach after attackers used a sophisticated voice‑phishing (vishing) campaign to gain access to some internal systems on or before February 11. The company says the intruders accessed certain CRM records, internal back‑office documents, and basic business contact information but could not escalate privileges, install software, or create backdoors. Optimizely reports no evidence of access to sensitive customer data or personal information beyond business contacts, and business operations remain uninterrupted. It is warning customers to be vigilant for follow‑on phishing attempts leveraging the exposed contact details.
read more →

Taxing times: Top IRS scams to watch for in 2026 season

🔍Tax season 2026 brings a renewed surge in IRS-related scams as fraudsters exploit email, text and phone channels to steal refunds and personal data. Scammers impersonate the IRS, tax preparers or software vendors with spoofed logos, domains and caller IDs, and may demand unusual payments or coax victims into filing fraudulent returns. Watch for phishing/smishing/vishing, W-2 fraud, fake tax credits and dishonest preparers. Protect accounts with MFA, consider an IP PIN, file early and report suspicious messages to phishing@irs.gov.
read more →

Mandiant: ShinyHunters Exploit SSO and Vishing Campaigns

🔒 Mandiant reports a recent wave of ShinyHunters attacks that combine targeted vishing and company‑branded phishing sites to capture SSO credentials and MFA codes. Attackers impersonate IT or helpdesk staff, guide victims through MFA approval or one‑time passcodes in real time, and enroll attacker-controlled MFA devices. With access to Okta, Microsoft Entra, or Google SSO dashboards they pivot into SaaS platforms (Salesforce, Microsoft 365, SharePoint, DocuSign, Slack, Atlassian, Dropbox, Google Drive) to steal and extort cloud data.
read more →

Mandiant: Vishing Campaign Steals MFA to Breach SaaS

📞 Google-owned Mandiant reported an expansion of ShinyHunters-style extortion activity that combines advanced voice phishing with fake credential-harvesting sites to capture SSO credentials and MFA codes to access cloud SaaS environments. The team is tracking multiple clusters (UNC6661, UNC6671, UNC6240) and observed attackers impersonating IT staff, registering attacker-controlled MFA devices, and exfiltrating data from services such as SharePoint and OneDrive. Mandiant recommends strengthening help-desk verification, improving logging and detection, restricting weak authentication methods, and adopting phishing-resistant options like FIDO2 or passkeys.
read more →