ShinyHunters Exploit SSO Weaknesses in Real-Time Vishing Attacks

Listen with caution.
Lily Morris
Contributing Writer

A wave of voice phishing attacks is giving cybercrime groups direct access to corporate systems protected by single sign-on and multifactor authentication. The method combines phone calls with phishing infrastructure that imitates trusted login pages, guiding victims step by step as they approve access.

A group using the ShinyHunters name has claimed involvement, leaked stolen data, and contacted organizations with payment demands.

Threat researchers from Mandiant, Okta, and Sophos describe a campaign that depends on tight coordination and precise timing.

Attackers register domains that closely resemble legitimate SSO portals, then place calls while controlling what appears in the victim’s browser. Once access is gained, cloud applications and SaaS platforms become the next target, leading to data theft, extortion, and follow-on abuse such as fraudulent messages sent to customers.

Why It Matters: Identity systems are being used exactly as designed, just under the attacker’s control. The campaign shows how persuasion and timing can turn strong authentication into an entry point for compromise.

  • Live Phone Calls Drive Authentication Abuse: The defining feature of this campaign is the live interaction. Attackers stay on the phone while victims visit spoofed SSO pages, then prompt them to enter credentials or approve MFA requests on cue. This coordination removes the hesitation often seen in email-only phishing attempts.
  • Campaign Tracked as Active and Ongoing: Mandiant says the activity linked to the ShinyHunters name is continuing and evolving, with attackers enrolling their own devices into victim MFA systems. That step allows continued access after the initial login and speeds up movement into SaaS environments where sensitive data is stored.
  • Phishing Kits Built for Identity Imitation: Okta researchers have identified multiple kits designed for voice phishing operators. These kits include panels that replicate sign-in flows for Okta, Microsoft, Google, and cryptocurrency services, allowing operators to switch targets and tailor attacks with minimal effort.
  • Confirmed Data Theft and Extortion Pressure: SoundCloud disclosed that personal data tied to roughly 36 million users was taken during a breach discovered in December. Betterment reported unauthorized system access through social engineering and a follow-up scam that pushed fake cryptocurrency offers to customers. In several cases, attackers followed access with ransom demands.
  • Wide Target Pool and Uncertain Attribution: Sophos has tracked about 150 domains connected to this activity, many themed around SSO services and aimed at organizations in finance, education, energy, retail, and real estate. Researchers caution that the ShinyHunters name alone does not confirm authorship, since cybercrime actors frequently reuse well-known identities.

Go Deeper -> A new wave of ‘vishing’ attacks is breaking into SSO accounts in real time – CyberScoop
