Cybercrime groups are combining voice calls with phishing kits to compromise single sign-on credentials in real time, with ShinyHunters-branded attackers already stealing data from multiple organizations and issuing extortion demands.
Multiple cybercrime groups are using custom phishing kits combined with phone calls to trick victims into surrendering their SSO credentials and approving multifactor authentication requests. The attackers register fake domains that mimic legitimate SSO portals, then deploy voice-phishing kits that remotely control what victims see in their browsers while calling them. This synchronization between spoken prompts and authentication screens increases success rates. At least two victims have been confirmed: SoundCloud, which lost data on approximately 36 million users (20% of its user base), and Betterment, a financial services company breached on January 9th through social engineering.
The current attacks share characteristics with previous ShinyHunters campaigns. Last fall, ShinyHunters abused third-party vendors to gain initial access to multiple company networks, impacting over 700 Salesforce customer environments. The group has established a pattern of exploiting vendor relationships and SSO vulnerabilities to breach organizations at scale.
According to TechRadar, the attacks follow a sophisticated, multi-stage process. Threat actors first profile their victims, researching the applications and IT support phone numbers used by the target organization. They then deploy a customized phishing site and call victims using spoofed company or support phone numbers. During the call, attackers trick victims into visiting the fake phishing site and attempting to log in. The stolen credentials are immediately relayed to the attacker, who uses them to access the legitimate service in real time. If the system presents any form of non-phishing-resistant MFA, attackers can update the phishing site during the active call to prompt users to complete the authentication process.
TechRadar reports that the quality and agility of these phishing kits have made vishing attacks more popular among cybercriminals. Attackers can control what pages victims see in their browsers in perfect synchronization with the instructions they provide over the phone, allowing them to defeat any form of MFA that is not phishing-resistant.
Cynthia Kaiser, senior vice president of Halcyon's ransomware research center, explained, "While these campaigns occur often, the difference here is the amount of success in the recent campaign is slightly higher. That's likely because of the believable content and the use of voice phishing versus just phishing. If you're getting a call and it's personalized and it's changing in real time — that feels believable, that's a different element that people don't necessarily have their guard up for."
Single sign-on (SSO) systems allow users to access multiple applications with one set of credentials. While SSO improves user experience and can enhance security when properly implemented, it also creates a single point of failure. If attackers compromise SSO credentials, they gain access to all connected systems and applications.
Voice phishing, or "vishing," combines social engineering with phone calls to manipulate victims into disclosing sensitive information or performing actions that compromise security.
The success of these voice-phishing attacks demonstrates that even organizations with proper technical safeguards remain vulnerable when attackers effectively manipulate human psychology.
The real-time synchronization between voice calls and browser-controlled authentication screens creates a scenario where even security-aware employees may fall victim. This is dangerous for healthcare organizations handling protected health information, where a single compromised SSO account could provide attackers access to entire patient databases, billing systems, and clinical applications.
That the campaign's success rate is "slightly higher" than that of typical phishing campaigns signals that traditional security awareness training may not prepare employees for this type of personalized, real-time attack. Healthcare organizations must recognize that their identity and access management systems face threats that technical controls alone cannot prevent.
Organizations must use phishing-resistant two-factor authentication to defend against these vishing attacks. According to TechRadar, this includes passkeys or other phishing-resistant 2FA solutions, ideally using multiple methods for redundancy. Healthcare organizations handling protected health information should prioritize implementing these technical controls alongside employee training on vishing tactics and verification procedures for authentication requests.
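The relay attack described above works because a password and a one-time code can be typed into any page and replayed to the real service. A passkey (WebAuthn) assertion is bound to the origin the browser actually showed the user, so the relying party can reject what a lookalike domain produced. The following is an added Python illustration of the server-side origin and RP ID checks, not code from the article or any vendor; the domains, challenge and authenticator data are constructed stand-ins.

```python
import base64
import hashlib
import json

# Assumed legitimate SSO relying party (hypothetical values).
RP_ID = "sso.example.com"
EXPECTED_ORIGIN = "https://sso.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def verify_client_data(client_data_json: bytes, expected_challenge: str) -> str:
    """Checks a relying party makes on clientDataJSON before looking at the signature.
    Returns "ok" or the reason for rejection."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return "challenge mismatch (replayed or foreign challenge)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        # A page served from a lookalike domain can only ever carry its own origin here.
        return f"origin mismatch: {cd.get('origin')}"
    return "ok"


def verify_rp_id_hash(authenticator_data: bytes) -> bool:
    """First 32 bytes of authenticatorData are SHA-256 of the RP ID the browser enforced."""
    return authenticator_data[:32] == hashlib.sha256(RP_ID.encode()).digest()


def make_client_data(origin: str, challenge: str) -> bytes:
    # Constructed stand-in for the structure the browser itself fills in and the
    # authenticator signs; a real browser never lets the page choose "origin".
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


CHALLENGE = b64url(b"server-issued-random-challenge-0001")  # constructed
LEGIT = make_client_data("https://sso.example.com", CHALLENGE)
PHISHED = make_client_data("https://sso-example-login.com", CHALLENGE)  # lookalike, constructed

# Constructed authenticatorData: rpIdHash || flags (UP|UV) || signCount.
LEGIT_AUTH_DATA = hashlib.sha256(b"sso.example.com").digest() + b"\x05" + b"\x00\x00\x00\x01"
PHISHED_AUTH_DATA = hashlib.sha256(b"sso-example-login.com").digest() + b"\x05" + b"\x00\x00\x00\x01"

if __name__ == "__main__":
    print("legit:", verify_client_data(LEGIT, CHALLENGE), verify_rp_id_hash(LEGIT_AUTH_DATA))
    print("phished:", verify_client_data(PHISHED, CHALLENGE), verify_rp_id_hash(PHISHED_AUTH_DATA))
```

A full verifier also checks the signature over authenticatorData and the clientDataJSON hash; the two checks shown are the ones a relayed login from a lookalike domain fails first.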
Compromising SSO credentials gives attackers immediate access to multiple connected systems, making it more efficient than targeting applications one by one.
No, the attacks exploit human behavior rather than technical flaws in SSO platforms or identity provider infrastructure.
Indicators often include unusual MFA enrollments, new device registrations, abnormal login locations, or sudden access to multiple SaaS applications.
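A detection that correlates those indicators per user inside a short window, as an added Python example (not from the article); the SSO audit events and field names are constructed and hypothetical, and flagging requires at least two of the signals to reduce noise from a single legitimate change.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SSO audit events; one user shows the pattern, one does not.
EVENTS = [
    {"ts": "2026-01-09T14:02:10", "user": "alice", "event": "login", "country": "US", "app": "mail"},
    {"ts": "2026-01-09T14:03:05", "user": "alice", "event": "mfa_enroll", "country": "DE", "app": "sso"},
    {"ts": "2026-01-09T14:03:40", "user": "alice", "event": "device_register", "country": "DE", "app": "sso"},
    {"ts": "2026-01-09T14:04:12", "user": "alice", "event": "login", "country": "DE", "app": "hr"},
    {"ts": "2026-01-09T14:04:30", "user": "alice", "event": "login", "country": "DE", "app": "crm"},
    {"ts": "2026-01-09T14:05:01", "user": "alice", "event": "login", "country": "DE", "app": "billing"},
    {"ts": "2026-01-09T09:00:00", "user": "bob", "event": "login", "country": "US", "app": "mail"},
    {"ts": "2026-01-09T09:20:00", "user": "bob", "event": "login", "country": "US", "app": "crm"},
]
# Countries each user has historically logged in from (constructed baseline).
BASELINE = {"alice": {"US"}, "bob": {"US"}}
WINDOW = timedelta(minutes=30)
APP_THRESHOLD = 3


def find_suspicious_users(events, baseline_countries, window=WINDOW, app_threshold=APP_THRESHOLD):
    """Return {user: [reasons]} for users with two or more takeover signals in one window."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        times = [datetime.fromisoformat(e["ts"]) for e in evs]
        for start in times:  # slide the window from each event
            chunk = [e for e, t in zip(evs, times) if start <= t <= start + window]
            kinds = {e["event"] for e in chunk}
            apps = {e["app"] for e in chunk if e["event"] == "login"}
            new_geo = {e["country"] for e in chunk} - baseline_countries.get(user, set())
            reasons = []
            if "mfa_enroll" in kinds:
                reasons.append("new MFA enrollment")
            if "device_register" in kinds:
                reasons.append("new device registration")
            if new_geo:
                reasons.append("login from unseen country: " + ",".join(sorted(new_geo)))
            if len(apps) >= app_threshold:
                reasons.append(f"{len(apps)} apps accessed within window")
            if len(reasons) >= 2:
                findings[user] = reasons
                break
    return findings


if __name__ == "__main__":
    print(find_suspicious_users(EVENTS, BASELINE))
```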