https://www.okta.com/blog/threat-intelligence/phishing-kits-adapt-to-the-script-of-callers

ShinyHunters has targeted around 100 organisations in its latest Okta single sign-on (SSO) credential-stealing campaign, according to Silent Push researchers and Google’s Mandiant team. The campaign uses evolved voice-phishing techniques to compromise SSO credentials and enroll threat-actor-controlled devices into victims’ multi-factor authentication solutions. The identity-theft operation focused on high-value enterprises across multiple industries; technology and software firms including Atlassian, AppLovin, Canva, Epic Games, Genesys, HubSpot, Iron Mountain, RingCentral, and ZoomInfo are among the targeted organisations listed by Silent Push. Silent Push clarified that detection of active targeting or infrastructure preparation does not confirm successful breaches: the firm stated that it has no intelligence on specific successful attacks but believes all listed organisations have been targeted.

Google’s Mandiant confirmed that it is tracking the new, ongoing ShinyHunters-branded campaign. It noted that after gaining initial access, the actors pivot into SaaS environments to exfiltrate sensitive data, and that an actor identifying as ShinyHunters has approached some victim organisations with extortion demands.

The campaign came to light last week after Okta issued an alert about criminals voice-phishing for SSO credentials to target organisational accounts. ShinyHunters subsequently confirmed that it was behind the operation and had gained access to Crunchbase and Betterment by voice-phishing their Okta single sign-on codes. The criminal group leaked what it claimed to be more than 20 million records belonging to Betterment and 2 million belonging to Crunchbase, demonstrating the scale and impact of successful compromises within this campaign. These identity attacks are not caused by security flaws in the products or infrastructure themselves; they exploit human vulnerabilities through social engineering tactics that bypass traditional authentication protections.