👤 CIPHERWARDEN
🗓️ 02 Oct 2025  

Inside the ShinyHunters’ Salesforce Swindle: Google and Mandiant Unmask a Social Engineering Storm

Cybercriminals use cunning phone tricks, not software flaws, to breach Salesforce and cloud platforms - Google and Mandiant reveal how the “UNC6040” crew pulls off its high-stakes heists.

Fast Facts

  • ShinyHunters, aka UNC6040, targets Salesforce via phone-based social engineering (“vishing”).
  • Google’s own systems were among those compromised by these tactics.
  • Attackers pose as support staff, tricking employees into revealing credentials or installing fake tools.
  • Stolen login details are used for further attacks on platforms like Okta and Microsoft 365.
  • Mandiant recommends live video ID checks and strong multi-factor authentication to counteract these threats.

The Art of the Con: How ShinyHunters Outsmart the Gatekeepers

Imagine a master illusionist who, instead of breaking into a vault, convinces the guards to hand over the keys. That’s the essence of the ShinyHunters’ latest caper, as detailed by Google and Mandiant this week. Rather than hacking code, this group - tracked as UNC6040 - uses old-fashioned persuasion, targeting the human element at the heart of even the most high-tech organizations.

Victims, often employees of multinational corporations, receive phone calls from attackers posing as trusted support personnel. With convincing pretexts and a dash of urgency, the attackers manipulate staff into installing a rogue version of the Salesforce Data Loader - a legitimate-seeming tool that, once installed and authorized, hands the attackers a backstage pass to the company’s most sensitive data. The breach often isn’t discovered until months later, when the intruders - sometimes claiming the ShinyHunters name - demand payment to keep the stolen data under wraps.
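A rogue Data Loader leaves a trace that defenders can look for: bulk exports from a client application and source address the user has never used before, starting minutes after the tool is first authorized. The script below is an added example, not code from the article or from Google or Mandiant. The CSV layout is a constructed, simplified stand-in for Salesforce event log files (real Event Monitoring exports carry many more columns and different field names), and every log row is constructed, not captured data. The baseline cutoff, window and row threshold are this example's own assumptions.

```python
"""Flag bulk exports from a (client IP, application) pair a user never used before.

Added example. The column names and sample rows are constructed; adapt the
parser to your real Salesforce event log file format before relying on it.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Alice has used Data Loader from her usual address
# for weeks; Bob's session from a new address uses Data Loader for the first
# time and immediately exports hundreds of thousands of rows.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP,USER_NAME,CLIENT_IP,APPLICATION,ROWS_PROCESSED
Login,2025-09-01T08:02:00Z,alice@example.com,203.0.113.10,Salesforce Web,0
BulkApi,2025-09-01T08:30:00Z,alice@example.com,203.0.113.10,Data Loader,5000
Login,2025-09-02T08:05:00Z,alice@example.com,203.0.113.10,Salesforce Web,0
Login,2025-09-29T14:11:00Z,bob@example.com,198.51.100.77,Salesforce Web,0
Login,2025-09-29T14:40:00Z,bob@example.com,192.0.2.55,Data Loader,0
BulkApi,2025-09-29T14:42:00Z,bob@example.com,192.0.2.55,Data Loader,250000
BulkApi,2025-09-29T14:47:00Z,bob@example.com,192.0.2.55,Data Loader,310000
BulkApi,2025-09-29T14:55:00Z,bob@example.com,192.0.2.55,Data Loader,275000
BulkApi,2025-09-30T09:00:00Z,alice@example.com,203.0.113.10,Data Loader,600000
"""

BASELINE_CUTOFF = datetime(2025, 9, 28)   # assumed: events before this are "known good"
BURST_WINDOW = timedelta(minutes=30)      # assumed: sliding window for export volume
ROW_THRESHOLD = 500_000                   # assumed: rows within one window that warrant an alert


def parse_events(log_text):
    """Parse the CSV into dicts with typed timestamp and row count, sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(log_text)):
        row["TIMESTAMP"] = datetime.strptime(row["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        row["ROWS_PROCESSED"] = int(row["ROWS_PROCESSED"])
        events.append(row)
    events.sort(key=lambda e: e["TIMESTAMP"])
    return events


def build_baseline(events, cutoff):
    """Per user, the set of (client IP, application) pairs seen before the cutoff."""
    seen = defaultdict(set)
    for e in events:
        if e["TIMESTAMP"] < cutoff:
            seen[e["USER_NAME"]].add((e["CLIENT_IP"], e["APPLICATION"]))
    return seen


def find_suspicious_exports(log_text, cutoff=BASELINE_CUTOFF,
                            window=BURST_WINDOW, threshold=ROW_THRESHOLD):
    """Return one alert per user/IP/app triple whose bulk exports after the cutoff
    come from a never-seen pair and exceed `threshold` rows inside `window`."""
    events = parse_events(log_text)
    baseline = build_baseline(events, cutoff)
    candidates = defaultdict(list)
    for e in events:
        if e["TIMESTAMP"] < cutoff or e["EVENT_TYPE"] != "BulkApi":
            continue
        pair = (e["CLIENT_IP"], e["APPLICATION"])
        if pair in baseline[e["USER_NAME"]]:
            continue  # known tool from a known address: not this detection's concern
        candidates[(e["USER_NAME"],) + pair].append(e)

    alerts = []
    for (user, ip, app), evs in candidates.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most `window`
            while evs[end]["TIMESTAMP"] - evs[start]["TIMESTAMP"] > window:
                start += 1
            total = sum(x["ROWS_PROCESSED"] for x in evs[start:end + 1])
            if total >= threshold:
                alerts.append({
                    "user": user, "client_ip": ip, "application": app,
                    "rows_in_window": total,
                    "window_start": evs[start]["TIMESTAMP"].isoformat(),
                })
                break  # one alert per triple is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_exports(SAMPLE_LOG):
        print(alert)
```

Alice's large export on 30 September is not flagged because her Data Loader use from 203.0.113.10 is part of the baseline; Bob's exports are flagged because the address and the application are both new for him and the volume crosses the threshold within minutes. In production the baseline would come from weeks of history rather than a fixed date, and the alert would be enriched with the OAuth connected-app identity so that an unapproved Data Loader clone stands out from the genuine one.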

Beyond Salesforce: The Domino Effect of Compromised Credentials

ShinyHunters’ ambition doesn’t stop at Salesforce. Once inside, the attackers hunt for login details that unlock other systems - Okta (for identity management), Microsoft 365 (for email and files), and more. This lateral movement is like finding one open window and using it to unlock every door in the house.

These attacks mirror past social engineering campaigns, such as those by “Scattered Spider,” where attackers use deep knowledge of corporate processes to trick even well-trained employees. According to credible reports from Mandiant and Google’s Threat Intelligence Team, the weakness isn’t the software, but the ease with which attackers can impersonate support staff - especially with so much employee information publicly available on social networks.

Countermeasures: Raising the Bar for Trust

Mandiant’s advice is clear: trust, but verify - and then verify again. Instead of relying on easy-to-find details like birthdays or supervisor names, organizations should implement live video calls for identity verification, requiring employees to show IDs alongside their faces. For sensitive requests, such as resetting multi-factor authentication, out-of-band verification - like calling the employee’s official number or checking with a manager - adds another layer of defense.

For third-party requests, the rules are even stricter: never act on a single phone call. Always confirm through official channels and require verifiable support tickets. Companies are urged to empower employees to report suspicious interactions easily and to deploy robust security tools like single sign-on and phishing-resistant physical keys.
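The two paragraphs above amount to a verification policy: knowledge that attackers can harvest from public profiles never counts, an MFA reset needs a live video ID check plus an out-of-band confirmation, and a third-party request needs a verifiable ticket plus confirmation through an official channel rather than a single phone call. The evaluator below is an added example that encodes that policy for a help desk; it is not a published Google or Mandiant control, and the request types, evidence names and rule groupings are this example's own assumptions.

```python
"""Help-desk verification policy evaluator (added example; rules are assumptions
modelled on the guidance summarised in the article, not a vendor's control)."""
from dataclasses import dataclass, field

# Details an attacker can find on social networks or in a leaked directory.
# They are never accepted as proof of identity, no matter how many are offered.
KNOWLEDGE_BASED = {"birthday", "supervisor_name", "employee_id", "home_address"}

# Evidence that requires the requester to be reachable or visible in real time,
# or that a second, independent party has confirmed the request.
STRONG = {
    "live_video_id",                   # caller shows ID next to their face on video
    "out_of_band_callback",            # help desk calls the number on file, not the caller's
    "manager_confirmation",            # manager confirms the request separately
    "support_ticket",                  # ticket in the organisation's own system
    "official_channel_confirmation",   # vendor contact reached via published contact details
}

# For each request type, a list of groups; at least one item from every group is
# required, so an MFA reset needs a video check AND an independent confirmation.
POLICY = {
    "password_reset": [{"live_video_id"}],
    "mfa_reset": [{"live_video_id"}, {"out_of_band_callback", "manager_confirmation"}],
    "install_tool": [{"live_video_id"}, {"support_ticket"}],
    "third_party_access": [{"support_ticket"}, {"official_channel_confirmation"}],
}


@dataclass
class Decision:
    approved: bool
    reasons: list = field(default_factory=list)


def evaluate(request_type, evidence):
    """Decide whether the collected evidence satisfies the policy for this request.

    `evidence` is the set of verification steps the help desk has actually
    completed. Unknown request types are denied; weak or unrecognised evidence is
    reported but ignored, so offering more of it never helps.
    """
    evidence = set(evidence)
    reasons = []

    weak = evidence & KNOWLEDGE_BASED
    if weak:
        reasons.append(f"ignored knowledge-based evidence: {sorted(weak)}")
    unrecognised = evidence - KNOWLEDGE_BASED - STRONG
    if unrecognised:
        reasons.append(f"ignored unrecognised evidence: {sorted(unrecognised)}")
    usable = evidence & STRONG

    groups = POLICY.get(request_type)
    if groups is None:
        reasons.append(f"no policy for request type {request_type!r}; denied by default")
        return Decision(False, reasons)

    missing = [sorted(g) for g in groups if not (usable & g)]
    for group in missing:
        reasons.append(f"missing one of: {group}")
    if not missing:
        reasons.append("all required verification groups satisfied")
    return Decision(not missing, reasons)


if __name__ == "__main__":
    # A caller who only knows the employee's birthday and boss gets nowhere.
    print(evaluate("mfa_reset", {"birthday", "supervisor_name"}))
    # Video check alone is not enough for an MFA reset; add the callback.
    print(evaluate("mfa_reset", {"live_video_id"}))
    print(evaluate("mfa_reset", {"live_video_id", "out_of_band_callback"}))
    # A vendor's single phone call is not evidence of anything.
    print(evaluate("third_party_access", {"phone_call"}))
```

The point of the structure is that the policy is a conjunction of independent checks: an attacker who has perfected one pretext still has to defeat a second channel they do not control, and piling on publicly available facts leaves the `missing` list unchanged.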

As cloud services become the backbone of business, the human factor remains both the strongest link and the greatest vulnerability. The ShinyHunters remind us that sometimes, the most dangerous hacks happen not in code, but in conversation. Organizations must arm their people with skepticism and support, closing the door on attackers who talk their way past digital defenses.

WIKICROOK

  • Social Engineering: Social engineering is the use of deception by hackers to trick people into revealing confidential information or providing unauthorized system access.
  • Vishing: Vishing is a phone scam where attackers impersonate trusted entities to steal sensitive information or money through deceptive calls.
  • Lateral Movement: Lateral movement is when attackers, after breaching a network, move sideways to access more systems or sensitive data, expanding their control and reach.
  • Multi: Multi refers to using a combination of different technologies or systems - like LEO and GEO satellites - to improve reliability, coverage, and security.
  • Single Sign-On (SSO): Single Sign-On lets users access multiple services with one login, simplifying access but increasing risk if credentials are compromised.

CIPHERWARDEN
Cyber Encryption Architect