The TL;DR
- Cybercrime group ShinyHunters impersonates trusted parties to trick people
- They urgently request access or a configuration change
- This post shares their playbook and your prevention checklist
- Scroll down for a free, <2-minute video briefing that you can use to arm your people
In this post, we’ll cover the threat posed by ShinyHunters, the cybercrime group behind several recent attacks: how they operate and how your people can spot them. ShinyHunters is known for collaborating with other threat actors, such as Scattered Spider, on large-scale data breaches and supply chain attacks. Their initial access rarely depends on a clever exploit; it usually comes from social engineering and phishing campaigns that talk an employee into handing over credentials, approving an MFA prompt, or authorizing a rogue application, which gives the attackers a foothold in internal systems and Salesforce environments. Where an exposed vulnerability is available they will use that too, but people are the primary attack surface.
The threat: Who are ShinyHunters?
ShinyHunters is a cybercrime group known for breaching high-profile organizations and selling the stolen customer data on criminal forums and the dark web. Like other threat groups, they target cloud storage and SaaS platforms to reach sensitive data, including Salesforce records and source code. Breaches of this kind expose customer records, stored and hashed passwords, and source code, which the group then monetizes through extortion and resale. ShinyHunters publicly claims responsibility for its breaches, so an affected company must watch for its stolen data appearing for sale and for continued exfiltration from the compromised environment.
They’ve been linked to breaches at companies such as Ticketmaster, Santander, Google, and Workday, typically by abusing access to cloud and CRM platforms such as Salesforce rather than by exploiting the platform itself. Their calling card: sophisticated social engineering paired with opportunistic targeting of big datasets.
Targeted cohorts
The most valuable targets for ShinyHunters are people with access to databases of people, ideally customers. The key targeted cohort is employees with access to Salesforce or another CRM. High-value sectors such as financial institutions, retail, and technology firms are frequently targeted because of the size and resale value of their customer data.
How they operate: Inside the ShinyHunters playbook
ShinyHunters reaches out to your employees using basic data that is easy to find, such as names, titles, emails, and phone numbers. They rely on social engineering rather than malware on the endpoint: voice phishing (vishing) calls, phishing pages that mimic a corporate or Salesforce login, and modified versions of legitimate tools, such as a trojanized Salesforce Data Loader or a fake “ticket portal” app. On the call they impersonate a trusted person from HR, IT, payroll, or a vendor and make an urgent request (“We need this right away”), using escalating commitment to extract just one more detail or one small configuration tweak. A common goal is to get the user to authorize a malicious connected app in their Salesforce org, which hands the attacker an API token that works even after the call ends, or to enter credentials and an MFA code on a phishing domain.
How to prevent ShinyHunters attacks
Urge your people to be vigilant about urgent requests, even from known people, and not to take chances. Specifically, they should:
- Not share passwords, MFA codes, or other sensitive information by phone, text, or email.
- Not make system configuration changes, including approving a new connected app or login, on the strength of a phone call, text, or email.
- Verify requests like this through a trusted channel, or ideally, establish a verification process ahead of time.
- Use phishing simulations to train employees to recognize phishing attacks and social engineering campaigns.
- Protect internal systems and Salesforce data from unauthorized access: restrict which users hold the API Enabled permission, control which connected apps users may authorize, and alert on new app authorizations and unusually large exports.
- Use threat intelligence and detection and response tooling to spot attacker access early and respond as the threat evolves. Regularly reviewing reporting from trusted sources such as Google Cloud, Mandiant, or CISA helps keep awareness and response current.
What to do if you’re compromised
If your people do fall victim (entirely or part-way), they should:
- Stop interacting (hang up, stop texting)
- Alert security
- Save the message or capture screenshots
- Block caller or sender
And you should:
- Review call logs, if applicable
- Notify impacted parties (customers, employees, vendors)
- Trace the entry point (CRM, etc.)
- Monitor for suspicious activity or account compromise
- Update policies
- Deliver targeted employee interventions to avoid repeat incident
- Strengthen response capabilities: revoke the attacker’s sessions and OAuth tokens, disable any connected app they authorized, monitor for data exfiltration, and use tooling such as Salesforce Shield (event monitoring) to watch the Salesforce environment and manage connected apps.
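The playbook above describes the attacker getting a user to authorize a rogue connected app (or a trojanized Data Loader) and then pulling large volumes of records over the API; the prevention and response lists both call for monitoring connected apps and watching for exfiltration. The script below is an added example, not code from the original post or from Fable Security or Salesforce, showing what that monitoring looks like in practice. It runs three checks over API event records: a connected-app allow-list, a per-request bulk-export threshold, and a per-user volume total that catches an approved tool (the real Data Loader) being used to drain the org. The log rows are constructed sample data using a simplified subset of the Salesforce EventLogFile "API" columns, and the allow-list and thresholds are hypothetical values a team would tune for its own org.

```python
"""Flag likely connected-app abuse and bulk exfiltration in Salesforce API logs.

Added example (not from the original post, Fable Security, or Salesforce).
Assumptions, labelled: the rows below are constructed sample data in a
simplified EventLogFile "API" layout; the approved-app set and the
thresholds are hypothetical and must be tuned per organisation.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample log (not real data). User 005A0000002 uses the genuine
# Data Loader but exports far more than normal; user 005A0000003 has
# authorised an app that is not on the approved list.
SAMPLE_LOG = """\
TIMESTAMP,USER_ID,CLIENT_NAME,API_TYPE,ENTITY_NAME,ROWS_PROCESSED,REQUEST_STATUS
2025-08-11T09:02:11Z,005A0000001,Salesforce for Outlook,REST,Account,20,Success
2025-08-11T09:05:40Z,005A0000002,Data Loader Bulk,BulkV2,Contact,250000,Success
2025-08-11T09:06:02Z,005A0000002,Data Loader Bulk,BulkV2,Account,180000,Success
2025-08-11T09:10:15Z,005A0000003,My Ticket Portal,REST,Case,50,Success
2025-08-11T09:12:30Z,005A0000001,Salesforce for Outlook,REST,Contact,15,Success
"""

# Hypothetical allow-list: connected apps the org has reviewed and approved.
APPROVED_APPS = {"Salesforce for Outlook", "Data Loader Bulk"}

# Hypothetical thresholds: rows in one bulk request, and total rows per user
# across the log window, above which a human should look.
BULK_ROW_THRESHOLD = 100_000
PER_USER_ROW_THRESHOLD = 300_000


def parse_api_events(text):
    """Parse CSV API event rows into dicts, coercing ROWS_PROCESSED to int."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ROWS_PROCESSED"] = int(row["ROWS_PROCESSED"] or 0)
        events.append(row)
    return events


def find_alerts(events, approved_apps=APPROVED_APPS,
                bulk_threshold=BULK_ROW_THRESHOLD,
                user_threshold=PER_USER_ROW_THRESHOLD):
    """Return a list of alert dicts: rule, user, detail."""
    alerts = []
    rows_per_user = defaultdict(int)
    for e in events:
        app, user, rows = e["CLIENT_NAME"], e["USER_ID"], e["ROWS_PROCESSED"]
        # Rule 1: an app nobody approved is the signature of a rogue
        # connected app authorised under social-engineering pressure.
        if app not in approved_apps:
            alerts.append({"rule": "unapproved_app", "user": user,
                           "detail": f"{app} on {e['ENTITY_NAME']}"})
        # Rule 2: a single very large bulk job, approved tool or not.
        if e["API_TYPE"].startswith("Bulk") and rows >= bulk_threshold:
            alerts.append({"rule": "bulk_export", "user": user,
                           "detail": f"{rows} rows of {e['ENTITY_NAME']} via {app}"})
        rows_per_user[user] += rows
    # Rule 3: aggregate volume per user, so many mid-sized pulls are caught.
    for user, total in rows_per_user.items():
        if total >= user_threshold:
            alerts.append({"rule": "user_volume", "user": user,
                           "detail": f"{total} rows in window"})
    return alerts


def alert_counts(alerts):
    """Summarise alerts as {rule: count} for a dashboard or test."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    for a in find_alerts(parse_api_events(SAMPLE_LOG)):
        print(f"[{a['rule']}] user={a['user']} {a['detail']}")
```

On the sample data this raises one unapproved-app alert for the "ticket portal" app, two bulk-export alerts for the Data Loader jobs, and one per-user volume alert, which is the pattern to expect after a successful vishing call: a legitimate-looking tool, a legitimate user, and far more rows than that user has ever pulled. In a real deployment the rows would come from the EventLogFile or Shield Real-Time Event Monitoring feed and the thresholds from a baseline of normal export volumes.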
How Fable Security can help
Here’s a short, highly-specific video briefing you can download for free and share with your employees.
Get practical guidance to prevent modern social engineering attacks and build resilience across your organization. Then download our Five Must-Haves playbook for additional insights.
If you’d like risk-based briefings and nudges that are hyper-targeted and customized to your organization, try the Fable platform.