The cybercrime syndicate Scattered LAPSUS$ Hunters (SLH) is reportedly offering monetary incentives to recruit women for its vishing campaigns targeting IT help desks. According to Dataminr, the move is designed to make the group's social engineering more effective by using female voices to impersonate employees.
Financial Incentives and Recruitment
SLH is known to offer between $500 and $1,000 per call to women and to provide them with pre-written scripts to execute the phishing attacks. This strategy appears to be a deliberate attempt to diversify the group's social engineering tactics and increase the success rate of its impersonations.
The group, which includes members from LAPSUS$, Scattered Spider, and ShinyHunters, has a history of sophisticated social engineering techniques that bypass multi-factor authentication (MFA) through methods such as MFA prompt bombing and SIM swapping.
Modus Operandi of SLH
SLH targets IT help desks and call centers, posing as employees to trick them into resetting passwords or installing remote access tools. Once initial access is acquired, Scattered Spider is known to move laterally within virtual environments, escalate privileges, and extract sensitive corporate information.
Some attacks have escalated to deploying ransomware. The group uses legitimate services and residential proxy networks like Luminati and OxyLabs to avoid detection, and employs tools such as Ngrok, Teleport, and various file-sharing services.
Strategic Use of Tools and Techniques
A report by Palo Alto Networks Unit 42, tracking Scattered Spider as Muddled Libra, highlights their skill in exploiting human psychology by impersonating employees to reset passwords and MFA.
In one instance, the group created a virtual machine after obtaining credentials, using it for reconnaissance and attempting to extract data from the target’s systems. They have a notable history of targeting Microsoft Azure, using tools like ADRecon for cloud resource access.
Defense Measures and Recommendations
Organizations are advised to be vigilant and train IT support personnel to recognize pre-written scripts and polished impersonation attempts. Strengthening identity verification methods and moving away from SMS-based MFA are recommended to thwart these attacks.
Dataminr emphasizes that this recruitment strategy marks an evolution in SLH’s tactics, likely aiming to bypass traditional attacker profiles and improve impersonation success rates.
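The help-desk pattern described above (a password reset and an MFA reset pushed through support for the same account) and the advice to move away from SMS-based MFA can both be checked against identity audit logs. The following is an added example, not code from Dataminr, Unit 42 or any vendor; the event field names, action values and the 60-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample identity audit events (not from any real tenant).
# Field names and action values are assumptions for this example.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "action": "password_reset", "initiator": "helpdesk"},
    {"ts": "2024-05-01T09:12:00", "user": "alice", "action": "mfa_enroll", "initiator": "helpdesk", "method": "sms"},
    {"ts": "2024-05-01T10:00:00", "user": "bob", "action": "password_reset", "initiator": "self"},
    {"ts": "2024-05-01T10:05:00", "user": "bob", "action": "mfa_enroll", "initiator": "self", "method": "fido2"},
    {"ts": "2024-05-01T11:00:00", "user": "carol", "action": "password_reset", "initiator": "helpdesk"},
    {"ts": "2024-05-01T15:30:00", "user": "carol", "action": "mfa_enroll", "initiator": "helpdesk", "method": "totp"},
    {"ts": "2024-05-02T08:00:00", "user": "dave", "action": "mfa_enroll", "initiator": "self", "method": "sms"},
]

WINDOW = timedelta(minutes=60)  # assumed review window; tune to the local help desk workflow


def review_queue(events, window=WINDOW):
    """Return sorted (user, reason) findings for manual review."""
    findings = set()
    last_hd_reset = {}  # user -> time of most recent help-desk password reset
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["action"] == "password_reset" and ev["initiator"] == "helpdesk":
            last_hd_reset[user] = ts
        elif ev["action"] == "mfa_enroll":
            # Password and MFA both changed through the help desk within one
            # short window: the trail an impersonation call leaves behind.
            reset = last_hd_reset.get(user)
            if ev["initiator"] == "helpdesk" and reset is not None and ts - reset <= window:
                findings.add((user, "helpdesk_password_and_mfa_reset"))
            # SMS factors stay exposed to SIM swapping whoever enrolled them.
            if ev.get("method") == "sms":
                findings.add((user, "sms_mfa_enrolled"))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in review_queue(EVENTS):
        print(f"{user}: {reason}")
```

Findings are candidates for a call-back or manager confirmation, not proof of compromise; legitimate lockouts produce the same sequence.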
