Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks
https://thehackernews.com/2026/05/cybercrime-groups-using-vishing-and-sso.html
Publish Date: 2026-05-01 10:26:00
Source Domain: thehackernews.com
Cybersecurity researchers are warning of two cybercrime groups that are carrying out “rapid, high-impact attacks” while operating almost exclusively within the confines of SaaS environments and leaving minimal traces of their actions.
The clusters, Cordial Spider (aka BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (aka O-UNC-025 and UNC6661), have been attributed to high-speed data theft and extortion campaigns that share a remarkable degree of operational similarity. Both hacking groups are assessed to have been active since at least October 2025, with the latter a native English-speaking crew sharing ties to the e-crime ecosystem known as The Com.
“In most cases, these adversaries use voice phishing (vishing) to direct targeted users to malicious, SSO-themed adversary-in-the-middle (AiTM) pages, where they capture authentication data and pivot directly into SSO-integrated SaaS applications,” CrowdStrike’s Counter Adversary Operations said in a report.
“By operating almost exclusively within trusted SaaS environments, they minimize their footprint while accelerating time to impact. The combination of speed, precision, and SaaS-only activity creates significant detection and visibility challenges for defenders.”
In a report published back in January 2026, Google-owned Mandiant revealed that the two clusters represent an expansion in threat activity that employs tactics consistent with extortion-themed attacks carried out by the ShinyHunters group. This involves impersonating IT staff in calls to deceive victims and obtain their credentials and multi-factor authentication (MFA) codes by directing them to phishing pages.
[Image: Snarky Spider begins exfiltration in under an hour]
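A defender-side correlation for the pattern described above, as an added example that is not from the article or from the vendor reports it cites: it flags an SSO login from a source IP new to the user when that login is followed within one hour, from the same IP, by access to several SaaS apps or by any bulk export. The event schema, event names, thresholds, baseline and sample records are all constructed assumptions, not a real identity provider's log format.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # assumption: mirrors the "under an hour" figure above
MIN_APPS = 3                 # assumption: distinct SaaS apps that count as fan-out

# Constructed events in a hypothetical normalized schema:
# (timestamp, user, source_ip, event, app)
EVENTS = [
    ("2026-04-20T08:00:00", "alice", "203.0.113.10", "sso_login", "idp"),
    ("2026-04-20T08:02:00", "alice", "203.0.113.10", "app_access", "mail"),
    ("2026-04-20T08:05:00", "alice", "203.0.113.10", "app_access", "crm"),
    ("2026-04-20T08:09:00", "alice", "203.0.113.10", "app_access", "files"),
    ("2026-04-20T10:00:00", "bob", "198.51.100.77", "sso_login", "idp"),
    ("2026-04-20T10:04:00", "bob", "198.51.100.77", "app_access", "crm"),
    ("2026-04-20T10:09:00", "bob", "198.51.100.77", "app_access", "files"),
    ("2026-04-20T10:21:00", "bob", "198.51.100.77", "bulk_export", "files"),
    ("2026-04-20T10:30:00", "bob", "198.51.100.77", "app_access", "hr"),
    ("2026-04-20T11:00:00", "carol", "192.0.2.44", "sso_login", "idp"),
    ("2026-04-20T11:05:00", "carol", "192.0.2.44", "app_access", "mail"),
]
# Constructed baseline: source IPs already seen for each user.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.20"}, "carol": set()}

def find_rapid_pivots(events, known_ips, window=WINDOW, min_apps=MIN_APPS):
    """Flag an SSO login from an IP new to the user that is followed, inside
    `window` and from the same IP, by app fan-out or any bulk export."""
    rows = sorted((datetime.fromisoformat(ts), u, ip, ev, app)
                  for ts, u, ip, ev, app in events)
    alerts = []
    for i, (t0, user, ip, event, _) in enumerate(rows):
        if event != "sso_login" or ip in known_ips.get(user, set()):
            continue
        apps, first_export = set(), None
        for t, u, src, ev, app in rows[i + 1:]:
            if t - t0 > window:
                break
            if (u, src) != (user, ip) or ev == "sso_login":
                continue
            apps.add(app)
            if ev == "bulk_export" and first_export is None:
                first_export = int((t - t0).total_seconds() // 60)
        if len(apps) >= min_apps or first_export is not None:
            alerts.append({"user": user, "ip": ip, "login": t0.isoformat(),
                           "apps": sorted(apps),
                           "minutes_to_export": first_export})
    return alerts

if __name__ == "__main__":
    for alert in find_rapid_pivots(EVENTS, KNOWN_IPS):
        print(alert)
```

On the constructed data only bob's session is flagged: alice's fan-out comes from a known IP, and carol's new-IP login touches a single app with no export.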
As recently as last week, Palo Alto Networks Unit 42 and Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) assessed with moderate confidence that the attackers behind CL-CRI-1116 are also most likely associated with The Com, adding that the…
