{"id":237905,"date":"2026-05-01T10:26:00","date_gmt":"2026-05-01T14:26:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/01\/cybercrime-groups-using-vishing-and-sso-abuse-in-rapid-saas-extortion-attacks\/"},"modified":"2026-05-01T12:05:09","modified_gmt":"2026-05-01T16:05:09","slug":"cybercrime-groups-using-vishing-and-sso-abuse-in-rapid-saas-extortion-attacks","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/01\/cybercrime-groups-using-vishing-and-sso-abuse-in-rapid-saas-extortion-attacks\/","title":{"rendered":"Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/cybercrime-groups-using-vishing-and-sso.html\">Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/cybercrime-groups-using-vishing-and-sso.html\">https:\/\/thehackernews.com\/2026\/05\/cybercrime-groups-using-vishing-and-sso.html<\/a><\/p>\n<p>Publish Date: 2026-05-01 10:26:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">May 01, 2026<\/span><\/span><\/p>\n<p>Cybersecurity researchers are warning of two cybercrime groups that are carrying out &#8220;rapid, high-impact attacks&#8221; operating almost within the confines of SaaS environments, while leaving minimal traces of their actions.<\/p>\n<p>The clusters, <strong>Cordial Spider<\/strong> (aka BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and <strong>Snarky Spider<\/strong> (aka O-UNC-025 and UNC6661), have been attributed to high-speed data theft and extortion campaigns that share a remarkable degree of operational similarities.
Both hacking groups are assessed to be active since at least October 2025, with the latter a native English-speaking crew sharing ties to the e-crime ecosystem known as The Com.<\/p>\n<p>&#8220;In most cases, these adversaries use voice phishing (vishing) to direct targeted users to malicious, SSO-themed adversary-in-the-middle (AiTM) pages, where they capture authentication data and pivot directly into SSO-integrated SaaS applications,&#8221; CrowdStrike&#8217;s Counter Adversary Operations said in a report.<\/p>\n<p>&#8220;By operating almost exclusively within trusted SaaS environments, they minimize their footprint while accelerating time to impact. The combination of speed, precision, and SaaS-only activity creates significant detection and visibility challenges for defenders.&#8221;<\/p>\n<p>In a report published back in January 2026, Google-owned Mandiant revealed that the two clusters represent an expansion in threat activity that employs tactics consistent with extortion-themed attacks carried out by the ShinyHunters group. 
This involves impersonating IT staff in calls to deceive victims and obtain their credentials and multi-factor authentication (MFA) codes by directing them to phishing pages.<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tr>\n<td style=\"text-align: center;\"><img decoding=\"async\" alt=\"\" border=\"0\" data-original-height=\"490\" data-original-width=\"1400\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhYWM2tonAkXkkTV7p_YSpwHCHL6CpDxi-WJ2UTzJFleW7CxlC6wWZ3h9jzmET-STunTOWDuzOwW02JS8WpFzAF5vnhuUcRcVrajGLql7Uxoeb5MGToS2vwPaE7vIO6VA4lv1cSkq-4Pjd8yj3-lcnVtN8bzNl6Uo4tuGm2J-ikFeEaSIzd6d0xWvRKYgzm\/s1600\/1000069835.webp\"\/><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Snarky Spider begins exfiltration in under an hour<\/td>\n<\/tr>\n<\/table>\n<p>As recently as last week, Palo Alto Networks Unit 42 and Retail &#038; Hospitality Information Sharing and Analysis Center (RH-ISAC) assessed with moderate confidence that the attackers behind CL-CRI-1116 are also most likely associated with The Com, adding that the&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/cybercrime-groups-using-vishing-and-sso.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks https:\/\/thehackernews.com\/2026\/05\/cybercrime-groups-using-vishing-and-sso.html Publish 
Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":237906,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi4FSyjacFNJX32YMLQvN6jUeVwGJfoAHPLMIhtU6aNS6hrkIUokynaWWzqxOjr1JsP0lIooaL0ppYM-iQ_rEH2ruoqMw1UAb_bq4FNjI16P6P7CpTaYSkJtp-TpCFKOce9ODtmzskcTZnuWFLYyUdfA0UeHqmRVVNB1P6Mw28a5Yuc7T1kgEx4Pcyxbcsr\/s1600\/vishing.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,25],"class_list":["post-237905","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-phishing"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/237905"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=237905"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/237905\/revisions"}],"predecessor-version":[{"id":237907,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/237905\/revisions\/237907"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/237906"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=237905"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=237905"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=237905"}],"curies":[{"name":"wp","href
":"https:\/\/api.w.org\/{rel}","templated":true}]}}