{"id":237974,"date":"2026-04-27T04:15:00","date_gmt":"2026-04-27T08:15:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/27\/blackfile-group-targets-retail-and-hospitality-with-vishing-attacks\/"},"modified":"2026-05-01T15:00:13","modified_gmt":"2026-05-01T19:00:13","slug":"blackfile-group-targets-retail-and-hospitality-with-vishing-attacks","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/27\/blackfile-group-targets-retail-and-hospitality-with-vishing-attacks\/","title":{"rendered":"BlackFile Group Targets Retail and Hospitality with Vishing Attacks"},"content":{"rendered":"<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/blackfile-group-targets-retail\/\">BlackFile Group Targets Retail and Hospitality with Vishing Attacks<\/a><\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/blackfile-group-targets-retail\/\">https:\/\/www.infosecurity-magazine.com\/news\/blackfile-group-targets-retail\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-04-27 04:15:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.infosecurity-magazine.com\">www.infosecurity-magazine.com<\/a><\/p>\n<p>Security researchers have revealed details of a new extortion group that has been actively targeting retail and hospitality businesses since February 2026.<\/p>\n<p>Palo Alto Networks\u2019 Unit 42 teamed up with the Retail and Hospitality Information Security and Analysis Center (RH-ISAC)\u00a0to publish a new report on April 23, Extortion in the Enterprise: Defending Against BlackFile Attacks.<\/p>\n<p>It detailed financially-motivated activity linked to the activity cluster\u00a0CL-CRI-1116, which the authors said overlaps with public reporting on BlackFile,\u00a0UNC6671\u00a0and\u00a0Cordial Spider, and is likely to be associated with notorious collective \u201cThe Com.\u201d<\/p>\n<p>\u201cThe attackers behind CL-CRI-1116 do not rely on custom malware or tooling,\u201d it explained. \u201cRather, they focus on living off the land through misuse of application programming interfaces (APIs) and other legitimate internal resources.\u201d<\/p>\n<p>Read more on The Com: NCA Singles Out \u201cThe Com\u201d as it Chairs Five Eyes Group<\/p>\n<p>BlackFile typically targets victims through vishing attacks impersonating the IT helpdesk. Spoofed VoIP numbers or fraudulent Caller ID Names are used to hide their true identity and the end goal is credential\/one-time-password theft.<\/p>\n<p>To this end, the threat actors use phishing pages designed to spoof legitimate corporate single sign-on portals.<\/p>\n<p>\u201cThey also utilize antidetect browsers and residential proxies to mask their geographic location and bypass basic IP-based reputation filters,\u201d the report noted.<\/p>\n<h2><strong>From Access to Exfiltration<\/strong><\/h2>\n<p>After they\u2019ve gained physical access to a user\u2019s account via credential phishing, BlackFile often registers a new device in order to bypass multi-factor authentication (MFA) and maintain persistence.<\/p>\n<p>\u201cThe attackers also maintain access by moving laterally from standard employee accounts to high-privileged accounts. They scrape internal employee directories to obtain contact lists for executives,\u201d the report continued.<\/p>\n<p>\u201cBy compromising these senior accounts via&#8230;<\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/blackfile-group-targets-retail\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>BlackFile Group Targets Retail and Hospitality with Vishing Attacks https:\/\/www.infosecurity-magazine.com\/news\/blackfile-group-targets-retail\/ Publish Date: 2026-04-27 04:15:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":237975,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/assets.infosecurity-magazine.com\/webpage\/og\/8f1542b2-a0eb-4b50-b2c1-5f7720d720c4.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[32,25],"class_list":["post-237974","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-malware","tag-phishing"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/237974"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=237974"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/237974\/revisions"}],"predecessor-version":[{"id":237976,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/237974\/revisions\/237976"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/237975"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=237974"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=237974"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=237974"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}