
Jan 26, 2026 · 5 min read

That IT Support Call Is Actually Hackers Stealing Your Company's Data in Real Time

The ShinyHunters extortion gang is calling employees, walking them through fake login pages, and harvesting SSO credentials while the victim is still on the phone. SoundCloud, Crunchbase, and Betterment have already been breached.

[Image: office worker receiving a phone call while a login page is shown on the computer screen]

Your phone rings. The caller says they're from IT support. There's been suspicious activity on your account, and they need you to verify your credentials right away. They direct you to what looks like your company's login portal.

You enter your username, password, and the MFA code from your authenticator app. On the other end of the line, the attacker watches your credentials appear in real time on their control panel. Before you've even hung up, they're already logged into your account.

This is how the ShinyHunters extortion gang is breaching companies right now. And they've confirmed to security researchers that they're behind the attacks.

How the Attack Works

ShinyHunters uses a sophisticated combination of voice phishing and real-time credential harvesting that defeats most security measures.

The attackers start with information stolen from previous data breaches. They know employees' names, phone numbers, job titles, and which platforms their companies use. This makes their impersonation of IT support convincing.

When they call, they direct victims to phishing pages that perfectly mimic legitimate SSO login portals for services like Okta, Microsoft Entra (formerly Azure AD), and Google Workspace.

Unlike static phishing pages, these sites are controlled by web-based panels that let attackers modify what appears on screen in real time. If the victim hesitates or seems confused, the attacker can display new prompts or instructions while still on the call.

Most critically, the system captures MFA codes as victims enter them. Because the attacker uses the credentials immediately, within seconds of capture, even time-based one-time passwords (TOTP) are still valid. The entire authentication happens while the victim believes they're verifying their account with IT.

What Access They Gain

SSO credentials are master keys to corporate infrastructure. A single compromised account can provide access to every connected service.

Platforms at risk include:

  • Salesforce (customer data, contracts, communications)
  • Microsoft 365 (email, documents, SharePoint)
  • Google Workspace (email, Drive, calendar)
  • Dropbox (shared files and folders)
  • Slack and Microsoft Teams (internal communications)
  • Atlassian (Jira, Confluence, development workflows)
  • SAP and other business systems

Once inside, ShinyHunters browses connected applications and systematically harvests data. They then contact the company with extortion demands, threatening to leak or sell the stolen information.

Confirmed Victims

Several major companies have already confirmed breaches linked to this campaign:

SoundCloud: The streaming platform disclosed in December 2025 that attackers accessed data belonging to approximately 20% of its users, roughly 28 million people.

Crunchbase: The market intelligence company confirmed that "a threat actor exfiltrated certain documents" from their systems.

Betterment: The financial technology firm was breached, with compromised accounts subsequently abused for cryptocurrency scams targeting customers.

ShinyHunters has leaked data from these breaches and sent extortion demands to multiple additional companies. The full scope of victims remains unknown.

Connection to Scattered Spider

Security researchers believe ShinyHunters is closely connected to Scattered Spider, another notorious cybercrime group known for similar voice phishing attacks.

Scattered Spider was behind the devastating 2023 attacks on MGM Resorts and Caesars Entertainment that caused hundreds of millions in damages. The group recruits young, often native English speaking hackers who can convincingly impersonate IT staff.

The evolution from scripted pretexts to adaptive, real-time phishing illustrates how voice-based intrusions are being scaled and professionalized within the criminal ecosystem.

Why MFA Doesn't Stop This

Multi-factor authentication is designed to protect against password theft, but it wasn't built for real-time attacks where the attacker uses the captured credentials immediately.

When you enter your MFA code on a phishing page, the attacker captures it and enters it on the real login page within seconds. The code is still valid, the session is established, and the attacker is in.

Even push-notification-based MFA can be defeated. Attackers simply wait for the victim to approve the prompt, which they've been socially engineered to expect as part of the "verification process."

Only phishing-resistant MFA methods like hardware security keys (FIDO2/WebAuthn) are immune to these attacks, because the authenticator cryptographically verifies that the site requesting the credential is the one the credential was registered for; a look-alike domain cannot obtain a usable response.
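To make the difference concrete, here is an added example (my own code, not from the article or from any vendor) that models both sides of the comparison using only the Python standard library. The TOTP part follows RFC 6238 (HMAC-SHA1, 30-second step, six digits) and shows that a code captured on one page is accepted seconds later on another, because nothing in the code identifies where it was typed. The WebAuthn part is a simplified relying-party check in which an HMAC stands in for the authenticator's public-key signature (an assumption made to keep the example dependency-free); what matters is that the signed client data carries the origin the browser saw, so an assertion produced on a look-alike domain is rejected by the real site. All keys, secrets and origins are constructed values.

```python
"""Added example: relayed TOTP is accepted, relayed WebAuthn is not (stdlib only)."""
import base64
import hashlib
import hmac
import json
import struct

# --- TOTP (RFC 6238) -------------------------------------------------------

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP code for unix time `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps.
    Nothing here knows which page the user typed the code into, so a code
    captured on a look-alike page and forwarded to the real portal is valid."""
    return any(hmac.compare_digest(totp(secret, at + k * step, step), code)
               for k in range(-window, window + 1))

# --- WebAuthn assertion (simplified relying-party model) --------------------

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def authenticator_sign(cred_key: bytes, rp_id: str, client_data: dict) -> dict:
    """Model of an authenticator producing an assertion. The browser, not the
    page, fills in client_data["origin"]; the authenticator then signs
    authenticatorData || SHA-256(clientDataJSON). An HMAC keyed with
    `cred_key` stands in for the real ECDSA signature (assumption)."""
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    auth_data = rp_id_hash + b"\x01" + b"\x00\x00\x00\x01"  # flags=UP, counter=1
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return {
        "clientDataJSON": client_data_json,
        "authenticatorData": auth_data,
        "signature": hmac.new(cred_key, signed, hashlib.sha256).digest(),
    }

def verify_assertion(cred_key: bytes, expected_origin: str, rp_id: str,
                     challenge: str, assertion: dict) -> tuple:
    """Relying-party side: the origin check is what defeats a relayed login."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if assertion["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def demo() -> dict:
    """Run both scenarios with constructed values and return the outcomes."""
    secret = b"constructed-totp-seed"
    now = 1_700_000_000
    code_seen_by_attacker = totp(secret, now)           # typed on the fake page
    totp_relayed = verify_totp(secret, code_seen_by_attacker, now + 8)  # replayed 8 s later

    key = b"constructed-credential-key"
    rp_id, real_origin = "sso.example.com", "https://sso.example.com"
    challenge = b64url(b"\x01" * 16)  # constructed; a real RP uses a fresh random challenge
    base = {"type": "webauthn.get", "challenge": challenge}
    legit = authenticator_sign(key, rp_id, {**base, "origin": real_origin})
    # The browser records the look-alike origin the victim actually visited.
    phished = authenticator_sign(key, rp_id, {**base, "origin": "https://sso-verify.example.test"})
    return {
        "totp_relayed_accepted": totp_relayed,
        "webauthn_legit": verify_assertion(key, real_origin, rp_id, challenge, legit),
        "webauthn_relayed": verify_assertion(key, real_origin, rp_id, challenge, phished),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In a real browser the phishing page would fare even worse than this model shows: the browser refuses to invoke the authenticator for an RP ID that does not match the page's own domain, so the attacker never obtains an assertion for `sso.example.com` at all. The model keeps that step aside and shows only the origin check, which is the part a relying party implements itself.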

How to Protect Your Organization

For security teams:

  • Deploy hardware security keys for all employees with access to sensitive systems
  • Establish clear policies that IT will never call employees asking for credentials
  • Implement callback verification: if someone claims to be IT, hang up and call the official helpdesk number
  • Monitor for unusual SSO login patterns, especially logins from new locations immediately after phone calls
  • Review which applications are connected to your SSO and remove unnecessary integrations
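The monitoring point above is the one most teams can act on the same day, so here is an added example (my own code, not from the article or from any identity provider) of a small detector over SSO sign-in events. It flags a successful login from a country/ASN pair the user has never signed in from before, and a pair of successful logins from different countries closer together than plausible travel allows, and it raises the severity when the login used a relayable factor (TOTP or push) rather than FIDO2/WebAuthn. The JSON log format, the field names and the events themselves are constructed for the example; Okta, Entra and Google Workspace each export their own schema, so the `parse_events` function is the part to adapt.

```python
"""Added example: flag new-location and impossible-travel SSO logins (stdlib only)."""
from __future__ import annotations
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, newline-delimited JSON (not real logs).
SAMPLE_LOGS = """
{"ts":"2026-01-20T09:02:11Z","user":"alice","result":"SUCCESS","country":"US","asn":"AS7922","ip":"203.0.113.10","mfa":"totp"}
{"ts":"2026-01-21T09:05:40Z","user":"alice","result":"SUCCESS","country":"US","asn":"AS7922","ip":"203.0.113.10","mfa":"totp"}
{"ts":"2026-01-22T14:31:02Z","user":"alice","result":"SUCCESS","country":"US","asn":"AS7922","ip":"203.0.113.11","mfa":"totp"}
{"ts":"2026-01-23T10:12:05Z","user":"alice","result":"SUCCESS","country":"US","asn":"AS7922","ip":"203.0.113.10","mfa":"totp"}
{"ts":"2026-01-23T10:13:49Z","user":"alice","result":"SUCCESS","country":"NL","asn":"AS64496","ip":"198.51.100.7","mfa":"totp"}
{"ts":"2026-01-23T11:00:00Z","user":"bob","result":"FAILURE","country":"DE","asn":"AS64500","ip":"192.0.2.5","mfa":"none"}
{"ts":"2026-01-23T11:01:00Z","user":"bob","result":"SUCCESS","country":"DE","asn":"AS64500","ip":"192.0.2.5","mfa":"push"}
"""

IMPOSSIBLE_TRAVEL_WINDOW = timedelta(minutes=60)   # tune to your user base
PHISHING_RESISTANT = {"fido2", "webauthn"}          # factors that cannot be relayed

def parse_events(text: str) -> list[dict]:
    """Parse NDJSON sign-in events (constructed schema) and sort them by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect(events: list[dict]) -> list[dict]:
    """Walk successful logins in order, learning each user's usual locations.
    A user's first-ever login is not flagged (no baseline yet); every later
    login from an unseen (country, asn) pair is, as is any cross-country pair
    of logins inside IMPOSSIBLE_TRAVEL_WINDOW."""
    seen: dict[str, set] = defaultdict(set)   # user -> {(country, asn)}
    last_success: dict[str, dict] = {}        # user -> most recent success
    alerts = []
    for ev in events:
        if ev["result"] != "SUCCESS":
            continue
        user, loc = ev["user"], (ev["country"], ev["asn"])
        severity = "medium" if ev["mfa"] in PHISHING_RESISTANT else "high"
        common = {"user": user, "ts": ev["ts"].isoformat(), "ip": ev["ip"],
                  "mfa": ev["mfa"], "severity": severity}
        if seen[user] and loc not in seen[user]:
            alerts.append({**common, "rule": "new_location",
                           "detail": f"first login from {loc[0]}/{loc[1]}"})
        prev = last_success.get(user)
        if prev and prev["country"] != ev["country"] \
                and ev["ts"] - prev["ts"] < IMPOSSIBLE_TRAVEL_WINDOW:
            gap = int((ev["ts"] - prev["ts"]).total_seconds())
            alerts.append({**common, "rule": "impossible_travel",
                           "detail": f"{prev['country']} -> {ev['country']} in {gap}s"})
        seen[user].add(loc)
        last_success[user] = ev
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOGS)):
        print(json.dumps(alert))
```

Running this on the constructed sample produces two alerts for `alice`, both at high severity because her logins used TOTP: a `new_location` alert for the Netherlands login and an `impossible_travel` alert for the 104-second gap between a US and a Dutch login. `bob` produces nothing, since his single success is his baseline. A real deployment would persist the `seen` profiles rather than rebuild them per batch, and would feed the alerts into whatever queue your helpdesk already uses to confirm with the user out of band.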

For employees:

  • Never enter credentials on a page you reached through a link in a call, email, or message
  • If IT calls you, hang up and call them back through the official directory
  • Be suspicious of urgency: legitimate IT departments don't pressure you to act immediately
  • Report suspicious calls to your security team, even if you didn't fall for them

The Uncomfortable Reality

Voice phishing works because humans are the weakest link. No amount of technical security can fully protect against an employee who believes they're talking to IT support and willingly provides their credentials.

ShinyHunters understands this. By combining stolen personal information with real-time phishing capabilities and professional social engineering, they've built an attack that bypasses most corporate defenses.

The next call claiming to be from IT support might be exactly what it seems. Or it might be the beginning of a breach that exposes your entire company's data. The only reliable defense is verification, and a healthy skepticism of anyone asking for your credentials, no matter how legitimate they sound.