A newly surfaced extortion brand called “Pink” is using voice phishing and fake IT support calls to breach organizations, The Register reports. The threat actor may be a rebrand of prior extortion groups, including BlackFile and Redact, though its tactics remain the same.
Palo Alto Networks' Unit 42 said in a post on GitHub, “The threat actor leverages vishing for initial access, impersonating internal IT personnel to convince a user to input credentials into a phishing site, allowing the actor to gain access to the victim's account and MFA. After gaining access to the victim's account, the actor rapidly identifies and exfiltrates data from platforms like SharePoint and OneDrive, similar to other Com-affiliated groups. Shortly afterward, the actor leverages a compromised victim account to send their initial extortion email as well as internal Teams messages. The actor reuses second-level domains to target multiple organizations, and the third-level domain typically thematically represents the target. These domains have leveraged DDoS-Guard for hosting.”
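The domain pattern Unit 42 describes (one second-level domain reused, with a target-themed third-level label per victim) can be hunted for in web-proxy or DNS logs by clustering hostnames on their second-level domain and flagging those seen under several IT-themed subdomains. This is an added example, not code from Unit 42 or The Register; the sample URLs, the theme word list and the naive two-label split are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of URLs as they might appear in a web-proxy log; the
# hostnames are hypothetical, not indicators from the report.
SAMPLE_URLS = [
    "https://contoso-helpdesk.example-support.net/login",
    "https://fabrikam-it.example-support.net/sso",
    "https://northwind-sso.example-support.net/auth",
    "https://intranet.contoso.com/home",
    "https://login.microsoftonline.com/",
    "https://acme-helpdesk.other-portal.org/login",
]

# Tokens typical of an "internal IT" lure in the third-level label (assumed list).
IT_THEME = {"helpdesk", "it", "sso", "support", "vpn", "mfa", "okta"}

def split_host(host):
    """Lower-cased DNS labels, trailing dot removed."""
    return host.lower().rstrip(".").split(".")

def registrable_domain(host):
    """Naive second-level domain (last two labels). Assumes one-label public
    suffixes such as .net/.com; use a public-suffix list for .co.uk and similar."""
    return ".".join(split_host(host)[-2:])

def third_level(host):
    """The label directly under the second-level domain, or '' if none."""
    labels = split_host(host)
    return labels[-3] if len(labels) >= 3 else ""

def looks_it_themed(label):
    """True if any hyphen-separated token of the label is an IT-support lure word."""
    return any(tok in IT_THEME for tok in label.split("-"))

def cluster_by_sld(urls):
    """Map each second-level domain to the distinct third-level labels seen under it."""
    clusters = defaultdict(set)
    for url in urls:
        host = urlsplit(url).hostname
        sub = third_level(host) if host else ""
        if sub:
            clusters[registrable_domain(host)].add(sub)
    return clusters

def flag_reused_slds(urls, min_subdomains=2):
    """Second-level domains reused under several IT-themed third-level labels."""
    flagged = {}
    for sld, subs in cluster_by_sld(urls).items():
        if len(subs) >= min_subdomains and any(looks_it_themed(s) for s in subs):
            flagged[sld] = sorted(subs)
    return flagged
```

Run over real logs, exclude your own and well-known SaaS domains first, then review the flagged clusters manually; a shared parent domain with per-target subdomains is a hunting lead, not proof by itself.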
The Register notes that criminal gangs frequently go dark before resurfacing under different names, and that these groups continue to grow more sophisticated over time.
“Despite multiple arrests across all three gangs, they keep coming back to victimize more organizations,” The Register says. “Most incident responders, including Google’s Mandiant and Unit 42, link many of these criminal collectives to The Com, a loosely knit group of primarily English speakers made up of several interconnected networks of hackers, SIM swappers, and extortionists, with some of its subgroups offering real-life violent crime for hire.”
The Register has the story: “Pink is the latest goon squad to use fake helpdesk calls to steal creds.”
