
Scattered Lapsus$ Hunters Target Women in Vishing Attacks

Summary

– The Scattered Lapsus$ Hunters (SLH) hacking group is recruiting women to conduct voice-phishing attacks, offering $500-$1,000 per call with provided scripts.
– SLH is an informal coalition linked to the English-speaking cybercrime network The Com, drawing members from groups like Lapsus$ and Scattered Spider.
– The group is known for sophisticated social engineering, particularly vishing, and for bypassing multi-factor authentication via SIM swapping and phishing kits.
– They have successfully targeted major organizations including Jaguar Land Rover, Adidas, and Qantas by impersonating employees or IT support.
– Cybersecurity advice includes training help desks to expect convincing vishers, enforcing out-of-band verification, and adopting phishing-resistant authentication methods.

A concerning new recruitment trend has emerged within the cybercrime landscape, with the Scattered Lapsus$ Hunters (SLH) collective actively seeking women to conduct voice-phishing operations. Intelligence indicates the group is offering substantial upfront payments, between $500 and $1,000 per call, to female recruits who can convincingly execute social engineering attacks over the phone. This targeted approach is a strategic shift for a network historically linked to young male actors, and it aims to exploit potential biases or assumptions during security interactions.

This informal coalition pulls members from several notorious groups, including Lapsus$, Scattered Spider, and ShinyHunters, all connected to the broader English-speaking cybercrime network known as The Com. While past arrests have predominantly involved young men, the demographic makeup of these groups is fluid. SLH has a proven track record of breaching major corporations like Jaguar Land Rover, Adidas, and Qantas, demonstrating its significant threat level.

The group’s core expertise lies in sophisticated social engineering, particularly vishing attacks designed to circumvent multi-factor authentication (MFA). Their common tactics include SIM swapping, deploying fake single sign-on pages, and MFA prompt bombing to wear down a target’s resistance. A frequent method involves impersonating employees to contact corporate IT help desks, persuading support staff to reset passwords or change MFA credentials. Conversely, they also pose as support personnel to trick employees into installing remote management tools or entering credentials on phishing sites.

Cybersecurity analysts note that these operations are highly coordinated. The phishing pages used are often part of adaptable kits that synchronize the authentication flow in real time with the narrative of the concurrent phone call, making the scam exceptionally convincing. This level of preparation means that anyone receiving such a call, whether from a man or a woman, will likely be facing a well-rehearsed and persuasive social engineer.

For organizations, this new recruitment drive necessitates immediate action. Security teams should brief IT help desk and support personnel about this specific trend, emphasizing that vishers can be any gender and will sound highly credible. It is critical to enforce strict out-of-band verification procedures. This means that any password reset or MFA change requested via phone must be confirmed through a separate, secure channel, such as a verified video call or an internal secondary verification system.

Where feasible, companies should transition toward phishing-resistant authentication methods like FIDO2 security keys or passkeys, which are far less susceptible to these social engineering schemes. Furthermore, organizations must rigorously audit system logs, paying close attention to any new user creation or administrative privilege escalations that occur shortly after help desk interactions. Proactive monitoring can help detect and contain breaches that slip through initial social engineering defenses.
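The log review described above can be automated as a time-window correlation. The following is an added example, not code from the article or its source: the event schema, action names, account names and the four-hour window are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Field names and action labels are
# assumptions; map them to your ticketing system and identity provider schema.
EVENTS = [
    {"ts": "2025-01-10T09:02:00", "action": "mfa_reset", "actor": "agent17", "target": "a.jones"},
    {"ts": "2025-01-10T09:20:00", "action": "user_created", "actor": "a.jones", "target": "svc-sync2"},
    {"ts": "2025-01-10T09:25:00", "action": "role_granted", "actor": "a.jones", "target": "svc-sync2"},
    {"ts": "2025-01-10T11:00:00", "action": "password_reset", "actor": "agent04", "target": "b.lee"},
    {"ts": "2025-01-10T13:00:00", "action": "user_created", "actor": "c.admin", "target": "new.hire"},
    {"ts": "2025-01-11T15:00:00", "action": "role_granted", "actor": "b.lee", "target": "b.lee"},
]

RESET_ACTIONS = {"password_reset", "mfa_reset"}       # help desk changes
SENSITIVE_ACTIONS = {"user_created", "role_granted"}  # events worth a second look


def correlate(events, window=timedelta(hours=4)):
    """Return (account, action, target, delay) for each sensitive event that
    involves an account the help desk reset within `window` beforehand."""
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
        key=lambda e: e["ts"],
    )
    last_reset = {}  # account -> time of its most recent help desk reset
    findings = []
    for e in parsed:
        if e["action"] in RESET_ACTIONS:
            last_reset[e["target"]] = e["ts"]
        elif e["action"] in SENSITIVE_ACTIONS:
            # Check both sides: the reset account acting, or being acted upon.
            for account in dict.fromkeys((e["actor"], e["target"])):
                reset_ts = last_reset.get(account)
                if reset_ts is not None and e["ts"] - reset_ts <= window:
                    findings.append((account, e["action"], e["target"], e["ts"] - reset_ts))
    return findings


if __name__ == "__main__":
    for account, action, target, delay in correlate(EVENTS):
        print(f"REVIEW {account}: {action} -> {target}, {delay} after help desk reset")
```

Each finding is a prompt to check the originating help desk ticket for the out-of-band verification record, not proof of compromise on its own.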

(Source: HelpNet Security)
