A new turn in the tactics of cybercriminals has put security teams on alert: according to a recent report, the collective known as Scattered LAPSUS$ Hunters (SLH) is reportedly recruiting women deliberately to run vishing campaigns against technical support departments, offering $500 to $1,000 per call and supplying ready-made scripts for deceiving operators. The intelligence firm Dataminr described the initiative as an effort to diversify and refine the group's "social staff" in order to raise the odds of success when impersonating employees to help desks, according to its report.
Behind the acronym SLH is an amalgam of actors who have already shown their ability to exploit human and technological weaknesses. Groups such as LAPSUS$, Scattered Spider and ShinyHunters have been linked to one another in operations that combine convincing calls, highly polished social engineering and techniques for bypassing multi-factor authentication. The strategy is simple in outline: get help desk staff to reset credentials or install a remote monitoring and management (RMM) tool, which opens the door to lateral movement, privilege escalation and large-scale data theft, sometimes followed by ransomware deployment.

The analysts who track these actors point out that they are not limited to crude phone impersonation. To camouflage their activity and avoid raising alarms, they use legitimate services and residential proxy networks, mechanisms that let them blend their traffic with "normal" traffic, and they use tunnels and public file-sharing services to exfiltrate information. Tools such as Ngrok and Teleport and temporary storage services have appeared in investigations, as have commercial proxy platforms that make it difficult to track the attacker's infrastructure. A more detailed technical profile of these practices can be found in specialised analyses such as those from Team Cymru.
The ability of these groups to exploit the human factor has led cyber-security firms such as Palo Alto Networks Unit 42 to publish follow-up research describing Scattered Spider (tracked by Unit 42 under the name "Muddled Libra") as an actor highly skilled at manipulating human psychology. Unit 42 has documented cases in which, after obtaining privileged credentials over the phone, the attackers create virtual machines for Active Directory reconnaissance and for exfiltrating mailboxes or data from cloud platforms such as Snowflake; operations that combine impersonation with lateral movement techniques and quiet exfiltration. Its technical dossier and recommendations are available in the playbook published by Unit 42 and in other documents that explain how to track these threats through cloud logs.
A recurring technical facet of these attacks is the search for ways to bypass multi-factor authentication (MFA). Practices such as "prompt bombing" (flooding a user with MFA push notifications until they tap accept by mistake) and SIM swapping are part of these groups' arsenal. For a better understanding of the technique and its impact on defence, detailed explanations are available in specialised resources such as those published by Silverfort.
In the face of this development, security teams and technical support departments must look beyond purely technological solutions. Training and procedures are key: help desk staff need to be prepared to recognise prepared scripts, very polished calls and techniques for building rapport quickly. At the same time, organisations have to tighten their access policies: replace SMS-based factors with phishing-resistant methods, implement strict controls on the creation of administrative accounts, and systematically audit any privilege increase that follows a telephone interaction.
Technical controls complement training. Monitoring cloud logs can reveal abnormal activity after a call to support; restricting the installation of RMM tools without prior approval reduces compromise vectors; and phishing-resistant authentication, such as FIDO2 keys or certificate-based solutions, drastically reduces the effectiveness of impersonation attempts. Government agencies and response centres recommend combining awareness-raising measures with robust identity configurations: NIST's digital identity guidelines provide frameworks for designing MFA and identity verification policies, and CERT/CISA maintains practical advice on identifying and mitigating social engineering techniques.
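As an added illustration of the monitoring the article recommends (this is example code, not from Dataminr, Unit 42 or any product), the following script runs two checks over constructed identity-log events: a burst of MFA push prompts consistent with prompt bombing, and a privileged role grant or software installation shortly after a help-desk credential reset. Event names, role names and the time windows are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, event, detail); not real log data.
SAMPLE_EVENTS = [
    ("2025-01-10T09:00:00", "alice", "mfa_push_sent", ""),
    ("2025-01-10T09:00:20", "alice", "mfa_push_sent", ""),
    ("2025-01-10T09:00:40", "alice", "mfa_push_sent", ""),
    ("2025-01-10T09:01:00", "alice", "mfa_push_sent", ""),
    ("2025-01-10T09:01:20", "alice", "mfa_push_sent", ""),
    ("2025-01-10T09:01:30", "alice", "mfa_push_approved", ""),
    ("2025-01-10T10:15:00", "bob", "helpdesk_credential_reset", "ticket=HD-1234"),
    ("2025-01-10T10:40:00", "bob", "role_assigned", "Global Administrator"),
    ("2025-01-10T10:55:00", "bob", "software_installed", "remote-management-agent"),
    ("2025-01-10T14:00:00", "carol", "helpdesk_credential_reset", "ticket=HD-1300"),
    ("2025-01-11T16:00:00", "carol", "role_assigned", "Reader"),  # benign: late, unprivileged
]

PRIVILEGED_ROLES = {"Global Administrator", "Domain Admin"}  # assumed role names

def parse(events):
    return [(datetime.fromisoformat(ts), u, e, d) for ts, u, e, d in events]

def mfa_push_fatigue(events, threshold=5, window=timedelta(minutes=5)):
    """Users who received at least `threshold` push prompts inside `window` (prompt-bombing pattern)."""
    pushes = defaultdict(list)
    for ts, user, ev, _ in parse(events):
        if ev == "mfa_push_sent":
            pushes[user].append(ts)
    flagged = set()
    for user, times in pushes.items():
        times.sort()
        # Sliding window: compare each prompt with the one `threshold - 1` prompts later.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(user)
                break
    return flagged

def post_reset_escalation(events, window=timedelta(hours=2)):
    """Privileged role grants or software installs within `window` after a help-desk credential reset."""
    parsed = parse(events)
    resets = defaultdict(list)
    for ts, user, ev, _ in parsed:
        if ev == "helpdesk_credential_reset":
            resets[user].append(ts)
    alerts = []
    for ts, user, ev, detail in parsed:
        suspicious = (ev == "role_assigned" and detail in PRIVILEGED_ROLES) or ev == "software_installed"
        if suspicious and any(timedelta(0) <= ts - r <= window for r in resets[user]):
            alerts.append((user, ev, detail))
    return alerts
```

Both checks are meant as starting points for correlating help-desk ticket data with identity-provider and endpoint logs; the thresholds should be tuned to the organisation's own baseline.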

It is not just a question of raising technical barriers: labour market pressure and the offer of a financial reward per call create an environment in which social engineering becomes professionalised and diversified. Dataminr interprets this recruitment of female voices as a calculated strategy to exploit stereotypes and bias in human detection, making it harder for operators to distinguish a legitimate request from a malicious operation. This adaptation is a wake-up call: attackers innovate not only in code, but also in human and logistical tactics.
The conclusion is clear and, unfortunately, predictable: modern security requires a combination of sustained training, rigorous processes and technologies that reduce reliance on voice or SMS verification. Following the research and guidance of intelligence companies and research centres, such as Unit 42 or Dataminr's alerts, helps in understanding the pattern and, above all, in designing practical responses that reduce the attack surface these groups exploit.
If your organisation depends on phone support teams, now is the time to review who can approve critical changes, how the caller's identity is validated and which signs in the logs can reveal an impersonation. The threat is real and evolving; the best response is to get ahead of it with training, procedures and technical controls that make this bet on recruiting human voices no longer cost-effective for the attackers.