BlackFile is conducting ongoing voice‑phishing and social engineering campaigns by impersonating IT support to steal credentials and gain persistent access to corporate environments. The group targets multiple industries and leverages phishing pages, executive account compromise, and data‑leak sites to extort seven‑figure ransoms #BlackFile #CordialSpider
Key points
- BlackFile impersonates IT support in voice‑phishing and social engineering to obtain credentials.
- The group, linked to The Com and tracked as CL-CRI-1116/UNC6671/Cordial Spider, targets retail, hospitality, healthcare, technology, transportation, logistics and wholesale.
- Attackers use phishing pages that mimic corporate SSO portals, scrape employee directories, compromise executive accounts, and in some cases swat personnel (triggering an armed police response with a false emergency report) to increase leverage.
- They exfiltrate data from SaaS platforms and APIs, including Microsoft Graph, Salesforce and SharePoint, and publish data-leak sites to extort victims with seven-figure demands.
- Unit 42 and RH-ISAC advise enforcing multi-factor verification of callers who request account changes, and restricting what IT support can do (such as password or MFA resets) without managerial escalation.
Read More: https://cyberscoop.com/blackfile-data-theft-extortion-retail-unit-42-rh-isac/