[TIMESTAMP: 2026-02-25 16:30 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

SLH Recruits Women for $1,000 IT Help Desk Vishing Attacks

AI-Assisted Analysis

The cybercrime collective known as Scattered LAPSUS$ Hunters (SLH) has shifted its recruitment strategy to focus on a specialized segment of the underground workforce. According to reporting from The Hacker News, the group is offering significant financial incentives—ranging from $500 to $1,000 per call—to recruit women for high-stakes voice phishing (vishing) campaigns. This move represents a calculated effort to increase the success rates of social engineering attacks targeting corporate IT help desks.

The Strategic Pivot to Specialized Vishing

SLH, a group that appears to draw tactical inspiration from predecessors like Scattered Spider and LAPSUS$, recognizes that the human element remains the most vulnerable point in the identity and access management (IAM) chain. By specifically recruiting women for these roles, the group leverages psychological biases that often associate female voices with higher levels of trustworthiness and lower perceived threat levels in customer service and technical support interactions.

Dataminr, which first highlighted this trend in a recent threat brief, indicates that these recruits are tasked with calling IT help desks and impersonating employees who have lost access to their accounts. The objective is to manipulate help desk personnel into resetting passwords, changing registered MFA phone numbers, or issuing new session tokens. The high payout offered per call suggests that SLH is successfully monetizing the initial access they gain, likely through subsequent ransomware deployment or data exfiltration.

Technical Methodology and Target Profiles

The vishing campaigns conducted by SLH are rarely isolated incidents; they are typically part of a broader, multi-stage attack lifecycle. The technical process often follows a specific pattern:

  1. Reconnaissance: The group gathers intelligence on target employees via LinkedIn, corporate directories, and previous data breaches to obtain names, employee IDs, and job titles.
  2. The Vishing Call: The recruited operative calls the help desk, often using VoIP services or SIM-swapped devices to bypass geographic filters. They present a plausible story, such as a broken device or an urgent deadline, to create a sense of pressure.
  3. Bypassing MFA: Once the help desk agent is convinced of the caller’s identity, the attacker requests a change to the account’s MFA settings. This might involve enrolling a new physical security key or, more commonly, redirecting SMS-based OTPs to a controlled device.
  4. Lateral Movement: With valid credentials and bypassed MFA, the threat actors gain access to the corporate VPN or Single Sign-On (SSO) portal, allowing them to move laterally through the network.

Implications for Enterprise Security

The professionalization of vishing recruitment signals a dangerous trend where cybercriminal organizations operate like illicit staffing agencies. By offering high upfront payments, SLH can attract individuals who may not have deep technical skills but possess the linguistic and social skills necessary to deceive experienced IT staff. This lowers the barrier to entry for executing high-impact breaches against well-defended organizations.

Furthermore, this tactic highlights the limitations of traditional ‘knowledge-based’ authentication. If an attacker can obtain an employee’s date of birth or manager’s name through OSINT, a help desk agent relying on those facts as proof of identity is easily compromised.

To counter the rising threat of specialized vishing, organizations must move beyond simple awareness training and implement structural changes to their identity verification processes:

  • Mandatory Identity Verification: Implement a policy where help desk agents must verify identity through a secondary, out-of-band channel that cannot be easily intercepted, such as a video call or a manager-approved push notification via a verified mobile app.
  • Eliminate SMS/Voice MFA: Transition the workforce toward hardware-backed authentication (FIDO2/WebAuthn) or certificate-based authentication, which is resistant to vishing-induced resets.
  • Help Desk Hardening: Train IT support staff specifically on the recruitment tactics used by groups like SLH. Agents should be empowered to escalate or deny requests that involve high-risk changes (like MFA resets) without a rigorous verification protocol.
  • Monitoring and Alerting: Establish monitoring for ‘impossible travel’ logins or sudden MFA device changes, particularly when preceded by a ticket in the IT service management (ITSM) system.
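
The monitoring recommendation above can be expressed as a correlation rule: a phone-originated MFA reset ticket, then an MFA device change, then a login from a country the user has not been seen in. The following is an added example, not code from the original report; the event field names, user names, and time windows are assumptions, and the new-country check is a simplified stand-in for a full 'impossible travel' calculation.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names are assumptions;
# map them to your ITSM and identity-provider export schemas.
EVENTS = [
    {"ts": "2026-02-20T09:00:00", "type": "login", "user": "akhan", "country": "US"},
    {"ts": "2026-02-23T10:00:00", "type": "login", "user": "bliu", "country": "US"},
    {"ts": "2026-02-24T14:02:00", "type": "ticket", "user": "akhan", "category": "mfa_reset", "channel": "phone"},
    {"ts": "2026-02-24T14:11:00", "type": "mfa_device_change", "user": "akhan"},
    {"ts": "2026-02-24T14:19:00", "type": "login", "user": "akhan", "country": "RO"},
    {"ts": "2026-02-24T15:00:00", "type": "mfa_device_change", "user": "bliu"},  # self-service, no ticket
    {"ts": "2026-02-24T15:30:00", "type": "login", "user": "bliu", "country": "US"},
]

def correlate(events, ticket_window=timedelta(minutes=30), login_window=timedelta(hours=4)):
    """Alert on: phone MFA-reset ticket -> MFA device change -> login from a new country."""
    seen = {}         # user -> countries observed in earlier logins
    last_ticket = {}  # user -> time of latest phone-originated MFA reset ticket
    pending = {}      # user -> time of an MFA change that followed such a ticket
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["type"] == "ticket" and e.get("category") == "mfa_reset" and e.get("channel") == "phone":
            last_ticket[user] = t
        elif e["type"] == "mfa_device_change":
            ticket_t = last_ticket.get(user)
            if ticket_t is not None and t - ticket_t <= ticket_window:
                pending[user] = t  # help-desk-driven change: watch the next logins
        elif e["type"] == "login":
            known = seen.setdefault(user, set())
            changed = pending.get(user)
            # Require login history so a brand-new account does not alert on first login.
            if changed is not None and t - changed <= login_window and known and e["country"] not in known:
                alerts.append({"user": user, "mfa_change": changed.isoformat(),
                               "login": e["ts"], "country": e["country"]})
                del pending[user]
            known.add(e["country"])
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

In production the same join would run as a scheduled query in the SIEM, keyed on the user identifier shared by the ITSM and identity-provider logs.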
