Overview
- Google’s Threat Intelligence Group detailed a financially motivated cluster called UNC6783 that targets business process outsourcers and some in‑house helpdesks to steal data for extortion.
- Operators use live‑chat social engineering to push workers to fake Okta login pages on look‑alike domains that mimic Zendesk links, then steal clipboard contents to bypass MFA and enroll attacker devices.
- GTIG also observed fake security update prompts that install remote access malware, followed by ransom demands sent from Proton Mail accounts after data theft.
- An actor using the name Mr. Raccoon claims a breach at an India‑based supplier to Adobe that exposed millions of support tickets, a claim Adobe has not confirmed, with vx‑underground saying signs appear credible.
- Google urges phishing‑resistant MFA such as FIDO2 hardware keys, tighter monitoring of live‑chat interactions, blocking spoofed zendesk‑support domains, auditing new MFA device enrollments, and watching for rogue installers because a single BPO compromise can expose many clients.
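Two of those recommended checks, worked as an added example (this is not code from GTIG, Google, Okta or Zendesk): a look-alike detector for hostnames that carry the Zendesk or Okta brand string but do not resolve to the brands' own registrable domains, and an audit that flags MFA factor enrollments which closely follow a login from an IP address the user has never used before. The allowlist of legitimate domains, the event names (modelled loosely on IdP system-log names), the log record shape and all sample URLs and events are assumptions constructed for the demo.

```python
"""Helpdesk-phishing detections for the UNC6783-style flow described above.

Added example, not GTIG's or Google's code. The allowlist, the log record
shape, the event names and every sample record are constructed assumptions.
"""
from __future__ import annotations

from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumption: the defender keeps an allowlist of the registrable domains the
# SaaS vendors actually serve from. Anything else carrying the brand string
# is treated as an impersonation attempt.
LEGIT_DOMAINS = {
    "zendesk": {"zendesk.com"},
    "okta": {"okta.com"},
}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname.

    Simplification: ignores multi-part public suffixes such as co.uk; use
    the Public Suffix List in production.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brand(url: str) -> str | None:
    """Return the brand a URL impersonates, or None if it is clean.

    A hostname is a look-alike when it contains a brand token anywhere
    (as a label, split by hyphens, or embedded in a longer label) but its
    registrable domain is not one the brand legitimately serves from.
    acme.zendesk.com passes; zendesk-support-acme.com and
    zendesk.com.update-portal.net are flagged.
    """
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return None
    reg = registrable_domain(host)
    for brand, legit in LEGIT_DOMAINS.items():
        if brand in host.replace("-", "") and reg not in legit:
            return brand
    return None


def suspicious_enrollments(events: list[dict], window: timedelta = timedelta(minutes=30)) -> list[tuple]:
    """Flag MFA factor enrollments that follow a first-seen-IP login closely.

    `events` are dicts with keys ts (ISO 8601, naive), user, ip, event.
    Event names are assumptions for this demo; map them to your IdP's names
    (session start and MFA factor enrollment). Historical logins must be in
    the input so that a user's known IPs can be learned before the window.
    """
    known_ips: dict[str, set[str]] = {}
    last_login: dict[str, tuple[datetime, str, bool]] = {}
    flagged: list[tuple] = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        user, ip = e["user"], e["ip"]
        if e["event"] == "user.session.start":
            seen = known_ips.setdefault(user, set())
            first_seen_ip = ip not in seen
            seen.add(ip)
            last_login[user] = (ts, ip, first_seen_ip)
        elif e["event"] == "user.mfa.factor.activate":
            login = last_login.get(user)
            if login and login[2] and ts - login[0] <= window:
                flagged.append((user, ip, e["ts"]))
    return flagged


# Constructed sample data (not real indicators).
SAMPLE_URLS = [
    "https://acme.zendesk.com/agent/tickets/1234",   # legitimate tenant subdomain
    "https://zendesk-support-acme.com/okta/login",   # brand in a hyphenated label
    "https://acme.okta.com/app/UserHome",            # legitimate IdP tenant
    "https://okta-verify.acme-helpdesk.net/sso",     # brand as a subdomain label
    "https://zendesk.com.update-portal.net/login",   # legit domain as a prefix
]

SAMPLE_EVENTS = [
    {"ts": "2024-04-20T09:00:00", "user": "bob", "ip": "203.0.113.20", "event": "user.session.start"},
    {"ts": "2024-05-01T08:00:00", "user": "alice", "ip": "203.0.113.10", "event": "user.session.start"},
    {"ts": "2024-05-02T08:05:00", "user": "alice", "ip": "203.0.113.10", "event": "user.session.start"},
    {"ts": "2024-05-03T09:00:00", "user": "bob", "ip": "203.0.113.20", "event": "user.session.start"},
    {"ts": "2024-05-03T09:10:00", "user": "bob", "ip": "203.0.113.20", "event": "user.mfa.factor.activate"},
    {"ts": "2024-05-03T14:02:00", "user": "alice", "ip": "198.51.100.77", "event": "user.session.start"},
    {"ts": "2024-05-03T14:06:00", "user": "alice", "ip": "198.51.100.77", "event": "user.mfa.factor.activate"},
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{lookalike_brand(url) or 'ok':8} {url}")
    for hit in suspicious_enrollments(SAMPLE_EVENTS):
        print("suspicious enrollment:", hit)
```

The domain check deliberately keys on the brand string rather than on a blocklist of observed domains, since the operators register new look-alikes faster than a blocklist can follow; the enrollment check only fires when the preceding login came from an IP the user had never used, which is the pattern that matters when the attacker has just captured a session via the chat lure.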