Financial Services Could Be Next in Line for ShinyHunters

Aug. 12, 2025

An ongoing data extortion campaign targeting Salesforce customers could soon turn its attention to financial services firms, security experts have warned.

The notorious ShinyHunters group has been blamed for a series of data breaches impacting big names in the fashion (LVMH, Chanel, Pandora, Adidas) and aviation (Qantas, Air France-KLM) sectors. These victims are typically targeted with vishing for logins to their Salesforce accounts and are sometimes also tricked into downloading a malicious app for similar purposes.

However, ReliaQuest said today that its analysis of phishing domain names used in the group’s attacks points to a shift in targets.

“Since July 2025, domain registrations targeting financial companies have increased by 12%, while targeting of technology firms has decreased by 5%,” the threat intelligence firm said.

“This shift suggests that financially motivated groups like ShinyHunters are now prioritizing banks, insurance companies and financial services, though technology and professional services remain at high risk due to the value of the data and access they provide.”

Some 700 of these domains have been registered in 2025, indicating the scale of the campaign.

Are ShinyHunters and Scattered Spider the Same?

Additionally, many of these domains, such as “company-okta[.]com” and “companyname-my-salesforce[.]com,” match the format used by the infamous Scattered Spider collective, said ReliaQuest. Many also share the same registry details, suggesting the groups are connected.

The theory is backed by the appearance last year on BreachForums of a user calling themselves “Sp1d3rhunters,” who has reportedly claimed the two groups “are the same.”

Both have ties to a nebulous movement dubbed “The Com,” which is characterized by English-speaking teens and young adults, usually male, who have also veered into violence for hire, sextortion and online child abuse.

The key for corporate security teams keen to avoid becoming the next victim is to focus on tactics, techniques and procedures (TTPs) rather than which group may be doing the attacking, said ReliaQuest.

“Threat actors constantly rotate infrastructure, change names, and adapt their TTPs to evade detection and maximize impact. As a result, tracking the behavioral patterns and evolving TTPs behind these campaigns is far more valuable than focusing solely on indicators of compromise (IOCs) or attribution,” it argued.

“For security leaders, understanding this fluid and persistent threat landscape is critical to anticipating future attacks and making informed decisions about security strategy and resource allocation.”
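The domain format described above (a company name hyphenated with an identity or SaaS service name in the registered domain itself) can be screened for in newly registered or newly observed domains. The following is an added example, not code from the article or from ReliaQuest; the brand `examplebank`, the sample domains and the function names are constructed for illustration, and the one-label-TLD handling is a simplifying assumption.

```python
from __future__ import annotations
import re

# Service keywords taken from the two domain formats quoted in the article.
SERVICE_KEYWORDS = ("okta", "salesforce")

def refang(domain: str) -> str:
    """Normalize a possibly defanged indicator such as 'a[.]com' to 'a.com'."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")

def registrable_label(domain: str) -> str:
    """Return the label left of the TLD. Assumption: a one-label TLD;
    use a public-suffix list to handle suffixes such as 'co.uk'."""
    labels = refang(domain).split(".")
    return labels[-2] if len(labels) >= 2 else ""

def classify(domain: str, brands: set[str]) -> str | None:
    """Return a reason string when the registered name joins a watched
    brand with a service keyword, otherwise None."""
    tokens = [t for t in re.split(r"[-_]", registrable_label(domain)) if t]
    services = [t for t in tokens if t in SERVICE_KEYWORDS]
    hits = [t for t in tokens if t in brands]
    # A genuine tenant host sits under the vendor's own domain, where the
    # registered label is just 'okta' or 'salesforce', so it is not flagged.
    if services and hits:
        return f"brand '{hits[0]}' joined with '{services[0]}' in registered name"
    return None

def triage(domains: list[str], brands: set[str]) -> dict[str, str]:
    """Map each suspicious domain (refanged) to the reason it was flagged."""
    flagged = {}
    for d in domains:
        reason = classify(d, brands)
        if reason:
            flagged[refang(d)] = reason
    return flagged

# Constructed sample feed: lookalikes, genuine tenant hosts, unrelated names.
SAMPLE_FEED = [
    "examplebank-okta[.]com",
    "sso.examplebank-my-salesforce[.]com",
    "examplebank.okta.com",
    "examplebank.my.salesforce.com",
    "otherco-okta.com",
    "examplebank.com",
]

if __name__ == "__main__":
    for name, why in triage(SAMPLE_FEED, {"examplebank"}).items():
        print(f"{name}: {why}")
```

Because the check keys on the naming behavior rather than on a fixed indicator list, it keeps working when the registered domains themselves rotate.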
