
Scattered LAPSUS$ Hunters Monetize Vishing: $1,000 Bounties for IT Help Desk Scams

Security Arsenal Team
March 4, 2026
5 min read

The boundary between cybercrime and the gig economy is blurring, and the latest threat intelligence from Dallas-based Security Arsenal reveals a disturbing new trend. The notorious cybercrime collective Scattered LAPSUS$ Hunters (SLH) is actively recruiting women to conduct voice phishing (vishing) attacks against IT help desks, offering financial bounties of $500 to $1,000 per successful call.

This shift represents a significant evolution in social engineering tactics. Rather than relying solely on traditional cold calling or automated robocalls, threat actors are now financially incentivizing specific demographics to manipulate help desk personnel into bypassing security protocols.

The Anatomy of the Threat

The SLH campaign focuses on the human element of cybersecurity: the IT Help Desk. This function is designed to be helpful and to resolve access issues quickly, making it a prime target for adversaries seeking initial access or credential reset capabilities.

The attack vector follows a predictable but effective playbook:

  1. Recruitment: Actors are recruited via underground forums with promises of high pay for low-effort tasks.
  2. Targeting: The caller contacts an organization's IT support line, often posing as a distressed employee.
  3. The Hook: Using social engineering pretexts—such as being locked out of a critical meeting or needing urgent access to payroll systems—the caller manipulates the technician into performing a password reset or bypassing Multi-Factor Authentication (MFA).
  4. Monetization: The SLH group pays the recruit immediately upon verification of a successful reset, effectively crowdsourcing their intrusion efforts.

Why recruit women specifically? Threat actors often manipulate social dynamics. Research and historical data suggest that help desk operators may perceive female callers as less threatening or more trustworthy, particularly in male-dominated technical environments. This bias lowers the defender's guard, increasing the success rate of the social engineering attempt.

Technical Analysis and TTPs

From a tactical perspective, SLH is exploiting the "break-glass" procedures inherent in Identity and Access Management (IAM) systems. While technical controls like MFA are robust, the process flows around them often rely on human judgment.

The primary technical indicators of this attack are not found in network traffic, but in Identity Provider (IdP) logs. SOC analysts should look for:

  • Anomalous Reset Velocity: A sudden spike in "Self-Service Password Reset" (SSPR) or "Admin-Initiated" resets.
  • Contextual Disconnect: Resets occurring for high-privilege accounts that do not typically generate tickets.
  • Geolocation Anomalies: A password reset requested from a new IP or device immediately followed by a successful authentication from a high-risk country.

Detection and Threat Hunting

Defending against vishing requires correlating authentication signals with help desk ticketing systems. Security Arsenal analysts recommend the following queries to hunt for potential SLH activity or similar vishing campaigns.

KQL Query for Microsoft Sentinel

This query correlates failed sign-in attempts (often the pretext for the call) with subsequent administrative password resets.

Script / Code
let FailureWindow = 1h;
SigninLogs
| where ResultType in ("50126", "50053", "50057") // Invalid password, Account locked, Account disabled
| project UserPrincipalName, FailureTime = TimeGenerated, FailureIP = IPAddress, DeviceDetail
| join kind=inner (
    AuditLogs
    | where OperationName has "Reset password"
    // In AuditLogs the target account and the caller's IP live inside dynamic columns,
    // not in top-level UserPrincipalName / IPAddress fields, so pull them out first
    | extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)
    | project UserPrincipalName, ResetTime = TimeGenerated,
              InitiatedBy = tostring(InitiatedBy.user.userPrincipalName),
              CallerIP = tostring(InitiatedBy.user.ipAddress)
) on UserPrincipalName
| where ResetTime > FailureTime and ResetTime <= FailureTime + FailureWindow
| extend TimeDelta = ResetTime - FailureTime
| project UserPrincipalName, FailureTime, ResetTime, TimeDelta, FailureIP, CallerIP, InitiatedBy
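The same correlation, together with the reset-velocity and geolocation indicators listed under Technical Analysis, can be run outside of Sentinel against exported IdP records. The following is an added example written for this article rather than code from Security Arsenal; the field names, the sample sign-in and audit records, and the high-risk country list are all constructed for illustration and must be mapped onto your own IdP's export.

```python
from datetime import datetime, timedelta

# Constructed sample IdP records, not real telemetry. Field names are this
# example's own; map your IdP's columns (e.g. SigninLogs / AuditLogs) onto them.
FAILURE_CODES = {"50126", "50053", "50057"}   # bad password, locked, disabled
HIGH_RISK_COUNTRIES = {"RU"}                  # assumption for the example only

SIGNIN_LOGS = [
    {"time": "2026-03-02T09:02:00", "upn": "a.jones@example.com", "result": "50126", "ip": "203.0.113.10", "country": "US"},
    {"time": "2026-03-02T09:40:00", "upn": "a.jones@example.com", "result": "0",     "ip": "198.51.100.7", "country": "RU"},
    {"time": "2026-03-02T11:00:00", "upn": "b.lee@example.com",   "result": "50053", "ip": "203.0.113.11", "country": "US"},
    {"time": "2026-03-02T14:00:00", "upn": "b.lee@example.com",   "result": "0",     "ip": "203.0.113.11", "country": "US"},
]
AUDIT_LOGS = [  # admin-initiated password resets
    {"time": "2026-03-02T09:25:00", "target": "a.jones@example.com", "initiator": "helpdesk1@example.com", "caller_ip": "203.0.113.50"},
    {"time": "2026-03-02T09:26:00", "target": "c.kim@example.com",   "initiator": "helpdesk1@example.com", "caller_ip": "203.0.113.50"},
    {"time": "2026-03-02T09:31:00", "target": "d.ng@example.com",    "initiator": "helpdesk1@example.com", "caller_ip": "203.0.113.50"},
    {"time": "2026-03-02T09:33:00", "target": "e.ruiz@example.com",  "initiator": "helpdesk1@example.com", "caller_ip": "203.0.113.50"},
    {"time": "2026-03-02T13:30:00", "target": "b.lee@example.com",   "initiator": "helpdesk2@example.com", "caller_ip": "203.0.113.51"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def resets_after_failure(signins, audits, window=timedelta(hours=1)):
    """Indicator 1 (same logic as the KQL): an admin reset within `window` of a failed sign-in."""
    hits = []
    for s in signins:
        if s["result"] not in FAILURE_CODES:
            continue
        failed_at = parse(s["time"])
        for a in audits:
            reset_at = parse(a["time"])
            if a["target"] == s["upn"] and failed_at < reset_at <= failed_at + window:
                hits.append({"upn": s["upn"], "failure_time": failed_at, "reset_time": reset_at,
                             "delta_minutes": int((reset_at - failed_at).total_seconds() // 60),
                             "initiator": a["initiator"], "caller_ip": a["caller_ip"]})
    return hits


def reset_velocity_spikes(audits, window=timedelta(minutes=15), threshold=3):
    """Indicator 2: bursts of admin resets. Returns (burst_start, count) per burst reaching threshold."""
    times = sorted(parse(a["time"]) for a in audits)
    spikes, i = [], 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and times[j + 1] - times[i] <= window:
            j += 1
        count = j - i + 1
        if count >= threshold:
            spikes.append((times[i], count))
            i = j + 1          # report each burst once, then skip past it
        else:
            i += 1
    return spikes


def geo_anomalies(signins, audits, window=timedelta(hours=1), high_risk=HIGH_RISK_COUNTRIES):
    """Indicator 3: a reset followed within `window` by a successful sign-in from a high-risk country."""
    hits = []
    for a in audits:
        reset_at = parse(a["time"])
        for s in signins:
            if s["upn"] != a["target"] or s["result"] != "0" or s["country"] not in high_risk:
                continue
            signin_at = parse(s["time"])
            if reset_at < signin_at <= reset_at + window:
                hits.append({"upn": a["target"], "reset_time": reset_at, "signin_time": signin_at,
                             "country": s["country"], "ip": s["ip"], "caller_ip": a["caller_ip"]})
    return hits


if __name__ == "__main__":
    for h in resets_after_failure(SIGNIN_LOGS, AUDIT_LOGS):
        print("reset-after-failure:", h)
    for start, n in reset_velocity_spikes(AUDIT_LOGS):
        print(f"velocity spike: {n} resets starting {start}")
    for h in geo_anomalies(SIGNIN_LOGS, AUDIT_LOGS):
        print("geo anomaly:", h)
```

On the constructed data the first check flags a.jones (reset 23 minutes after a failed sign-in), the velocity check flags the four resets helpdesk1 performed between 09:25 and 09:33, and the geolocation check flags a.jones again because a successful sign-in from a high-risk country followed the reset within the hour. A single account tripping more than one indicator is the kind of overlap worth escalating first.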

PowerShell Script for On-Premises AD Auditing

For organizations using Active Directory on-premises, monitoring Event ID 4724 (An attempt was made to reset an object's password) is critical.

Script / Code
# Get password reset events (Event ID 4724) from the last 24 hours
$Date = (Get-Date).AddDays(-1)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4724; StartTime=$Date} -ErrorAction SilentlyContinue

if ($Events) {
    foreach ($Event in $Events) {
        $EventXML = [xml]$Event.ToXml()
        # Look the fields up by name. In 4724 the target account comes first
        # (TargetUserName, TargetDomainName, TargetSid, SubjectUserSid, SubjectUserName, ...),
        # so positional indexing easily swaps who reset whom.
        $Data = @{}
        foreach ($Field in $EventXML.Event.EventData.Data) { $Data[$Field.Name] = $Field.'#text' }
        $SubjectUser = "$($Data['SubjectDomainName'])\$($Data['SubjectUserName'])" # Who performed the reset
        $TargetUser  = "$($Data['TargetDomainName'])\$($Data['TargetUserName'])"   # Whose password was reset

        # The subject is normally a help desk or other privileged account; compare it against
        # your ticketing data to confirm a ticket preceded the reset.
        Write-Host "[$($Event.TimeCreated)] RESET PERFORMED by: $SubjectUser ON: $TargetUser"
    }
} else {
    Write-Host "No password reset events found in the last 24 hours."
}

Mitigation Strategies

Blocking vishing requires a layered defense that combines technology with strict policy enforcement.

  1. Out-of-Band Verification: Implement a policy requiring help desk technicians to verify the user's identity via a second channel (e.g., calling the user back on a known number or a corporate mobile device) before performing a reset.
  2. Ticket-Only Resets: Never perform a password reset or MFA bypass without a corresponding, pre-existing ticket in the ITSM system. The ticket must be opened before the reset action.
  3. Number Matching MFA: Deploy MFA solutions that use number matching or FIDO2 keys rather than simple push notifications. This makes it harder for attackers to wear users down with MFA fatigue (repeated push prompts until one is approved).
  4. Geofencing and Conditional Access: Enforce strict Conditional Access policies that block password resets or access from unknown IP addresses or impossible travel locations.
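Policies 1, 2 and 4 above can be enforced in the help desk tooling itself rather than left to each technician's judgment. The following is an added example, not Security Arsenal's code, showing a reset-approval check that refuses a reset unless a ticket for that account was opened before the call came in, the caller's identity was verified out-of-band, and the request originated from an expected network. The ticket, request and network data are constructed for illustration; the trusted network range is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Networks from which a reset request may originate (constructed assumption).
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]


@dataclass
class Ticket:
    ticket_id: str
    requester_upn: str      # the account the ticket was opened for
    opened_at: datetime


@dataclass
class ResetRequest:
    target_upn: str         # account the caller wants reset
    received_at: datetime   # when the help desk call came in
    ticket_id: Optional[str]
    callback_verified: bool  # technician called back on the number of record
    source_ip: str          # where the request originated


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]      # empty when allowed


def evaluate_reset(req: ResetRequest, tickets: Dict[str, Ticket]) -> Decision:
    """Apply the ticket-only, out-of-band and network rules; every failed rule is a reason."""
    reasons: List[str] = []
    ticket = tickets.get(req.ticket_id) if req.ticket_id else None
    if ticket is None:
        reasons.append("no pre-existing ITSM ticket")
    else:
        if ticket.requester_upn.lower() != req.target_upn.lower():
            reasons.append(f"ticket {ticket.ticket_id} was opened for a different account")
        if ticket.opened_at >= req.received_at:
            reasons.append(f"ticket {ticket.ticket_id} was opened after the call, not before")
    if not req.callback_verified:
        reasons.append("identity not verified out-of-band")
    if not any(ip_address(req.source_ip) in net for net in TRUSTED_NETWORKS):
        reasons.append(f"request from untrusted address {req.source_ip}")
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample data for the walkthrough.
TICKETS = {t.ticket_id: t for t in [
    Ticket("INC-1001", "a.jones@example.com", datetime(2026, 3, 2, 8, 40)),
    Ticket("INC-1002", "b.lee@example.com", datetime(2026, 3, 2, 9, 30)),
]}
REQUESTS = [
    # compliant: ticket opened before the call, callback done, trusted network
    ResetRequest("a.jones@example.com", datetime(2026, 3, 2, 9, 5), "INC-1001", True, "203.0.113.25"),
    # ticket raised only after the caller was already on the line
    ResetRequest("b.lee@example.com", datetime(2026, 3, 2, 9, 20), "INC-1002", True, "203.0.113.30"),
    # no ticket, no callback, unknown network
    ResetRequest("c.kim@example.com", datetime(2026, 3, 2, 9, 22), None, False, "198.51.100.9"),
    # quoting someone else's ticket number
    ResetRequest("d.ng@example.com", datetime(2026, 3, 2, 9, 24), "INC-1001", True, "203.0.113.40"),
]

if __name__ == "__main__":
    for req in REQUESTS:
        d = evaluate_reset(req, TICKETS)
        print(req.target_upn, "ALLOW" if d.allowed else "DENY", d.reasons)
```

Only the first request passes. The second is denied because the ticket post-dates the call, which is exactly the "open a ticket while the caller waits" shortcut the ticket-only policy is meant to close; the third collects three separate reasons; the fourth is denied because the ticket belongs to another account. Returning every failed rule, rather than stopping at the first, gives the technician and the SOC a complete picture of why the request looked wrong.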

Conclusion

The SLH recruitment campaign highlights the growing commoditization of cybercrime. By using financial incentives to manipulate human psychology, threat actors are bypassing technical controls such as firewalls and MFA altogether. Security leaders must recognize that the help desk is a new front line in the identity war and equip their staff with the processes and technical validation needed to stop these attacks.
