
New BlackFile Extortion Group Linked to Surge of Vishing Attacks
Why It Matters
BlackFile’s use of voice‑phishing amplifies the threat surface for enterprises, forcing organizations to rethink identity verification and employee training to prevent costly data breaches and extortion payouts.
Key Takeaways
- BlackFile uses vishing to harvest credentials via spoofed IT support calls
- Attackers bypass MFA by registering stolen credentials on new devices
- Data exfiltration targets Salesforce and SharePoint APIs for confidential files
- Recommendations include call‑handling policies, MFA verification, and social‑engineering simulations
Pulse Analysis
The emergence of BlackFile underscores a shift in cyber‑crime tactics toward voice‑phishing, or vishing, as a primary entry vector. By leveraging spoofed VoIP numbers and fraudulent caller ID, the group convinces employees to disclose passwords and one‑time passcodes on fake corporate portals. This social‑engineering approach mirrors earlier campaigns by groups like ShinyHunters, but BlackFile’s focus on the retail and hospitality sectors—industries that handle large volumes of customer data—has amplified its impact. The linkage to "The Com," a loosely organized network known for recruiting young cybercriminals, suggests a talent pipeline that could sustain and evolve these tactics.
Technically, BlackFile demonstrates a sophisticated understanding of enterprise authentication flows. After capturing credentials, the attackers register new devices to sidestep multifactor authentication, then exploit legitimate API calls to extract data from Salesforce and SharePoint environments. By targeting files labeled "confidential" or containing SSNs, they prioritize high‑value personal and business information. The exfiltrated data is staged on attacker‑controlled servers before being posted to a dark‑web leak site, creating a dual pressure mechanism: public exposure and ransom demands that can reach seven figures. This methodology not only bypasses traditional security alerts but also leverages compromised executive email accounts to deliver extortion notices, complicating detection.
Industry response emphasizes a layered defense strategy. The Retail & Hospitality ISAC recommends tightening call‑handling protocols, enforcing multi‑factor verification for any remote assistance request, and conducting regular, simulation‑based social‑engineering training for frontline staff. Organizations must also monitor for anomalous device registrations and API usage patterns that deviate from normal business processes. As vishing continues to gain traction, integrating voice‑security analytics with existing threat‑intelligence platforms will be crucial. Proactive measures can reduce the likelihood of credential compromise, protect sensitive customer data, and ultimately safeguard against the costly ransom payouts that BlackFile seeks.
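The monitoring recommendation above, "anomalous device registrations and API usage patterns," can be turned into a simple correlation rule: flag an account that registers a new device and then reads an unusual number of confidential-labelled files through the Salesforce or SharePoint API within a short window. The script below is an added example written for this page, not code from the ISAC or any vendor; the pipe-delimited log format, the field names and the sample events are constructed assumptions.

```python
"""Correlate new device registrations with bulk confidential-file API reads.
Added example, not from the article or any vendor product; log format, field
names and the sample events are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)  # reads this soon after a registration are correlated
FILE_THRESHOLD = 5           # confidential reads in the window that raise an alert

# Constructed sample events: "timestamp|user|event|detail"
SAMPLE_LOG = """\
2024-05-01T09:00:00|alice|device_registered|iPhone-new
2024-05-01T09:05:00|alice|api_file_read|Q1_customers.xlsx;label=confidential
2024-05-01T09:06:00|alice|api_file_read|payroll_ssn.csv;label=confidential
2024-05-01T09:07:00|alice|api_file_read|vendor_list.docx;label=confidential
2024-05-01T09:08:00|alice|api_file_read|board_minutes.pdf;label=confidential
2024-05-01T09:09:00|alice|api_file_read|contracts_2024.zip;label=confidential
2024-05-01T09:10:00|alice|api_file_read|lunch_menu.txt;label=public
2024-05-01T10:00:00|bob|device_registered|Laptop-new
2024-05-01T14:30:00|bob|api_file_read|report.pdf;label=confidential
"""

def parse_events(text):
    """Parse pipe-delimited lines into (timestamp, user, event, detail) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), user, event, detail))
    return sorted(events)

def find_suspicious(text, window=WINDOW, threshold=FILE_THRESHOLD):
    """Return {user: reads} for accounts whose confidential-file API reads
    within `window` after a new device registration reach `threshold`."""
    registrations, reads = defaultdict(list), defaultdict(list)
    for ts, user, event, detail in parse_events(text):
        if event == "device_registered":
            registrations[user].append(ts)
        elif event == "api_file_read" and "label=confidential" in detail:
            reads[user].append(ts)
    alerts = {}
    for user, reg_times in registrations.items():
        for reg in reg_times:
            n = sum(1 for t in reads[user] if reg <= t <= reg + window)
            if n >= threshold:
                alerts[user] = max(n, alerts.get(user, 0))
    return alerts

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG))  # {'alice': 5}
```

Only alice trips the rule: five confidential reads minutes after a new device enrolment, while bob's single read hours later stays below both the window and the threshold.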