BlackFile Group Launches Vishing and Data Extortion Campaign Against Retail and Hospitality

BlackFile Group Launches Vishing and Data Extortion Campaign Against Retail and Hospitality

First seen 28 Apr 2026, 00:34 UTC Infosecurity-MagazineScworldrhisac.org 87% similarity 71.0

Article Content

Browse articles
ThreatCluster

Since February 2026, the BlackFile Group has targeted retail and hospitality sectors, employing vishing attacks to steal employee credentials. Palo Alto Networks' Unit 42 reported that the group uses spoofed VoIP numbers to impersonate IT helpdesk staff, luring victims to phishing pages designed to capture login credentials and one-time passcodes. Once access is gained, attackers register new devices to bypass multi-factor authentication and escalate privileges to executive accounts. They exfiltrate sensitive data from Salesforce and SharePoint, focusing on files marked 'confidential' and containing Social Security Numbers (SSNs). The group demands seven-figure ransoms, sometimes resorting to swatting tactics to pressure victims. Organizations are advised to enhance security policies and conduct regular training to mitigate risks. The attacks have raised significant concerns about data security in these sectors.

Key Points: • BlackFile Group targets retail and hospitality sectors using vishing attacks. • Attackers impersonate IT staff to steal credentials and bypass multi-factor authentication. • Victims face seven-figure ransom demands and potential swatting incidents.

ThreatCluster AI

Timeline

2026-02-01
BlackFile Group begins targeting retail and hospitality sectors
2026-04-23
Palo Alto Networks and RH-ISAC publish report on BlackFile attacks
2026-04-27
Articles published detailing BlackFile's vishing and extortion tactics

Community

Browse all →