MGM hackers turn their focus to the financial sector, targeting multiple companies and using social engineering techniques.
MGM Hackers Target Financial Sector, Compromising Insurance Companies
MGM hackers from last year, known as Scattered Spider, have shifted their focus to the financial sector, targeting 29 companies since April 20. Resilience Cyber Insurance Solutions, a cybersecurity risk company, has been monitoring the group’s activities online and has confirmed that at least two insurance companies have had their systems compromised. The recent campaign by Scattered Spider included targeting Visa Inc., PNC Financial Services Group Inc., Transamerica, New York Life Insurance Co., and Synchrony Financial. It is unclear whether the group successfully gained access to any of these companies.
According to researchers at Resilience, Scattered Spider employed a tactic of purchasing lookalike domains that matched the names of their target companies. They then used these domains to host fake log-in pages, which were intended to misdirect employees in the sector. Phishing links were sent via emails and text messages, directing employees to these bogus pages. The pages were branded as Okta Inc. or as content management services, allowing the hackers to steal user credentials. For those who visited the fake pages, a link labeled “need help signing in” redirected them to a domain run by Scattered Spider, which was labeled with racist words or phrases.
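As an added example (not code from the article, Resilience or Okta), here is a small Python screen a defender could run over newly observed hostnames, such as a certificate-transparency or passive-DNS feed, to catch the two patterns the campaign relied on: a protected brand name combined with SSO branding such as "okta", and near-miss spellings of the brand. The brand list, allowlist and sample feed are constructed placeholders.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed values: brands to protect and their legitimate registered domains.
PROTECTED_BRANDS = ["synchrony", "transamerica", "newyorklife"]
ALLOWED_DOMAINS = {"synchrony.com", "transamerica.com", "newyorklife.com"}

# Words the fake pages were branded with; a brand name plus one of these in a
# hostname the organisation does not own is a strong credential-phishing signal.
SSO_TOKENS = ("okta", "sso", "login", "signin", "helpdesk")

# Digit-for-letter substitutions commonly used to build lookalike labels.
HOMOGLYPHS = str.maketrans({"0": "o", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize(text: str) -> str:
    """Lower-case, strip accents, fold digit homoglyphs and drop separators."""
    folded = unicodedata.normalize("NFKD", text.lower()).encode("ascii", "ignore").decode()
    return re.sub(r"[-_.]", "", folded.translate(HOMOGLYPHS))


def registered_domain(hostname: str) -> str:
    """Last two labels (a public-suffix list would be more accurate; simplified here)."""
    parts = hostname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def flag_domain(hostname: str, threshold: float = 0.8):
    """Return (brand, reason) when hostname looks like a lookalike of a protected brand."""
    if registered_domain(hostname) in ALLOWED_DOMAINS:
        return None  # our own infrastructure, including sso.<brand>.com
    full = normalize(hostname)
    label = normalize(registered_domain(hostname).split(".")[0])
    for brand in PROTECTED_BRANDS:
        if brand in full and any(tok in full for tok in SSO_TOKENS):
            return brand, "brand+sso-token"
        if SequenceMatcher(None, label, brand).ratio() >= threshold:
            return brand, "edit-distance"
    return None


def scan(hostnames):
    """Apply flag_domain to a feed, e.g. new certificate-transparency entries."""
    return [(h, *hit) for h in hostnames if (hit := flag_domain(h))]


# Constructed sample feed, not real indicators.
SAMPLE_FEED = ["synchrony-okta.com", "newyorklfe.com", "sso.synchrony.com", "example-bank.com"]

if __name__ == "__main__":
    for hostname, brand, reason in scan(SAMPLE_FEED):
        print(f"{hostname}: lookalike of {brand} ({reason})")
```

Hits from a feed like this are candidates for takedown requests and for blocking at the mail and web proxy, and the edit-distance threshold should be tuned against the organisation's own legitimate subdomains before alerting on it.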
Okta, the company whose branding was used on the fake log-in pages, has been actively tracking Scattered Spider’s activities and notifying customers when fake log-in pages are identified. The company has also introduced new security features to mitigate the group’s tactics, including phishing-resistant authentication and additional security checks for sensitive log-ins.
Scattered Spider has been operating at an incredible speed, targeting multiple companies with social engineering techniques. The group emerged in May 2022 and has been accused of orchestrating high-profile hacks, including those against MGM, Caesars Entertainment Inc., Coinbase Global Inc., and Clorox Co.; the Clorox attack in particular led to a shortage of cleaning supplies in the US. The group often tricks call center employees and IT help desk staffers into giving up passwords and sensitive information. They impersonate other company employees on phone calls, sometimes resorting to threats of termination.
Between December and February, Scattered Spider’s criminal activities decreased, but the reasons behind this decline are unknown. It is unclear whether the group was lying low during the holidays, attempting to avoid the spotlight, or preparing for a new campaign. The group, also known as Star Fraud, is composed of teenage and young adult hackers from the US and UK, drawn from a larger criminal underground known as The Com. While their initial focus was on telecommunications companies, they have since broadened their targets to include sectors such as food, retail, video games, banking, and insurance.
CrowdStrike Holdings Inc., a cybersecurity firm, has tracked 52 breaches by Scattered Spider through October 2023. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have repeatedly appealed for information about the group’s activities, identities, and whereabouts.