May 8, 2024

Hackers Behind MGM Attack Targeting Financial Sector in New Campaign

Katrina Manson, Bloomberg News

A lion statue at the MGM Grand Hotel and Casino in Las Vegas.

, Bloomberg

(Bloomberg) -- The hacking group accused of disrupting casinos and hotels at MGM Resorts International last year is engaged in a new campaign targeting banks and insurance companies, according to cybersecurity researchers.

The group, known as Scattered Spider, has targeted 29 companies since April 20 and successfully compromised the systems of at least two insurance companies, according to Resilience Cyber Insurance Solutions, a cybersecurity risk company whose researchers have been tracking the group’s activities online.

In the recent campaign, Scattered Spider targeted Visa Inc., PNC Financial Services Group Inc., Transamerica, New York Life Insurance Co. and Synchrony Financial, according to a senior threat researcher at Resilience, who didn’t want to be named due to security concerns. It wasn’t clear if the group successfully gained access to any of those companies, the researcher said.

Representatives at Transamerica and Synchrony declined to comment, while spokespeople for Visa, PNC and New York Life didn’t respond to requests for comment. The researcher declined to name the two companies in the insurance sector that were successfully breached.

Resilience researchers said the attackers purchased lookalike domains that match the names of these target companies. They then used them to host fake log-in pages intended to misdirect them, sending phishing links via emails and text messages to employees in the sector directing them to the bogus pages, according to research from Resilience. Those pages are branded as Okta Inc., or as content management services, that enable the hackers to steal the user’s credentials.

For people who visit the fake pages, a link for those who “need help signing in” misdirects them to a domain labeled with racist epithets run by Scattered Spider, according to the research.

Kyrk Storer, a spokesperson for Okta, said the company has been tracking ongoing threat activity from Scattered Spider and “proactively notifying customers when we identify fake log-in pages like these.” The company recently introduced new security features to mitigate the group’s tactics, including phishing-resistant authentication and safeguarding sensitive log-ins with additional security checks, Storer said.

The group is working at incredible speed, targeting multiple companies with social engineering techniques seen most recently on May 6, according to the senior threat researcher at Resilience.

Scattered Spider, an amorphous group that cybersecurity researchers say emerged in May 2022, has been accused of orchestrating a spate of high-profile hacks in the second half of last year, including those against MGM and Caesars Entertainment Inc., as well as cryptocurrency trading platform Coinbase Global Inc. and manufacturer Clorox Co., which led to a shortage of cleaning supplies on shelves across the US.

Read More: Casino Hackers Use Low-Tech Tricks to Exploit Corporate Networks

The hackers often trick call center employees and IT help desk staffers into giving up passwords and sensitive information, according to researchers. The attackers impersonate other company employees on phone calls, sometimes by threatening to have targets fired.

The group’s criminal activities fell off between December and February, according to Resilience researchers, who didn’t know whether that might be related to the holidays, attempting to lie low as the spotlight has increasingly fallen on them or seeking to develop a set of targets for a new campaign.

The group calls itself Star Fraud and is comprised of teenage and young adult hackers in the US and UK drawn from a larger criminal underground known as The Com, according to Resilience’s research. While the group originally focused on telecommunications companies, they have in 2024 broadened their focus to many more sectors, including food, retail and video games, as well as banking and insurance, the Resilience researchers say.

The cybersecurity firm CrowdStrike Holdings Inc., which named the group Scattered Spider, said it has tracked 52 breaches by the group through October 2023.

The FBI and the Cybersecurity and Infrastructure Security Agency, known as CISA, have repeatedly appealed for information about the activities, identities and whereabouts of members of Scattered Spider.

The FBI and CISA didn’t immediately respond to requests for comment.

(Updates with additional information in fifth paragraph.)