Hackers behind MGM are attacking the financial sector in a new campaign

(Bloomberg) — The hacking group accused of disrupting casinos and hotels at MGM Resorts International last year is involved in a new campaign against banks and insurance companies, according to cybersecurity researchers.

The group, known as the Scattered Spider, has targeted 29 companies since April 20 and successfully compromised the systems of at least two insurance companies, according to Resilience Cyber ​​Insurance Solutions, a cybersecurity risk firm whose researchers have tracked the group’s activities online.

In the most recent campaign, Scattered Spider targeted Visa Inc., PNC Financial Services Group Inc., Transamerica, New York Life Insurance Co. and Synchrony Financial, according to a senior threat researcher at Resilience who did not want to be named due to security concerns. It is not clear whether the group managed to gain access to any of these companies, the researcher said.

Representatives for Transamerica and Synchrony declined to comment, while spokespeople for Visa, PNC and New York Life did not respond to requests for comment. The researcher declined to name the two companies in the insurance sector that were successfully hacked.

Resilience researchers said the attackers purchased lookalike domains that matched the names of the target companies and used them to host fake login pages. They then sent phishing links by email and text message to employees in the industry, redirecting them to those pages, according to Resilience’s investigation. The sites impersonated Okta Inc. or content management services and allowed the hackers to steal the user’s login credentials.

People who visit the fake sites and follow a link for those who “need help logging in” are redirected to a domain containing racist epithets and operated by Scattered Spider, according to the investigation.
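The campaign described above relies on lookalike domains registered under the target’s name and combined with login or help-desk wording. One defensive control is to scan newly observed domains for impersonations of your own brand and identity provider. The script below is an added example written for this article, not code from Bloomberg, Resilience or Okta; the brand list, the suspicious-token list, the homoglyph table and the sample domain feed are all constructed assumptions chosen for illustration.

```python
"""Flag lookalike domains that impersonate a list of protected brands.

Added example, not part of the Bloomberg article or of any vendor's tooling.
Brand names, the domain feed and the scoring rules are assumptions chosen for
illustration; the feed lines are constructed, not real registrations.
"""
from typing import List, Optional, Tuple

# Brands to protect (constructed list; a real deployment would use the
# organisation's own registered names and its identity provider's name).
PROTECTED_BRANDS = ["okta", "visa", "pnc", "synchrony"]

# Tokens phishing kits commonly bolt onto a brand to look like a login portal.
SUSPICIOUS_TOKENS = ("login", "sso", "help", "support", "secure", "verify")

# Visual substitutions used to spoof a name (assumption: a short table is
# enough for the demo; production tools use far larger ones).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}

# Constructed feed of "DATE DOMAIN" lines, e.g. from a newly-registered-domain
# watch list. None of these are real observations.
SAMPLE_FEED = """\
2024-04-21 okta-sso-help.com
2024-04-22 visa.com
2024-04-25 0kta.com
2024-05-01 pnc-login-secure.net
2024-05-03 synchronny.com
2024-05-06 weatherreport.org
"""


def normalize_homoglyphs(label: str) -> str:
    """Map look-alike characters/digraphs back to the letters they imitate."""
    out = label.lower()
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; labels are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Return the second-level label ('okta-sso' from 'okta-sso.com').

    Assumption: single-label public suffixes only. Suffixes such as co.uk
    would need a public-suffix list, which this example leaves out.
    """
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, brands=PROTECTED_BRANDS) -> Optional[Tuple[str, str]]:
    """Return (brand, reason) if `domain` looks like an impersonation, else None."""
    label = registrable_label(domain)
    normalized = normalize_homoglyphs(label)
    for brand in brands:
        if label == brand:
            return None  # the brand's own registrable name, not a lookalike
        # Brand name combined with a login/support keyword, e.g. okta-sso-help
        if brand in normalized and any(tok in normalized for tok in SUSPICIOUS_TOKENS):
            return brand, "brand plus login/support token"
        # Digit-for-letter or digraph substitution, e.g. 0kta
        if normalized != label and normalized == brand:
            return brand, "homoglyph substitution"
        # One typo away from the brand, e.g. synchronny; very short brands are
        # skipped because a single edit on them matches too many real words.
        if len(brand) >= 4 and levenshtein(label, brand) == 1:
            return brand, "single-edit typosquat"
    return None


def scan_feed(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse 'DATE DOMAIN' lines and return hits as (domain, brand, reason)."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _date, domain = line.split(maxsplit=1)
        verdict = classify(domain)
        if verdict:
            hits.append((domain, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for domain, brand, reason in scan_feed(SAMPLE_FEED.splitlines()):
        print(f"{domain:24} impersonates {brand:10} ({reason})")
```

Hits from a scan like this are a starting point for takedown requests and for blocking the domains at the mail gateway and web proxy before the phishing links reach staff; the rules are deliberately simple, and a production watch list would add a public-suffix list, a larger homoglyph table and IDN (punycode) decoding.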

Kyrk Storer, an Okta spokesman, said the company has been tracking ongoing Scattered Spider threat activity and “proactively notifies customers when we detect fake login pages like this one.” The company recently introduced new security features to mitigate the group’s tactics, including phishing-resistant authentication and protecting sensitive logins with additional security checks, Storer said.

According to Resilience’s lead threat researcher, the group is operating at incredible speed, targeting multiple companies with social engineering techniques; its activity was most recently seen on May 6.

Scattered Spider, an amorphous group that cybersecurity researchers say emerged in May 2022, has been accused of organizing a series of high-profile hacks in the second half of last year, including those against MGM and Caesars Entertainment Inc., as well as the cryptocurrency trading platform Coinbase Global Inc. and manufacturer Clorox Co., which led to a shortage of cleaning products on shelves across the United States.

Read more: Casino hackers use low-tech tricks to exploit corporate networks

According to the researchers, the hackers often trick call center employees and IT help desk workers into revealing passwords and sensitive information. During telephone calls, the attackers pose as other employees of the company and sometimes threaten to shoot targets.

According to Resilience researchers, the group’s criminal activity declined between December and February. However, they didn’t know if this was related to the holidays, an attempt to keep a low profile as they have increasingly come into the spotlight, or an attempt to develop a set of goals for a new campaign.

The group calls itself Star Fraud and, according to Resilience’s research, is made up of teenage and young adult hackers in the US and UK who come from a larger criminal underground called The Com. While the group initially focused on telecommunications companies, it has expanded its focus to many more sectors in 2024, including food, retail and video games, as well as banking and insurance, the Resilience researchers say.

Cybersecurity firm CrowdStrike Holdings Inc., which called the group Scattered Spider, said it had tracked 52 of the group’s breaches as of October 2023.

The FBI and the Cybersecurity and Infrastructure Security Agency, known as CISA, have repeatedly requested information about the activities, identities and whereabouts of Scattered Spider members.

The FBI and CISA did not immediately respond to requests for comment.

(Updates with additional information in fifth paragraph.)

©2024 Bloomberg LP