Two giants in the gaming and hospitality industry, Caesars Entertainment and MGM Resorts, recently announced that they were targeted by cybercriminals. But here’s the catch: both ransomware attacks appear to have started with social engineering tactics used against IT helpdesk personnel to gain access to systems.
At the time of writing there is no official confirmation as to who is behind these attacks, or even how the MGM attack occurred, but a cybercriminal group known as Scattered Spider, an affiliate of the BlackCat/ALPHV ransomware-as-a-service (RaaS) group, is thought to be responsible for them.
Caesars noted in its SEC filing that the data breach that occurred on September 7 began with “social engineering attacks on an outsourced IT support vendor.” After gaining access to the systems, the attackers stole the personal data of a significant number of its loyalty program members.
MGM reported on September 11 that a cybersecurity issue had impacted several of its systems and that it had taken action, including shutting down certain systems. As a result, its entire operation was brought to a standstill for several days. According to a post on X by vx-underground, ALPHV allegedly found an employee on LinkedIn and used their information to call MGM’s IT helpdesk and compromise its systems.
Targeting Employees with Cyber Attacks
Social engineering tactics are often used in cyber attacks, especially during their initial stages. It can be easier for cybercriminals to manipulate an organization’s employees into taking some action that furthers the attack, such as downloading malware or giving out sensitive information, than to compromise technical defenses directly.
The key to a successful social engineering attack is to make it believable. Cybercriminals accomplish this through researching their targets. There is an abundance of publicly available information for them to gather on social media and other online sources. This allows social engineers to impersonate employees and make their attacks appear to be legitimate requests.
Yes, phishing attacks will find their way to your email inbox, but social engineers use other communication channels, too, some of which employees may not be expecting. Whatever methods you use to communicate with others, cybercriminals have developed attacks to exploit them. Vishing calls, messages on social media, SMS text messages, and even your organization’s collaboration tools can be used for social engineering attacks.
Defending Against Social Engineering Attacks
Technical defenses cannot stop every social engineering attack. At some point, cybercriminals will contact you by email, social media, phone, or even your organization’s collaboration tools, and the information posted online can help their attacks appear legitimate. Three practices reduce the risk:
- Limit the information you share online. Balance the professional reasons for sharing information with the need to protect your personal information. The more information that is available for social engineers to discover about you, the easier it is for them to impersonate you.
- Confirm that requests are legitimate before taking action or sharing information. It’s easy for social engineers to pretend to be anyone when they communicate with you. Take the time to verify requests through another communication channel controlled by your organization.
- Trust your gut. Social engineers take the time to research their targets and make sure that they get the details correct in their communications. Sometimes, the only red flag you may have is that something seems a bit unusual.
It’s important for organizations to protect their systems and sensitive information. But cybercriminals know that, sometimes, the easiest way to gain access is to simply ask.
Learn more about how to prepare and educate your employees to recognize and neutralize social engineering attacks and human error—helping to end cyber risk at your organization.