MGM Hackers Launch New Campaign Targeting Financial Sector


Aggressive hackers behind hacks on Las Vegas MGM and Caesars casinos launch new campaign as FBI says it is moving toward arrests

A hacking group that disrupted MGM Resorts International and Caesars Entertainment casinos has launched a new campaign against banks and insurance companies and has compromised at least two insurance firms, according to researchers.

The Scattered Spider group has targeted 29 companies since 20 April, including Visa, PNC Financial Services Group, Transamerica, New York Life Insurance and Synchrony Financial, a researcher at Resilience Cyber Insurance Solutions told Bloomberg.

The researcher declined to name the two insurance companies that were compromised.

Scattered Spider emerged in May 2022 and to date is best known for an attack in September of last year that disrupted casinos in Las Vegas, Atlantic City and elsewhere, affecting digital room keys, check-in systems, slot machines and card payments at some locations.


Aggressive hackers

The group also late last year attacked crypto firm Coinbase and manufacturer Clorox, leading to a shortage of cleaning supplies on shelves in US stores.

The group’s members, who are believed to include teenagers and young adults in the US, the UK, other western countries and Eastern Europe, often use social engineering techniques to obtain passwords and sensitive information from call centre employees and IT help desk staff.

In conversations with victims the attackers often behave aggressively, impersonating employers and threatening to have the person fired, or threatening physical violence, researchers have said.

Scattered Spider’s activities fell off between December and February before picking up in a renewed and intense bout of activity, according to Resilience and other researchers.

Resilience said the group calls itself Star Fraud and is drawn from a larger criminal group called The Com.

Credential theft

In its latest attacks the group purchased lookalike domains matching the names of targeted companies and created fake login pages designed to steal user credentials.

The login pages are branded as Okta or content-management systems. Okta, a centralised identity and access management company, said it has been “proactively notifying customers when we identify fake log-in pages like these”.

The MGM and Caesars attacks were carried out by targeting the companies’ Okta installations.
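For defenders, the lookalike-domain pattern described above can be triaged from a feed of newly observed domain names. The sketch below is an added example, not code from the article, Resilience or Okta; the brand `examplecorp`, the owned-domain list, the keyword list and every sample domain are constructed assumptions.

```python
import re

BRANDS = {"examplecorp"}                    # constructed brand name
OWNED = {"examplecorp.com"}                 # constructed: domains the organisation really owns
IDP_WORDS = {"okta", "sso", "login"}        # assumed keyword list; tune per environment
HOMOGLYPHS = str.maketrans("0135", "oles")  # common digit-for-letter swaps

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return (verdict, reason) for one observed domain name."""
    d = domain.lower().rstrip(".")
    if any(d == o or d.endswith("." + o) for o in OWNED):
        return ("owned", "matches an owned domain")
    labels = d.split(".")[:-1]              # drop the TLD (no public-suffix handling)
    tokens = [t.translate(HOMOGLYPHS)
              for label in labels for t in re.split(r"[-_]", label) if t]
    joined = "".join(tokens)
    for brand in BRANDS:
        exact = brand in joined             # brand embedded, after undoing digit swaps
        near = any(0 < edit_distance(t, brand) <= 1 for t in tokens)
        if exact or near:
            kind = "brand" if exact else "near-miss of brand"
            if any(w in joined for w in IDP_WORDS):
                return ("high", f"{kind} '{brand}' plus identity keyword")
            return ("review", f"{kind} '{brand}' in unowned domain")
    return ("ignore", "no brand resemblance")

# Constructed sample of newly observed domains (e.g. from CT logs or DNS telemetry).
SAMPLE = ["sso.examplecorp.com", "examplecorp-okta.example", "examp1ecorp.example",
          "examplecrp-sso.example", "weather.example"]

if __name__ == "__main__":
    for name in SAMPLE:
        print(name, *classify(name))
```

Domains rated "high" combine a brand resemblance with an identity-provider keyword, which is the combination the fake Okta-branded login pages rely on.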

In November security researchers said the FBI was aware of the identities of at least a dozen members of Scattered Spider and speculated arrests had not been made because the agency did not have enough staff.

FBI cyber deputy assistant director Brett Leatherman told Reuters last week the agency was “working towards charging individuals where we can with criminal conduct” and that private firms were helping the FBI gather evidence.

‘Burden of proof’

“We have a certain burden of proof we have to meet to conduct law enforcement operations. And we are heading in that direction as quickly as we can,” Leatherman said.

In January the FBI charged 19-year-old Noah Urban from Florida with wire fraud offences. Leatherman said Urban was with the hacking group.

The gang has targeted more than 100 organisations in two years, all with some level of success, Google’s Mandiant security unit said.