The dangers of phishing and its impact on MGM
MGM was the recent target of a focused phishing attack by a prominent ransomware gang known for effective social engineering tactics. The breach allowed the gang to shut down several internet-facing systems and limit client services, like access to games, ATMS, and websites.
The attack has drawn significant attention given its characteristics and scope. While ransomware and cyber-attacks are a constant challenge for enterprises everywhere, a high-profile name like MGM has made headlines in the post-attack environment.
Characteristics of ransomware attacks are often layered steps where the hacker gang in question penetrates a network and collects administrative data for weeks, sometimes months. In concept, they’re considered high-tech and clandestine given the repercussions of a successful breach. But this particular attack scenario is unique in that the ransomware gang relied on simple methods to collect data, even taking advantage of typical workflow solutions to achieve success.
How simple? For MGM, phone calls and tech support messages. This ransomware gang, “Scattered Spider,” has a well-established reputation for social engineering schema using techniques like phone calls (or similar) to circumvent cyber and IT defenses. We mentioned the ransomware gang took advantage of MGM’s workflow by using standard, expected questions to extract information. For example, a caller might ask about lost information and preface it with details like a customer that has been busy or traveling. Because a support desk assistant aims to resolve these problems quickly, they’re not considering the idea that the caller(s) are potential hackers, much less a prolific ransomware gang.
In those vital moments, attackers can gain valuable information, from company login details to customer data.
What makes Scattered Spider additionally dangerous is their lack of established internet presence. Ransomware gangs are known for flaunting their breaches and reputation, or at least, gaining enough infamy among security experts and federal agencies.
From simple phishing to breach
The MGM breach event is another dreadful reminder of how effective phishing and social engineering techniques still are. But more so, how even “low tech” methods are brutal in their practicality, allowing ransomware gangs to compromise massive entertainment industries like MGM.
Phishing schemes have the same goal: to compromise logins and steal valuable information. But these days, the consequence of losing a password is far more disastrous. With a single login, nefarious actors can gain lateral access to networks of any type. With administrative privileges, they can spy, infect, and monitor compromised networks. Some use this information to launch large-scale ransomware attacks in the future, others collect personal data and sell it to other threat actors who then launch their phishing campaigns.
We see that example in action with the MGM breach. Details are not available for the full impact of the breach. While federal agencies, PR teams, and clients understand services were rendered unusable for some time, the true extent of the damage is not known. However, given the nature of phishing attacks and their associated consequences, it’s a guarantee the impact is severe.
After breaches, hackers have access to critical login information and personal details. Given the scope of MGM and its associated casinos/entertainment districts, it’s a perfect foundation for larger, wide-scale ransomware campaigns.
Anatomy of a phishing attack
Modern phishing follows a pattern, using modern technology and internet-facing resources for maximum effectiveness. Hackers will purchase or gather compromised (or potentially compromised) emails, logins, and contact data. This contact information is combined with phishing and social engineering messages, designed to dupe the recipient(s).
Once recipients give out information, like login info, attackers gain lateral access into a network. As mentioned, this allows them to harvest useful data. It can range from PII (personally identifiable information) to administrative privileges. Some hackers leverage that and use ransomware to demand payment from a target. Others will use it to develop hacking campaigns and target more people, like those with stolen PII.
It’s brutal and efficient and only requires one minor error at the human level to prove effective.
In the case of MGM, it was enough to impact several casinos and various IT operations.
As for what MGM intends to do in its analysis in a post-breach environment, that remains to be seen as further details are released. However, this attack should remind any enterprise or organization with internet-facing capabilities that one, they can be targeted and two, even simple phishing attacks prove dangerous.
Organizations could consider backup and security resources to mitigate the damage caused by phishing attacks. They should also consider third-party assistance and resources for additional help.