On the eve of high-profile attacks on Marks Marks & Spencer and Spencer and co-op, the scattered spider, the spider was in all media, and the lighting shimmers into the main news due to the severity of the violations caused by the hundreds of millions of lost income only for M & S.
This coverage is extremely valuable to the cybersecurity community as it increases the awareness of the fighting with which security groups are fighting every day. But it also created a lot of noise that can make it difficult to understand a big picture.
The main story of a recent company against retailers of the UK is the use of fraudsters. Usually, this involves an attacker who calls a company with some level of information-like a minimum, a PII, which allows them to betray themselves for the victim, and sometimes the password, greatly based on their native English-speaking abilities to deceive the help operator to give them access to the user’s account.
Help the scam 101
The purpose of the scam of the help is to force the help operator to reset the credentials and/or the Foreign Ministry used to access the account so that the attacker can take control. They will use different stories and tactics to do this, but most of the time it’s as easy as saying, “I have a new phone, can you take off my existing Foreign Ministry and allow me to record a new one?”
From there, the attacker sent a link to MFA reset by email or SMS. Usually this will be sent, for example, to the number that is – but at this point the attacker has already set confidence and to some extent bypassed the certificate. So, asking, “Can you send it to this email address” or “I also have a new number, you can send it …”, it goes directly to the attacker.
At this point, this is just a case of using a self -service password reset function for OKTA or Entra (which you can bypass because you now have a MFA factor to check yourself) and voilaThe attacker took control of the account.
And the best part? Most auxiliary tables have the same process for each account – it doesn’t matter who you present yourself or which account you are trying to reset. Thus, the attackers specifically focus on accounts that may have high-level administrator privileges-it means when they enter, the progression of the attack is trivial, and most of the typical escalation of privileges and lateral motion is removed from the attack.
Thus, the help scams were a reliable way of bypassing the Foreign Ministry and achieving the accounting of the account – the consolidation, from which it is possible to run the rest of the attack, such as theft of data, deployment of redemption, etc.
Don’t be fooled – it’s not new development
But what does not quite happen in the reporting is that the scattered spider has been successfully since 2022, and M&S and cooperative attacks are only on the top of the iceberg. Vishing (calling the user to make them abandon the MFA code) was part of their tools from the beginning, with early attacks on TWILio, Lastpass, Riot Games and Coinbase featuring some form of voice social engineering.
In particular, high -profile attacks on Caesars, MGM Resorts and Transport for London everyone participated in calling the help service to reset powers as a vector of initial access.
- Caesar In August 2023, where the hackers made an IT user and convinced the outsources of the certificate to reset the credentials, after which the attacker stole customer loyalty database and provided $ 15 million.
- MGM resorts In September 2023, when the hacker used LinkedIn information to get himself for the employee and reset the employee’s powers, causing the data theft 6 TV. After MGM refused to pay, the attack resulting in a 36-hour shutdown, a $ 100 million hit and a $ 45 million trial in the class.
- Transportation for London In September 2024, 5,000 users, 30,000 employees to attend personal meetings to check their faces and drop passwords, as well as significant violations in Internet services that lasts for months.
Thus, not only the scattered spider (and other threats) have been using these methods for some time, but the severity and impact of these attacks are increasing.
Avoiding reference
There is a lot of tips to provide assistance, but most of the tips are still leading to a process that is either fisher or difficult in implementation.
The organization must ultimately be prepared to make friction with your certificate and either delay, or deny requests in situations where there is a significant risk. For example, the presence of a MFA reset process that recognizes the risk associated with a high -profile account reset:
- Require multiparty approval/escalation to destroy the administrator account
- Require a personal check if the process cannot be followed remotely
- If you occur suspicious behavior (this will require some internal processes and learning to raise the alarm if suspected of attack)
And keep track of these Gotchas:
- If you get a call, good practice – stop the call and dial the number in the employee file. But, in the world of SIM replacement, this is not a stupid solution-you can just rethink the attacker.
- If your decision is to force the camera employee, more complex Deepfakes can disrupt this approach.
But, help help is a goal. They are “useful” by nature. Usually this is reflected in how they act and measure performance – delays will not help you hit these Slas! Ultimately, the process works only if employees are willing to follow it – and cannot be socially designed to break it. Assistance, which is removed from everyday operations (especially when outsourcing or coloring) are also inherently sensitive to attacks where employees act.
But, the attacks we feel at the moment must give the stakeholders a lot of ammunition, why the reforms on the table are vital to ensure the business (and what can happen if you have not made changes).
Comparing the scammers with other approaches
By taking a step back, you should think about how the help scams fit into a wider set of tools, methods and procedures (TTPS) used by actors as a scattered spider.
The scattered spider largely relied on the TTPS on the basis of identity, as they first appeared in 2022, going through the repetition path of the Foreign Ministry, reaching the absorption of accounts for privileged accounts, theft from cloud services and deployment of redemptions (mainly in the VMWare).
- Account Physhing by email and SMS (SMISHING) for password harvesting massively
- Using SIM-Support (where you force the carrier to transfer the number to the SIM card, controlled by the attacker) to bypass the SMS Foreign Affairs
- With the help of Foreign Affairs Fatigue (he
- Use Vilining (ie directly calling the victim to the social engineer their MFA code, as opposed to the attack on the certificate)
- Social Engineering Domains registrars to take control of the DNS target organization, stealing their MX and input, and using it to take over the company’s business adjusts
- And on, using MFA-BYPASS AITM PHISHING SOLTS SUPPOSED VILLIGNX To steal the live users sessions bypassing all common Foreign Affairs (except Webauthn/Fido2)
 |
| A spider scattered phisching -pages that work with evil. Source: Researchers in Silence |
Thus, the help scams are an important part of their tools, but this is not the whole picture. Methods such as AITM, in particular, perceive the popularity this year as a reliable and scalable way of bypassing the Ministry of Foreign Affairs and achieving accounts, and attackers use these tools as an actual standard, refer to creativity in ways of evading, and in some cases, evading the standard vectors.
Scattered spider deliberately shy away from the established security control
So, there is a more scattered spider set than just the scams. In fact, their approach may be widely classified as deliberately shying away from the installed control elements In the final paragraph and the network layer by orientation to identity.
In terms of account absorption, they also perform repetitive samples:
- Collecting and operating data from Cloud and Saas, where monitoring is usually less consistent than traditional conditional environments, and excritation is often combined with normal activity. Many organizations simply have no magazines and visibility to detect malicious activity in the cloud, and the scattered spider was also noticed by the forgery of cloud magazines (for example, filtering risky Aws Cloudtrail magazines, but not turning off completely so as not to increase the suspicion).
- Signing on the VMware environment for deployment of redemptions. They do this by adding them a compromised user account to VMware Admins Group in Vcentre (if necessary, they are gathering for the higher level accounts). From here, they can access the VMware environment through the ESXI Hypervisor layer where the security software is missing – thus bypassing EDR and other typical controls, based on the host, it counts on to prevent buying.
The main topic? Handling the security control.
Conclusion
You can think of a scattered spider as a kind of “Post-Mfa” threatening actor, which does everything you can to avoid set security control. Entiting the identity and absorption of accounts, they aside the final point and network surfaces, until the end of the attack chain – it is still almost too late to rely on these controls.
Thus, do not exceed the indexes on the scam of the help-you need to consider your wider surface of the identity attack and various methods of invasion, from applications and accounts with MFA spaces, local accounts that give the rear records to the account that otherwise receive access to SSO, and MFA-BYPASSSHING kITS Attacks.
Protect your organization from scattered spider TTPS (not just help on the scam table)
To find out more about a scattered spider identity tool that is increasingly accepted as standard threats, Check out the last webbiner from the PUS Security-TAPS AVAILABLE!
Learn how security presses the person’s attack
The Push Security provides a comprehensive identity attack and response to methods such as AITM phishing, accounting, spraying passwords and a session hijacking using stolen tokens. You can also use the press to find and correct the identity vulnerability in each application used by your employees, such as: Ghost Logins; Gaps in the SSO cover; MFA spaces; weak, disturbed and re -used passwords; Risky Oauth integration; And more.
If you want to know more about how the push will help you identify and defeat your General Identity Attack Methods Back some time with one of our teams for live demonstration.
