MGM casino

Spear Phishing on Social Media: What Can We Learn from MGM Most Recent Cyberattack

In a cyberattack that occurred in September, MGM Resorts has admitted that hackers obtained an undisclosed quantity of personal data from its patrons. The projected damages to the massive hotel and casino chain are $100 million.

On September 11, the massive hotel and casino chain initially revealed that it had been the victim of a significant cyberattack. The cyberattack caused considerable disruption throughout MGM’s locations, taking down the business website and online booking systems, stopping ATMs and slot machines, and other disruptions that were later claimed by hackers from the ALPHV subgroup Scattered Spider.

The business acknowledged that the hackers who carried out the assault were able to get some personal data belonging to clients who did business with MGM Resorts before March 2019 in a regulatory filing on Thursday. Names, phone numbers, gender, birth dates, and driver’s license numbers are all included in this. According to the organization, hackers were also able to get passport data and Social Security numbers for a restricted group of clients.

Cybercriminals Modus Operandi

Cybercriminals changed their ransomware tactics in the middle of the decade. Rather than bombarding numerous individuals with ransomware, cybercriminals shifted their focus to targeting major institutions such as hospitals, governments, hotel chains, and pipeline corporations. These are the kind of victims that have the financial means to spend millions of dollars, not just hundreds, to restore control over their computer systems. They could generate a lot more revenue while dispersing a lot less virus if they pursued these valuable targets. It was just a matter of time until Vegas became the target of cybercriminals. Caesars and MGM Resorts were also the targets of a ransomware assault earlier this autumn.


While it may seem obvious that cybercriminals would target casinos in Las Vegas, the Financial Times reports that the hackers’ initial scheme was rather intricate: they intended to break into the MGM casinos’ slot machines in order to manipulate the results, after which they would hire individuals to visit the establishments and use the compromised machines to win money. In a Telegram discussion with one of the hackers, the Times learned that the slot machine software was, as it turned out, not as easily manipulable. After failing to rig the slots, the hackers had no choice but to go to their backup strategy: they would take all the casino’s data, encrypt it, and demand a ransom to unlock it and give it back to MGM. Below, we will explain how this hacking was done.


Scattered Spider


Despite the culprits’ ambitious plans to manipulate slot machines, the MGM hack itself was not very complex or uncommon. The hackers allegedly used LinkedIn to get the personal details of an MGM employee. They then phoned the IT help desk and claimed to be that employee in order to reset the employee’s account credentials. The hackers claiming responsibility for the assault, a group known as “Scattered Spider,” have previously penetrated businesses through phone calls using similar social engineering techniques (often referred to as “vishing,” short for “voice-call phishing”).


Scattered Spider focuses on social engineering, a tactic whereby attackers assume the identity of individuals or groups with whom the target has a relationship in order to trick the victim into doing specific tasks. The hackers are reportedly particularly skilled at “vishing,” which is the process of accessing networks using a convincing phone conversation as opposed to phishing, which uses an email.

The company had taken MGM’s data, encrypted it, and is now requesting money in cryptocurrency to decrypt it. This was a fallback strategy; the spokesperson stated that the gang had originally intended to hack the company’s gambling machines but was unsuccessful.


The Importance of Social Media Security Awareness

Social media platforms are a major part of our daily lives. People use it to share their daily activities, thoughts, and pictures. It is also widely used by companies to promote their products, connect with customers, and even hire new talent. However, social media platforms can also be a goldmine for hackers looking to gain access to sensitive information. One such method that hackers can use is spear phishing, a targeted attack aimed at a specific individual or organization. In this article, we will explore how hackers can use Facebook and other social media CEO’s profiles to spear phish them.


Spear phishing attacks are highly targeted and customized attacks that aim to trick the victim into revealing sensitive information or clicking on a malicious link. In this type of attack, hackers research their target, often through social media platforms, to gather as much information as possible. When it comes to CEO’s, social media profiles can provide a wealth of information that hackers can use to craft their attacks.


Facebook, Twitter, LinkedIn (as happened with MGM), and other social media platforms are treasure troves of personal information that hackers can use. CEO’s often use these platforms to post about their business activities, share their personal interests, and even provide information about their family members. Hackers can use this information to craft a spear phishing email that appears customized and convincing.


For instance, a hacker may send an email to a CEO with the subject line, “Invitation to participate in a prestigious business conference.” The email may contain a “personal” note that mentions the CEO’s recent post about family vacation or personal interests. This type of customized email creates a sense of familiarity and trust, which can convince the CEO to click on a malicious link or provide sensitive information.


Moreover, social media platforms can also provide information on the CEO’s circle of friends and business associates, which can be used to extend the attack beyond the CEO. By targeting other individuals close to the CEO, hackers can gain access to more sensitive information or even hold the CEO’s network hostage.


To prevent these types of attacks, CEOs and their employees must practice social media hygiene. This includes limiting the amount of personal information shared on social media, maintaining strong privacy settings, and regularly reviewing their social media presence for suspicious activities. It is also essential to provide regular cyber awareness training to employees on the latest spear phishing techniques and social engineering methods.


In conclusion, social media platforms are fertile ground for hackers looking to gain access to sensitive information through spear phishing tactics. CEO’s should be cautious of what they post on social media, maintain privacy settings, keep their personal information safe and provide regular cyber awareness training to all employees. This will go a long way in ensuring that the company remains secure from cyber threats and provides the best possible environment for employees to work in.


What then can you do to safeguard yourself?


The same basic guidelines about being careful what information you disclose and with whom apply when it comes to attempts to vish you individually. Don’t share your passwords or login information with anybody, and exercise caution with any publicly accessible information you may have because it might be used against you in an identity theft scheme. Before you interact with someone, be sure they are who they say they are. For further security, utilize multi-factor authentication with each of your accounts. This will prevent someone who gains access to one account from being able to access the others.


In this instance, though, consumers are at a loss for recourse because many companies they entrusted with their data lack the necessary safeguards in place. However, they can take a few steps after the event to reduce any potential harm. You might not want to rely only on a corporation that didn’t safeguard your data in the first place, even though MGM claims it is notifying consumers whose data was taken and providing them with free identity protection and credit monitoring.