Scattered Spider: Unveiling Help Desk Scams and Strengthening Organizational Defenses

In spring 2025 the cybercriminal group known as Scattered Spider attacked prominent UK retailers, including Marks & Spencer and Co-op. The incidents disrupted operations for weeks and caused substantial financial losses: Marks & Spencer estimated the hit to its operating profit at around £300 million. The group's primary entry point was not a software vulnerability but the IT help desk, which it manipulated through social engineering into resetting credentials and multi-factor authentication (MFA) for accounts it had chosen in advance.

Understanding Help Desk Scams

Help desk scams are a form of social engineering in which an attacker impersonates a legitimate user and manipulates help desk staff into handing over control of that user's account. The usual ask is a password reset, a reset of the user's MFA factors, or both; once the old factors are removed, the attacker enrolls a device they control and the account is theirs.

Attackers typically open the call already holding some of the target's personal details, such as date of birth, employee ID, manager's name or even a current password, often gathered from earlier breaches, data brokers or social media, and use them to pass the operator's initial identity check. Speaking fluent, native-sounding English, they then build a plausible story to persuade the operator to reset the password or MFA settings. A common pretext is "I've got a new phone", followed by a request to remove the existing MFA factors so a new device can be enrolled.

Once the operator is convinced, the attacker asks that the reset or enrollment link be sent to an alternative email address or phone number, which of course the attacker controls. With a freshly enrolled MFA factor, the attacker can then walk through the self-service password reset flow in identity platforms such as Okta or Microsoft Entra and set a password of their choosing, obtaining full control of the account without ever involving the real user. The method is especially effective because help desks commonly apply the same reset procedure to every account regardless of the user's role or access level. Attackers exploit this by targeting accounts that already hold elevated privileges (administrators, IT staff, identity platform operators), so that a single successful call yields high-privilege access with no need for traditional privilege escalation or lateral movement.

Historical Context and Evolution

Although the 2025 retail attacks brought help desk scams into the spotlight, Scattered Spider has used these tactics since at least 2022. Its earlier campaigns against organizations such as Twilio, LastPass, Riot Games and Coinbase relied on voice-based social engineering (vishing), sometimes combined with SMS phishing, to trick employees into revealing one-time MFA codes.

The high-profile attacks on Caesars Entertainment and MGM Resorts in 2023 also began with help desk scams. In the Caesars incident the attackers socially engineered an outsourced IT help desk into resetting credentials; the result was the theft of the customer loyalty program database and a reported ransom payment of around $15 million. At MGM Resorts, the attackers used an employee's LinkedIn profile to impersonate them to the help desk and obtain a credential reset, and the group later claimed to have exfiltrated some 6 terabytes of data.

Defensive Strategies Against Help Desk Scams

To mitigate the risk of help desk scams, organizations should combine procedural, technical and monitoring controls. The common thread is that identity verification must rest on something the caller cannot have harvested from a breach or a LinkedIn profile, and that a reset must never be routed to a contact the caller supplies:

1. Enhanced Verification Protocols: Before any password or MFA reset, verify the requester through a channel the attacker does not control: call the employee back on the phone number already on record, require a video call with government ID, or require approval from the user's manager. Never send a reset or enrollment link to an email address or phone number given during the call; use only contacts already registered in the directory. For administrators and IT staff, require in-person verification or a second approver, or disallow phone-initiated MFA resets for those roles altogether.

2. Employee Training: Run regular, scenario-based training for help desk staff, including outsourced providers, on the pretexts used in these attacks: the "new phone" story, manufactured urgency, name-dropping of managers, and requests to send links elsewhere. Make it explicit that refusing or escalating a request is always acceptable and that pressure to skip verification is itself a red flag.

3. Monitoring and Auditing: Log every help desk reset and alert on the sequence that characterizes this attack: an MFA factor reset performed by the help desk, followed within minutes by a self-service password reset and a sign-in from a device the account has never used, especially for privileged accounts or where the reset link went to a newly supplied contact. Periodically reconcile help desk tickets against the identity platform's audit log so that resets with no corresponding ticket surface.

4. Access Controls: Restrict which operators can reset passwords and MFA factors, and enforce least privilege on those operators' own accounts so that a compromised help desk account cannot reset an administrator's. Keep administrative accounts separate from the everyday accounts help desks routinely service, and protect them with phishing-resistant MFA (FIDO2 security keys or passkeys) that cannot be talked away over the phone.

5. Incident Response Planning: Prepare a playbook for a suspected fraudulent reset: revoke all sessions and tokens for the account, roll back the MFA and password change, re-verify the user through a trusted channel, and review what the account did between the reset and detection. Exercise the playbook regularly so it runs quickly when a real call comes in.
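The following Python script is an added example, not code from the original article or from any identity vendor. It implements the detection described in item 3 for the attack chain laid out earlier: a help desk MFA factor reset followed within a short window by a self-service password reset and a sign-in from an unknown device, with severity raised when the account is privileged or the reset link went to a contact that was not already on record. The audit events and directory data are constructed for the example, and the field names (`type`, `actor`, `target`, `detail`) are assumptions rather than the real Okta or Microsoft Entra log schema; map your own export onto them.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, kind, actor, target, **detail):
    """Build one audit event. Field names are an assumption for this example,
    not the real Okta or Microsoft Entra log schema."""
    return {"ts": ts, "type": kind, "actor": actor, "target": target, "detail": detail}


# Constructed sample events (not real logs). j.doe and svc.admin show the reset
# chain; a.smith is a legitimate help desk reset with no suspicious follow-on.
SAMPLE_EVENTS = [
    ev("2025-04-20T09:02:10Z", "mfa.factor.reset", "helpdesk.ops", "j.doe",
       reset_link_to="j.doe@corp.example"),
    ev("2025-04-20T09:04:41Z", "user.password.reset", "j.doe", "j.doe", ip="203.0.113.9"),
    ev("2025-04-20T09:05:30Z", "user.session.start", "j.doe", "j.doe",
       ip="203.0.113.9", device_known=False),
    ev("2025-04-20T10:15:00Z", "mfa.factor.reset", "helpdesk.ops", "a.smith",
       reset_link_to="a.smith@corp.example"),
    ev("2025-04-20T10:40:00Z", "user.session.start", "a.smith", "a.smith",
       ip="198.51.100.4", device_known=True),
    ev("2025-04-20T11:00:00Z", "mfa.factor.reset", "helpdesk.ops", "svc.admin",
       reset_link_to="newphone-4411@mail.example"),  # contact supplied on the call
    ev("2025-04-20T11:03:12Z", "user.password.reset", "svc.admin", "svc.admin", ip="192.0.2.77"),
    ev("2025-04-20T11:03:50Z", "user.session.start", "svc.admin", "svc.admin",
       ip="192.0.2.77", device_known=False),
]

# Constructed directory data: contacts on record and privileged-group membership.
DIRECTORY = {
    "j.doe": {"contacts": {"j.doe@corp.example"}, "privileged": False},
    "a.smith": {"contacts": {"a.smith@corp.example"}, "privileged": False},
    "svc.admin": {"contacts": {"svc.admin@corp.example"}, "privileged": True},
}

# How long after the help desk reset the follow-on events must occur to count.
WINDOW = timedelta(minutes=30)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_reset_chains(events, directory, window=WINDOW):
    """Return one alert per help desk MFA reset that is followed within `window`
    by a self-service password reset and a sign-in from an unknown device.
    Severity is 'high' if the account is privileged or the reset link went to a
    contact not on record (the attacker-supplied 'new phone'); else 'medium'."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 Z sorts lexically
        by_user[e["target"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["type"] != "mfa.factor.reset":
                continue
            start = _ts(e["ts"])
            follow = [f for f in evs[i + 1:] if _ts(f["ts"]) - start <= window]
            pw_reset = any(f["type"] == "user.password.reset" for f in follow)
            new_device = any(f["type"] == "user.session.start"
                             and not f["detail"].get("device_known", True)
                             for f in follow)
            if not (pw_reset and new_device):
                continue
            info = directory.get(user, {"contacts": set(), "privileged": False})
            link_to = e["detail"].get("reset_link_to")
            unverified_contact = link_to is not None and link_to not in info["contacts"]
            severity = "high" if (info["privileged"] or unverified_contact) else "medium"
            alerts.append({
                "user": user,
                "reset_by": e["actor"],
                "at": e["ts"],
                "severity": severity,
                "privileged": info["privileged"],
                "unverified_contact": unverified_contact,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_reset_chains(SAMPLE_EVENTS, DIRECTORY):
        print(alert)
```

Run against the sample data this yields two alerts: a medium one for j.doe, whose chain completed but used the contact on record, and a high one for svc.admin, which is both privileged and had its link sent to an address the directory has never seen. The a.smith reset produces nothing because no self-service password reset followed. In production, the "unknown device" signal would come from your identity platform's device or session risk fields, and the contact check from your HR or directory system rather than an inline dictionary.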

By adopting these measures, organizations raise the cost of a help desk scam considerably and reduce the likelihood that a single convincing phone call hands groups like Scattered Spider a privileged account.