Social Engineering Safety Takeaways From MGM Resorts and Caesar’s Entertainment Cyberattacks
On Sept. 11, 2023, a number of MGM resorts and casinos were simultaneously disrupted by ransomware and data extortion attackers, costing the company $100 million, according to AP News. Caesar’s Entertainment was also attacked, which the Wall Street Journal reported resulted in the company paying roughly half of the $30 million demanded.
The resorts and casinos were attacked by Scattered Spider, aka Roasted 0ktapus, aka Muddled Libra, part of the larger ALPHV ransomware group, also known as BlackCat. No, this is not another “Ocean’s… [number]” film or animated action hero comic book movie. This is Cybersecurity Awareness 101. Take out your pens and pencils, and let’s get started.
Quick aside: Wondering what is up with the Scattered Spider, Muddled Libra, ALPHV, BlackCat, and other aliases of the hacking group? The main reason these criminal groups have so many names is that Microsoft, Mandiant, CrowdStrike, and other security researchers each call them by different names. You can read more about this phenomenon here.
According to the cyberattackers, they initially gained access to the MGM computer networks by misleading IT help desk personnel into resetting an employee’s password. They did this by looking up an MGM employee on LinkedIn and then calling the help desk asking for a password reset on that account. The initial attack vector had nothing to do with artificial intelligence; it was a basic social engineering attack over the telephone.
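The defensive counterpart to that phone call is a help desk procedure that refuses to treat publicly discoverable facts (name, title, employer, manager) as proof of identity. The following Python gate is an added example written for this article; it is not MGM’s, Caesar’s or NIST’s own procedure, and the account records, phone numbers, timestamps, verification method names and the one-reset-per-24-hours threshold are all constructed assumptions. It models a reset request, requires an out-of-band check (callback to the number already on record, or an MFA push to an enrolled device), demands manager confirmation for privileged accounts, flags repeat resets, and emits an audit line a SOC could alert on.

```python
"""Help-desk password-reset gate (added example; policy values are constructed assumptions)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Anything a caller can read off a public profile is "knowledge"; this
# policy never accepts knowledge-based checks on their own.
KNOWLEDGE_METHODS = {"name_title_employer", "employee_id", "manager_name"}
# Out-of-band checks reach something the real user controls, not the caller.
OUT_OF_BAND_METHODS = {
    "callback_to_number_on_record",
    "mfa_push_to_enrolled_device",
    "manager_confirmed_via_video",
}
RESET_WINDOW_HOURS = 24          # assumption: a second reset within a day is escalated
MAX_RESETS_PER_WINDOW = 1


@dataclass
class Account:
    username: str
    privileged: bool             # e.g. identity-provider or domain admin
    phone_on_record: str         # number from HR/IdP, never from the caller


@dataclass
class ResetRequest:
    account: str
    channel: str                          # "phone", "chat", "in_person"
    verification: List[str]               # methods the agent actually performed
    callback_number_used: Optional[str]   # number the agent dialled, if any
    requested_at: datetime


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate_reset(req: ResetRequest, account: Account, history: List[datetime]) -> Decision:
    """Return a Decision; any reason at all blocks the reset."""
    reasons: List[str] = []
    if not any(m in OUT_OF_BAND_METHODS for m in req.verification):
        reasons.append("no out-of-band verification; knowledge-based checks alone are not accepted")
    if ("callback_to_number_on_record" in req.verification
            and req.callback_number_used != account.phone_on_record):
        reasons.append("callback went to a caller-supplied number, not the number on record")
    if account.privileged and "manager_confirmed_via_video" not in req.verification:
        reasons.append("privileged account requires manager confirmation over video")
    recent = [t for t in history if req.requested_at - t <= timedelta(hours=RESET_WINDOW_HOURS)]
    if len(recent) >= MAX_RESETS_PER_WINDOW:
        reasons.append(f"{len(recent)} reset(s) already in the last {RESET_WINDOW_HOURS}h; escalate to security")
    return Decision(allowed=not reasons, reasons=reasons)


def audit_line(req: ResetRequest, decision: Decision) -> str:
    """One key=value log line per request so denied attempts are visible to the SOC."""
    verdict = "ALLOW" if decision.allowed else "DENY"
    return (f"HELPDESK_RESET ts={req.requested_at.isoformat()} account={req.account} "
            f"channel={req.channel} methods={','.join(req.verification)} "
            f"decision={verdict} reasons={'; '.join(decision.reasons) or '-'}")


# --- constructed sample data -------------------------------------------------
NOW = datetime(2023, 9, 11, 9, 0)
ACCOUNTS: Dict[str, Account] = {
    "jdoe": Account("jdoe", privileged=False, phone_on_record="+1-555-0100"),
    "asmith": Account("asmith", privileged=False, phone_on_record="+1-555-0102"),
    "idp-admin": Account("idp-admin", privileged=True, phone_on_record="+1-555-0101"),
}
RESET_HISTORY: Dict[str, List[datetime]] = {"jdoe": [NOW - timedelta(hours=2)]}
SAMPLE_REQUESTS: Dict[str, ResetRequest] = {
    # Caller only knows what a public profile shows.
    "public_info_only": ResetRequest("asmith", "phone", ["name_title_employer", "manager_name"], None, NOW),
    # Agent dialled the number on record and the employee answered.
    "callback_ok": ResetRequest("asmith", "phone", ["callback_to_number_on_record"], "+1-555-0102", NOW),
    # Agent "called back" a number the caller gave on the same call.
    "callback_wrong_number": ResetRequest("asmith", "phone", ["callback_to_number_on_record"], "+1-555-0199", NOW),
    # Privileged account, properly called back, but no manager confirmation.
    "privileged_no_manager": ResetRequest("idp-admin", "phone", ["callback_to_number_on_record"], "+1-555-0101", NOW),
    # Legitimate-looking request for an account already reset two hours ago.
    "repeat_reset": ResetRequest("jdoe", "phone", ["callback_to_number_on_record"], "+1-555-0100", NOW),
}


def run_samples() -> Dict[str, Decision]:
    """Evaluate every constructed request against the policy."""
    return {name: evaluate_reset(req, ACCOUNTS[req.account], RESET_HISTORY.get(req.account, []))
            for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(name, "->", audit_line(SAMPLE_REQUESTS[name], decision))
```

Only `callback_ok` passes; the other four each fail on exactly one rule, and each produces a `DENY` audit line. The point of the audit line is that a string of denied reset attempts against one account in a short window is itself the detection signal, whether or not any individual agent was fooled.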
You remember the telephone, right? It’s the thing that you use to send text messages or use apps, but instead of messaging someone, you talk into it. It’s sort of like FaceTiming, but without the face. A few friends recently told me how much they hate, loathe or greatly dislike talking on the phone “these days.” What is so different about talking on the phone “these days” versus “back in the day?”
The difference is that most conversations are text-based “these days,” and talking to a stranger on the phone can spark social anxiety. It feels foreign, uncomfortable or even like torture to many people, even if it is part of their job. Ask your kids how they feel about phone conversations. They seem unnecessary to many young people (and to some older people who prefer texting). They think, “Why did they call me?”
I’m not here to pass judgment on this trend, but it is important to train your staff to be competent using the telephone, even if they “don’t like phone calls.” They need to be able to detect social engineering in all its forms, not just email phishing scams. Users need to know about voice phishing scams over the phone, known as vishing, and about social engineering using text messages, known as SMS phishing or smishing.
To develop a strong cybersecurity and privacy learning program that keeps your staff vigilant about social engineering scams, the National Institute of Standards and Technology (NIST) lists five key considerations:
- Develop, maintain, and implement mandatory organization-wide cybersecurity and privacy learning programs (CPLP) for all members of the workforce that support enterprise cybersecurity and privacy goals and objectives.
- Ensure that the CPLP aligns with established rules of behavior and is consistent with applicable policies, standards, and guidelines.
- Apprise the workforce of available cybersecurity and privacy resources, such as products, techniques, or expertise.
- Provide foundational as well as more advanced levels of cybersecurity and privacy training to the workforce and ensure that measures are in place to assess the knowledge and skill of participants.
- Identify who needs specialized cybersecurity and privacy training based on assigned cybersecurity and privacy roles and responsibilities.
As a next step, check out some computer-based security awareness training providers, including KnowBe4, Cofense, PhishLabs, SANS, Mimecast and Proofpoint; here is a comparative list from Gartner.
You can also find some free videos on YouTube that you can share with your users today, like this one: