What might seem like a routine helpdesk call to remedy a minor IT support issue may ironically be a ruse that triggers a major cyber crisis. After all, do we really know who’s on the other end of the conversation?
The September 2023 ransomware attack against MGM Resorts in Vegas is a classic example of why it’s imperative that organizations review the dangers of tech-support social engineering scams as part of their overall security awareness and anti-phishing training.
According to multiple reports, members of the threat actor Scattered Spider (an affiliate of the Black Cat ransomware group ALPHV) performed reconnaissance on an MGM employee using LinkedIn and used that information to impersonate that individual in a call to the hospitality company’s helpdesk. By the end of the call, the perpetrators had gained information they needed to take over key accounts, reset MFA credentials and gain super admin privileges. This allowed the attackers to exfiltrate MGM Resorts’ data and encrypt their ESXi hypervisors.
In an SEC filing, MGM Resorts said the incident would cost the company roughly $100 million, after it was forced to shut down systems at multiple hotels – a move that affected slot machines, card payment terminals, reservations and even electronic door locks.
Tech support scams can also work in a reverse scenario, whereby attackers pose as the IT department or helpdesk, calling up a targeted employee and asking them for device access so they can supposedly execute an update or fix a security vulnerability before it’s too late. Meanwhile, they’re actually the ones putting the employee and company in danger.
Another cybercriminal group that gained notoriety through its tech-support scams (among other social engineering techniques) is the Lapsus$ Group, which has racked up victims such as Okta, Nvidia, Samsung, Uber and Ubisoft since emerging onto the scene in December 2021. A July 2023 report from the Cyber Safety Review Board noted that in some cases, the threat actor “impersonated help desk personnel over direct chat messages and encouraged employees to approve… MFA prompts.”
To combat this low-tech, yet effective social engineering technique, some companies have employed an identity verification service capable of weeding out phony support-calls. But even with such a solution, companies should ideally train their everyday employees and IT/helpdesk workers on identifying the signs of a scam – clues like aggressively urgent messaging or suspicious requests for credentials or access.
Employees should also learn of ways to confirm that the IT department is actually contacting them – and vice versa. For instance, if reached via email, they should check to see if the address’ domain name looks legit or suspect. They can also request to reconnect via a predetermined, alternative means of communication before any risky action is taken. For example, an initial SMS, Teams or Slack message could be followed up with an official company email. Yes, these extra steps mean a little more work on everyone’s part, but not as much work as having to painstakingly restore your ransomware-ravaged systems, like MGM Resorts did.
