Understand Helpdesk fraud and how to protect your organization

June 4, 2025

Scattered Spider has been all over the media in the wake of the high-profile attacks on British retailers Marks & Spencer and the Co-op, and the coverage has now spread to the mainstream news because of the severity of the impact, with M&S alone expecting a hit of hundreds of millions in lost profit.

This coverage is extremely valuable to the cybersecurity community, as it raises awareness of the battle security teams fight every day. But it has also created a lot of noise that can make the big picture hard to see.

The headline story of the recent campaign against UK retailers is the use of help desk scams. This usually involves an attacker calling the company's help desk armed with some information about the person they are impersonating (at minimum PII, sometimes even passwords) and tricking the help desk operator into giving them access to the user's account.

Help Desk Scam 101

The goal of a help desk scam is to have the help desk operator reset the credentials and/or MFA of an account so that the attacker controls it, and then use that to access the account. Attackers use a variety of backstories and tactics to get there, but most of the time it's as simple as saying, "I have a new phone, so could you remove the existing MFA and let me enrol a new one?"

From there, the help desk sends an MFA reset link via email or SMS. Normally this would go to the number on file, but at this point the attacker has already established trust and bypassed the help desk process to some extent, so the link goes straight to the attacker: "Can you send it to this email address?" or "Actually, I got a new number as well, can you send it there?"

At this point it's simply a matter of using the self-service password reset feature in Okta or Entra (now possible, since the attacker holds an MFA factor to validate with), and the attacker has taken over the account.

And the best part? Most help desks have the same process for every account. It doesn't matter who you are impersonating or which account you are trying to reset. So attackers target accounts that are likely to have top-tier admin privileges. This makes progressing the attack trivial, because much of the typical privilege escalation and lateral movement is removed from the attack path.


Help desk scams have therefore proven to be a reliable way to bypass MFA and achieve account takeover. This is the foothold from which the rest of the attack (data theft, ransomware deployment and so on) is launched.

Don’t be fooled – this is not a new development

But what has not come across at all in the reporting is that Scattered Spider has been doing this successfully since 2022. Vishing (including calling users to talk them out of their MFA codes) has been part of their toolkit from the start: the early attacks on Twilio, LastPass, Riot Games and Coinbase all involved some form of voice-based social engineering.

In particular, the high-profile attacks on Caesars, MGM Resorts and Transport for London all involved calling the help desk to reset credentials as the initial access vector.

  • Caesars: In August 2023, after a hacker impersonated an IT user and persuaded the outsourced help desk to reset their credentials, the attackers stole the customer loyalty program database and secured a $15 million ransom payment.
  • MGM Resorts: In September 2023, hackers used LinkedIn information to impersonate an employee and have their credentials reset, resulting in the theft of 6TB of data. MGM refused to pay; the attack caused a 36-hour outage and a $100 million hit, and was ultimately resolved with a $45 million class-action settlement.
  • Transport for London: In September 2024, the bank details of 5,000 users were exposed, and 30,000 staff had to attend in-person appointments to verify their passwords, causing significant disruption to online services that lasted for months.

So not only has Scattered Spider (and other threat groups) been using these techniques for a while, but the severity and impact of the attacks has increased.

Avoid the help desk’s gotchas

There is plenty of advice on securing a help desk, but much of it still results in processes that are phishable or difficult to implement.

Ultimately, organizations must be prepared to introduce friction into their help desk processes, delaying or denying requests in situations where the risk is significant. So, for example, an MFA reset process that recognizes the risk of resetting a highly privileged account:

  • Administrator-level account resets require multi-party approval/escalation
  • If the process cannot be completed remotely, in-person verification is required
  • Self-service resets are frozen if suspicious behaviour is encountered (this requires some internal process and awareness training so that staff raise the alarm when an attack is suspected)

And beware of these gotchas:

  • If you receive a call, you can end the call and dial the number in the employee's file. But in a world of SIM swapping this is not a perfect solution: it may simply redial the attacker.
  • If the solution is to put employees on camera, increasingly sophisticated deepfakes can defeat this approach.
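The reset rules and gotchas above can be written down as a decision function that a ticketing integration would call before any reset link is sent. The following is an added example written for this page, not code from the article or from Push Security; the request fields, the outcomes in `Decision` and the suspicious-behaviour signals are assumptions about what a help desk system could expose. It goes slightly beyond the text by treating a caller-supplied destination and a recently swapped SIM as signals that freeze self-service rather than merely as things to "beware of".

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    """Possible outcomes of an MFA/credential reset request (assumed names)."""
    ALLOW = "allow"
    MULTI_PARTY_APPROVAL = "require_multi_party_approval"
    IN_PERSON = "require_in_person_verification"
    FREEZE = "freeze_self_service_and_escalate"


@dataclass
class ResetRequest:
    """An MFA/credential reset request as the help desk sees it.

    All fields are hypothetical; a real integration would fill them from the
    HR system, the identity provider and (for SIM changes) the carrier.
    """
    account: str
    is_privileged: bool            # administrator-level account?
    verified_remotely: bool        # did the caller pass the remote identity checks?
    requested_destination: str     # where the caller asked for the reset link to go
    destination_on_file: str       # contact details held in the employee record
    recent_sim_change: bool = False  # number on file recently moved to a new SIM
    resets_last_7_days: int = 0      # prior reset requests for this account
    caller_pressure: bool = False    # urgency, threats, name-dropping executives


def suspicious_signals(req: ResetRequest) -> list[str]:
    """Signals that should freeze self-service resets and raise the alarm."""
    signals = []
    if req.requested_destination.strip().lower() != req.destination_on_file.strip().lower():
        # The "I got a new number as well, can you send it there?" move.
        signals.append("caller asked for the link to go somewhere other than the contact on file")
    if req.recent_sim_change:
        # Calling back the number on file would just redial the attacker.
        signals.append("number on file recently changed SIM; callback cannot be trusted")
    if req.resets_last_7_days >= 2:
        signals.append("repeated reset requests for this account this week")
    if req.caller_pressure:
        signals.append("caller applying pressure to skip steps")
    return signals


def evaluate_reset(req: ResetRequest) -> tuple[Decision, list[str]]:
    """Apply the friction rules in priority order: freeze on suspicion,
    escalate privileged accounts, require in-person verification when the
    remote checks were not completed, otherwise allow."""
    signals = suspicious_signals(req)
    if signals:
        return Decision.FREEZE, signals
    if req.is_privileged:
        return Decision.MULTI_PARTY_APPROVAL, ["administrator-level account"]
    if not req.verified_remotely:
        return Decision.IN_PERSON, ["remote verification not completed"]
    # Even on ALLOW the link is sent only to the contact on file, never to a
    # destination supplied on the call.
    return Decision.ALLOW, [f"send reset link to {req.destination_on_file}"]


if __name__ == "__main__":
    # Constructed sample requests, not real tickets.
    samples = [
        ResetRequest("alice", False, True, "alice@corp.example", "alice@corp.example"),
        ResetRequest("bob", False, True, "+1-555-0102", "+1-555-0101"),
        ResetRequest("carol-admin", True, True, "carol@corp.example", "carol@corp.example"),
        ResetRequest("dave", False, False, "dave@corp.example", "dave@corp.example"),
    ]
    for r in samples:
        decision, reasons = evaluate_reset(r)
        print(f"{r.account:12} -> {decision.value}: {'; '.join(reasons)}")
```

The ordering matters: suspicion is checked before privilege so that a suspicious request for an admin account is frozen and escalated rather than merely routed for approval, and the destination check means an operator never has to decide on the call whether a "new number" is legitimate.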

However, help desks are targets for a reason. They are, by nature, "helpful". This is usually reflected in how they behave and how their performance is measured: delays don't help hit those SLAs. Ultimately, a process only works if the employee is willing to adhere to it and cannot be socially engineered into breaking it. Help desks removed from the day-to-day business (especially outsourced or offshore ones) are also more susceptible to attacks in which employees are impersonated.

However, the attacks we are seeing now should give security stakeholders plenty of ammunition for why help desk reform is essential to securing the business (and what happens if nothing changes).

Compare help desk scams with other approaches

Taking a step back, it's worth considering how help desk scams fit into the broader toolkit of tactics, techniques and procedures (TTPs) used by threat actors such as Scattered Spider.

Scattered Spider first appeared in 2022, relying heavily on identity-based TTPs and following a repeatable path: bypass MFA, achieve account takeover of privileged accounts, steal data from cloud services, and deploy ransomware (mainly in VMware environments). Techniques observed include:

  • Credential phishing via email and SMS (smishing) to harvest passwords
  • Bypassing SMS-based MFA using SIM swapping (persuading the carrier to transfer the number to an attacker-controlled SIM card)
  • Bypassing app-based push authentication using MFA fatigue (aka push bombing)
  • Vishing (i.e., calling the victim directly to social-engineer them out of an MFA code, as opposed to calling the help desk)
  • Social engineering the domain registrar to take control of the target organization's DNS, hijack MX records and inbound email, and use this to take over the company's business app environment
  • And later, using AitM phishing kits such as Evilginx to steal live user sessions, bypassing all common forms of MFA (except WebAuthn/FIDO2)
A Scattered Spider phishing page running Evilginx. Source: Silent Push researchers

So help desk scams are an important part of the toolkit, but not the whole picture. Methods like AitM in particular have become increasingly popular this year as a reliable and scalable way to bypass MFA and achieve account takeover, with attackers adopting these toolkits as a de facto standard, getting creative at evading detection, and sometimes explicitly avoiding standard delivery vectors like email to ensure their campaigns succeed.


This on-demand webinar from Push Security explains in detail how modern phishing kits circumvent detection controls.

Scattered spiders consciously circumvent established security controls

So there's more to the Scattered Spider toolkit than the help desk scam. In fact, their approach can be broadly characterized as consciously avoiding established controls at the endpoint and network layers by targeting identity.

After account takeover, they also follow repeatable patterns:

  • Harvesting and exfiltrating data from cloud and SaaS services, where monitoring is typically less consistent than in traditional on-premises environments, so the activity often blends in with normal usage. Many organizations simply don't have the logs or visibility to detect malicious activity in the cloud anyway, and Scattered Spider has also been seen tampering with cloud logs (e.g. filtering high-risk events out of AWS CloudTrail logs rather than disabling logging completely, to avoid raising suspicion).
  • Targeting VMware environments for ransomware deployment. They do this by adding compromised user accounts to the VMware Admins group in vCenter (creating it if necessary); from there they can access the VMware environment through the ESXi hypervisor layer, where no security software is present.

The key theme? Avoiding established security controls.
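The CloudTrail tampering described in the first bullet is worth a dedicated detection, because narrowing a trail is itself an API call that the trail (or another trail in the organization) records. The following is an added example, not code from the article or from Push Security: it classifies CloudTrail records that change what gets logged, flagging selector changes that drop write or management events as high severity alongside outright `StopLogging`/`DeleteTrail`. The sample records are constructed and trimmed to the fields the check uses, the account ID and ARN are placeholders, and the field names follow the CloudTrail record format (`eventName`, `requestParameters.eventSelectors`).

```python
import json

HIGH, MEDIUM = "high", "medium"

# Constructed CloudTrail records (not real logs). The account ID and user ARN
# are placeholders; only the fields the classifier reads are included.
SAMPLE_RECORDS = [
    {   # Narrowing the trail to read-only events: writes vanish but logging stays "on".
        "eventTime": "2025-06-01T10:02:11Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "PutEventSelectors",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
        "requestParameters": {
            "trailName": "org-trail",
            "eventSelectors": [{"readWriteType": "ReadOnly", "includeManagementEvents": True}],
        },
    },
    {   # The blunt version: logging switched off.
        "eventTime": "2025-06-01T10:05:40Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
        "requestParameters": {"name": "org-trail"},
    },
    {   # Unrelated data-plane activity, should not be flagged by this rule.
        "eventTime": "2025-06-01T10:06:02Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
        "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"},
    },
    {   # A benign-looking selector change that still deserves review.
        "eventTime": "2025-06-01T10:09:15Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "PutEventSelectors",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/example-admin"},
        "requestParameters": {
            "trailName": "org-trail",
            "eventSelectors": [{"readWriteType": "All", "includeManagementEvents": True}],
        },
    },
]


def classify(record: dict):
    """Return (severity, message) for a record that reduces CloudTrail coverage, else None."""
    if record.get("eventSource") != "cloudtrail.amazonaws.com":
        return None
    name = record.get("eventName")
    params = record.get("requestParameters") or {}
    who = (record.get("userIdentity") or {}).get("arn", "unknown")
    trail = params.get("trailName") or params.get("name") or "?"

    if name in ("StopLogging", "DeleteTrail"):
        return HIGH, f"{name} on trail {trail} by {who}"

    if name == "PutEventSelectors":
        # Filtering, not disabling: the trail keeps running but drops the events
        # an investigator would need.
        for sel in params.get("eventSelectors") or []:
            rw = sel.get("readWriteType", "All")
            if rw != "All":
                return HIGH, f"trail {trail}: selector narrowed to {rw} events by {who}"
            if sel.get("includeManagementEvents", True) is False:
                return HIGH, f"trail {trail}: management events excluded by {who}"
        return MEDIUM, f"trail {trail}: event selectors changed by {who}; review the diff"

    if name == "UpdateTrail" and (
        params.get("isMultiRegionTrail") is False
        or params.get("includeGlobalServiceEvents") is False
    ):
        return HIGH, f"trail {trail}: region/global coverage reduced by {who}"
    return None


def scan(records: list[dict]) -> list[tuple[str, str]]:
    """Classify every record and keep only the findings."""
    return [f for f in (classify(r) for r in records) if f is not None]


def scan_log_file(text: str) -> list[tuple[str, str]]:
    """Scan a CloudTrail log file body, which is a JSON object with a 'Records' list."""
    return scan(json.loads(text).get("Records", []))


if __name__ == "__main__":
    for severity, message in scan(SAMPLE_RECORDS):
        print(f"[{severity}] {message}")
```

Because the tampering call is logged by the trail being tampered with, the rule only works if at least one trail in the organization, ideally an organization trail in a separate log-archive account, keeps recording management events; the `MEDIUM` finding exists so that even a selector change that looks harmless is reviewed rather than silently accepted.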

Conclusion

Scattered Spider can be thought of as a kind of "post-MFA" threat actor that does everything it can to bypass established security controls: avoiding the endpoint and network attack surfaces as much as possible by targeting identity and account takeover, and pushing any contact with those controls to the very end of the attack chain, by which point it's almost too late to rely on them.

So don't over-index on help desk scams. You need to consider the wider identity attack surface and the variety of intrusion methods that give attackers a back door into apps and accounts with MFA and SSO gaps.

Protect your organization from scattered spider TTPS (not just help desk scams)

For more information on the Scattered Spider identity-first toolkit, which is being adopted as standard across threat groups, check out Push Security's latest webinar.

Learn how push security stops identity attacks

Push Security provides comprehensive identity attack detection and response capabilities for techniques such as AitM phishing, credential stuffing, password spraying, and session hijacking using stolen session tokens. You can also use Push to find and fix identity vulnerabilities across every app your employees use: SSO coverage gaps, MFA gaps, weak, compromised and reused passwords, risky OAuth integrations, and more.

If you'd like to learn more about how Push can help you detect and defeat common identity attack techniques, book some time with one of the team for a live demo.
