
Passwords: stop admiring the problem, time to fix it

by Mark Rowe

In the last few months, cyber criminals have unleashed their wrath on the global retail sector. Brands have been brought to their knees, suffering unimaginable losses, while catapulting the cyber threat into the public domain. Consumers are no longer immune to the impacts of cyber crime, which they once understood only loosely through incomprehensible statistics or fear-inducing headlines. They are now feeling its effects on a personal level, writes Simon Phillips, CTO of Engineering at the cyber firm CybaVerse.

Stock in major retail brands has run low, online purchases have been paused, and numerous individuals have had their personal data compromised by attackers. These outcomes have highlighted that no one is immune to the threat posed by digitally savvy malicious adversaries. This recent spate of attacks has been attributed to a notorious hacking collective dubbed Scattered Spider.

While often referred to as a cyber crime “group,” Scattered Spider operates more as a fluid network of individuals utilising common tactics, techniques and procedures, in particular social engineering, to compromise targets. In most attacks, Scattered Spider’s operators impersonate employees, often IT support staff or executives, after identifying targets on LinkedIn or other public platforms. They then exploit weaknesses in identity verification procedures, calling IT help desks and requesting password resets. Once access is obtained, threat actors move swiftly, deploying ransomware-as-a-service (RaaS) tools, encrypting systems, stealing data and shattering operations.

While the retail industry continues to suffer in the aftermath of this deluge of attacks, new data shows that the hacking collective has switched its target, with the insurance and airline industries now featuring at the top of the hit list. Given this actor’s history of focusing on one sector at a time, the insurance and airline industries should be on high alert. So, what can we learn from previous attacks executed by Scattered Spider to help organisations prepare?

Techniques of Scattered Spider

In the recent spate of retail attacks, initial access to systems was granted after an employee was tricked into performing a password reset for a compromised identity. From there, attackers exploited internal systems, disrupted operations and caused unimaginable damage.

Despite the success of these techniques, they aren’t new. Scattered Spider has been applying them for years. They are identical to the methods used in the 2023 cyber attack against MGM Resorts, which was also attributed to Scattered Spider. This highlights that even after the huge headline-grabbing cyber attack against one of the world’s largest casinos, we still didn’t learn our lesson. Let’s hope we do this time. However, to achieve improved resilience against Scattered Spider, it is essential that organisations take steps to improve their password reset policies.

The power of the password

Passwords are often viewed as a nuisance, an inconvenient way to access systems. It’s only when massive breaches unfold that people begin to understand the true power of the password. In the wrong hands, a password is a key that unlocks an entire organisation and everything it deems important. It grants criminals unmonitored access into confidential systems for them to snoop on data, steal confidential assets or lock up systems using ransomware.

To combat this, organisations must take password security more seriously, not just in terms of the passwords themselves, but in the processes that surround them. Reset processes must include multi-stage verification. No single employee should be able to reset credentials without clearly validating the identity of the requester. While Multi-Factor Authentication (MFA) is now widely recommended, even MFA can be bypassed, particularly when legacy forms like SMS-based codes or push notifications are used. Many of the tactics employed by Scattered Spider are designed specifically to exploit MFA fatigue and social engineering blind spots. This is where modern, phishing-resistant approaches like Fast IDentity Online (FIDO) come into play.

FIDO is a global authentication standard that eliminates the reliance on shared secrets by using public key cryptography. When a user authenticates with FIDO, a private key stored securely on their device proves their identity, but that key is never shared or transmitted. The corresponding public key is stored by the service provider, meaning there’s nothing for attackers to steal, intercept or trick out of an employee.

FIDO-based systems are inherently resistant to phishing, session hijacking and credential stuffing attacks. They also simplify the login process, often using biometrics or hardware security keys that are both faster and more secure than traditional passwords. By adopting FIDO, organisations dramatically reduce the risk of compromise via social engineering.
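As an added illustration (not code from the article or from CybaVerse), a simplified Go model of the FIDO challenge-response described above: the device signs a service-issued challenge together with the origin the browser is actually on, the service stores only the public key, and the same challenge relayed through a look-alike domain is rejected. The names relyingParty, authenticator and Demo and the example.com / evil.test origins are constructed for this illustration; real WebAuthn also signs authenticator data and a relying-party ID hash, which are omitted here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Simplified FIDO/WebAuthn challenge-response (added illustration, not CybaVerse or FIDO code). The browser
// puts the origin it is really on into the signed client data, so a relayed challenge fails at the genuine service.
type clientData struct{ Challenge []byte; Origin string }
type assertion struct{ ClientDataJSON, Signature []byte }
type authenticator struct{ priv ed25519.PrivateKey } // private key never leaves the device
type relyingParty struct { // the service stores public keys only: nothing to steal or replay
	origin  string
	pubKeys map[string]ed25519.PublicKey
}
func register(rp *relyingParty, user string) *authenticator {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rp.pubKeys[user] = pub // only the public half is sent to the service
	return &authenticator{priv: priv}
}
func (a *authenticator) sign(challenge []byte, browserOrigin string) assertion { // browserOrigin: site the user really opened
	cdJSON, _ := json.Marshal(clientData{Challenge: challenge, Origin: browserOrigin})
	h := sha256.Sum256(cdJSON)
	return assertion{cdJSON, ed25519.Sign(a.priv, h[:])}
}
func (rp *relyingParty) verify(user string, challenge []byte, as assertion) bool {
	var cd clientData
	if json.Unmarshal(as.ClientDataJSON, &cd) != nil || cd.Origin != rp.origin || !bytes.Equal(cd.Challenge, challenge) {
		return false // malformed, wrong origin (phishing relay) or stale/replayed challenge
	}
	h := sha256.Sum256(as.ClientDataJSON)
	pub, ok := rp.pubKeys[user]
	return ok && ed25519.Verify(pub, h[:], as.Signature)
}
func Demo() (genuine, relayed bool) { // reports whether a genuine and a relayed (phished) login are accepted
	rp := &relyingParty{origin: "https://login.example.com", pubKeys: map[string]ed25519.PublicKey{}}
	auth := register(rp, "alice")
	c := make([]byte, 32)
	rand.Read(c) // fresh per-login challenge
	genuine = rp.verify("alice", c, auth.sign(c, "https://login.example.com"))
	// constructed attacker scenario: the same challenge forwarded from a look-alike domain
	relayed = rp.verify("alice", c, auth.sign(c, "https://login-example.com.evil.test"))
	return
}
func main() { fmt.Println(Demo()) } // prints: true false
```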

Organisations must learn from the recent attacks on retailers and understand that once Scattered Spider moves on from aviation and insurance, it could be their sector next. It’s time to move beyond passwords, implement rigorous access control processes and adopt authentication standards that reflect the realities of today’s threat landscape. It’s time to stop admiring the password problem. Let’s fix it.
