Cyber Heist in Las Vegas: MGM Under Attack

Morning!
If you didn’t know, MGM Resorts and Casinos has been under cyber attack for the past few weeks. Let’s talk about it.
What Went Down
On September 11th, MGM Resorts International, a hospitality and entertainment giant, declared a "cybersecurity issue." But this was no ordinary glitch; it was a full-scale cyberattack that crippled MGM's operations for days.
Guests found themselves in extremely long check-in lines. With systems down they had to find a hotel employee to physically key them in every time they left their hotel room. Even food, beverage, ATMs and free play credits were off the table.
Who Did It?
The culprits go by the name "Scattered Spider". These hackers, believed to be young and Western-based, specialize in social engineering. They are exceptionally skilled at vishing (voice phishing), which involves manipulating victims over the phone, often by impersonating someone they trust.
Another group called ALPHV, or BlackCat, played a role in this attack, providing ransomware-as-a-service. While these groups may not have the fame of movie heist experts like Ocean's Eleven, their real-world impact is undeniable.
How MGM got GOT
Now check this out: Scattered Spider's entry point to MGM's systems was a simple 10-minute phone call. They impersonated an employee after finding their information on LinkedIn. In a matter of minutes, they convinced MGM's IT help desk to provide the credentials needed to wreak havoc.
The attack on MGM highlights the underestimated power of social engineering, a technique that targets the weakest link in the cybersecurity chain—people. Scattered Spider exploited publicly available information and persuasive phone skills to breach MGM's defenses.
The Dangers of Social Engineering
More than 90% of cyberattacks begin with phishing, a tactic often bolstered by social engineering. Ransomware attacks, like the one on MGM, are no longer unusual; they've disrupted industries worldwide. But vishing, which involves human interaction, remains a potent yet overlooked threat.
Successful vishing attacks rely on knowing enough about a target to pull off an impersonation convincingly. Attackers exploit publicly available data, like LinkedIn or Facebook profiles, to gather intelligence. Organizations with lax verification processes become prime targets. Often, companies prioritize training against email-based threats like phishing but overlook vishing.
The Cost of Cyberattacks
The price of cyberattacks extends beyond the immediate disruption. MGM Resorts International faced immense operational challenges, and its customers felt the brunt of the attack. So the impact isn't just financial; it erodes trust, disrupts lives, and underscores the pressing need for robust cybersecurity measures.
Wrapping Up
As we wrap up this edition of "Don't Get Got", the MGM cyberattack reminds us that cybersecurity isn't just about firewalls and encryption; it's about understanding the human element. Social engineering tactics like vishing are powerful and can compromise even the most fortified defenses.
Be careful with the information you share online, use strong, unique passwords, and enable multi-factor authentication. Verify identities before sharing sensitive information and be cautious about unsolicited communications. We’ll never fully eliminate cyber threats, but by staying informed, we can minimize their impact.
Verify & Don't Get Got
P.S. Your experiences matter. If you've encountered a scam or have insights to share, we invite you to connect with us. Let's build a community that stands against cyber threats.