The Chaotic and Cinematic MGM Casino Hack
Did the renowned casino chain MGM Resorts wager with customer information? A week after a cyberattack brought down a majority of MGM’s systems, many of these customers are likely asking themselves this question. And if reports citing the hackers themselves are to be believed, it may have all begun with a telephone call.
How the MGM casino hack unfolded
MGM, which owns more than two dozen hotel and casino properties around the world and an online sports wagering division, reported on September 11 that a “cybersecurity issue” was affecting some of its systems, which it shut down to “protect our systems and data.” Several days later, it was reported that everything from hotel room digital keys to gambling machines was inoperable. Even websites for its numerous properties were temporarily unavailable.
Guests were forced to wait in hours-long lines to check in and receive tangible room keys, as well as receive handwritten receipts for casino winnings, as the company switched to manual mode to remain operational. MGM Resorts did not respond to a request for comment and has only posted vague references to a “cybersecurity issue” on Twitter/X, assuring guests that the company was working to rectify the issue and that its resorts would remain open.
As these attacks demonstrate, even massive casino chains that generate tens of millions of dollars per day are susceptible to cyberattacks if the criminal finds the right attack vector. And that vector is almost always a human one. In this instance, it appears that publicly available information and a convincing phone manner were sufficient for the hackers to gain access to MGM’s systems and cause what is likely to be a very costly mess for the resort chain and many of its guests.
Spiders and Cats: who is claiming the MGM casino hack
It is believed that a group known as Scattered Spider was responsible for the MGM intrusion, and that it employed ransomware created by ALPHV or BlackCat, a ransomware-as-a-service operation. Scattered Spider specializes in social engineering, in which attackers manipulate victims into undertaking specific actions by impersonating individuals with whom the victim has a relationship. According to reports, the hackers are particularly adept at “vishing,” or obtaining access to systems via a convincing phone call as opposed to phishing, which is conducted via email.
Members of Scattered Spider are believed to be in their late teens and early twenties, based in Europe and possibly the United States, and fluent in English, which makes their vishing attempts significantly more convincing than, for example, a contact from someone with a Russian accent and limited English proficiency. In this instance, it appears that hackers obtained an employee’s information from LinkedIn and impersonated them in a call to MGM’s IT help center in order to obtain access credentials and infect the systems.
According to a subsequent Bloomberg report citing an executive from the cybersecurity company Okta, the support desk was also the target of a successful social engineering attack. Okta is a client of MGM, and the company has been assisting MGM following the attack, according to the report.
Someone purporting to be a representative of Scattered Spider told the Financial Times that the organization stole and encrypted MGM’s data and is demanding payment in cryptocurrency to decrypt it. The group initially intended to infiltrate the company’s slot machines but was unable to do so, according to the representative.
If you believe that we are in the midst of a remake of Ocean’s 13, you should be aware that this may not be the case. ALPHV/BlackCat refutes portions of these allegations, most notably the attempt to hack slot machines. The group posted a message on September 14 claiming responsibility for the attack but denying that adolescents in the United States and Europe were responsible or that anyone attempted to tamper with slot machines.
It also criticized what it deemed to be inaccurate reportage on the breach and stated that it had not officially spoken to anyone about the breach and “most likely” would not do so in the future. The message stated that MGM’s data had been compromised, but the company has refused to engage with the hackers or pay a ransom.
It appears that MGM was not the only casino chain to experience a cyberattack recently. Caesars Entertainment paid millions of dollars to hackers who compromised its systems around the same time as MGM in order to continue normal operations. Caesars disclosed the compromise on September 14 in a filing with the Securities and Exchange Commission, stating that an “outsourced IT support vendor” was the target of a “social engineering attack” that resulted in the theft of sensitive data pertaining to members of its customer loyalty program.
The putative representative of Scattered Spider told the Financial Times that the group was not responsible for the attack, despite the fact that the method is very similar to those allegedly employed by Scattered Spider and that it occurred around the same time as MGM’s. Nonetheless, another group appears to deny that Scattered Spider was responsible for any of the attacks, or at least that the reported events are inaccurate.
Why vishing succeeds
Although we do not yet have confirmation of who or how MGM was attacked, the alleged method, vishing, is a well-known cyberthreat that many organizations have not adequately protected themselves against. As with all social engineering techniques, vishing, a portmanteau of “voice” and “phishing,” targets the vulnerable link in the cybersecurity chain: us. More than ninety percent of cyberattacks begin with phishing, and it is also one of the most common methods by which organizations are compromised. And vishing is an especially effective offensive method: Targeted phishing attacks that included phone calls in 2022 were found to be three times more effective than those that did not.
Peter Nicoletti, global chief information security officer of cybersecurity company Check Point Software, told Vox, “There is always a back door, and even the best defenses and the most expensive tools can be fooled by a single good social engineering attack.”
Today, ransomware attacks are not uncommon. They’ve shut down key gas pipelines, banks, hospitals, schools, meat producers, governments, and journalism outlets. You would be hard-pressed to locate an industry or sector that hasn’t experienced a ransomware attack at this point. “Vishing,” on the other hand, is a technique that has not received nearly as much attention, but we may see a great deal more of it in the future.
“What we’re seeing, especially in the new age of artificial intelligence, is that attackers are leveraging not only the hacked information they find about you, but also all of your social profile information,” Nicoletti said.
IBM’s “chief people hacker” Stephanie Carruthers employs social engineering to test client organizations’ systems for potential vulnerabilities. This includes vishing, so she has a front-row seat to how it can be utilized to obtain access to a target.
“From the perspective of the attacker, vishing is simple,” she told Vox. “With phishing, I have to build up infrastructure, I have to craft an email and do all these extra technical things. Vishing, on the other hand, involves contacting someone and requesting a password reset. It’s a fairly easy task.”
One of the keys to a successful vishing attack is having sufficient knowledge of a target system, company, or employee to successfully impersonate them. You can learn a great deal about individuals and organizations from publicly available information, including the identities of companies’ high-value targets.
“It makes the job of an attacker so much easier,” Carruthers stated. This is the first stage in creating a successful vish: utilizing LinkedIn and other people-search engines. From there, the perpetrator can employ additional social engineering techniques, such as imbuing a request with a sense of authority or urgency. Organizations with insufficient verification procedures to confirm the caller’s identity are particularly vulnerable. Carruthers continued, “This is something that occurs frequently.”
Companies frequently ignore vishing in employee cybersecurity training, and they do not require individuals like Carruthers to test for vishing vulnerabilities, as they do for phishing. A highly publicized assault such as MGM’s could alter this. However, it may also contribute to an increase in vishing attacks as other hackers observe its success.
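The weak point the article keeps returning to is the help desk’s caller-verification step: a reset handed out on the strength of details anyone can read off a public profile. The following is an added example, written for this article and not MGM’s, Okta’s, or any vendor’s actual procedure, of how a help-desk reset gate can be encoded so that the decision depends on something the caller cannot supply (a callback to the number already on file) and so that privileged accounts and MFA re-enrollment never complete on a single phone call. The account directory and request fields are constructed for illustration.

```python
"""Help-desk credential-reset gate: a defensive model of the caller-verification
step the article says many organizations lack.

Constructed example for this article; not MGM's, Okta's, or any vendor's real
procedure. The directory and request data below are made up for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple


class Decision(Enum):
    APPROVE = "approve"
    DENY = "deny"
    ESCALATE = "escalate"  # hand to a second person / manager approval


@dataclass
class AccountRecord:
    username: str
    phone_on_file: str          # enrolled before the request; never taken from the caller
    privileged: bool = False    # admins, identity-provider operators, etc.


@dataclass
class ResetRequest:
    username: str
    channel: str                      # "phone", "in_person", ...
    callback_number_used: str         # number the agent actually called back
    callback_confirmed: bool          # caller answered the callback and confirmed
    wants_mfa_reenroll: bool = False  # asks to move MFA to a new device
    caller_supplied_number: bool = False  # agent used a number the caller recited


# Constructed directory of hypothetical accounts
DIRECTORY: Dict[str, AccountRecord] = {
    "jdoe": AccountRecord("jdoe", "+1-555-0100"),
    "it-admin": AccountRecord("it-admin", "+1-555-0199", privileged=True),
}


def evaluate_reset(req: ResetRequest, directory=DIRECTORY) -> Tuple[Decision, str]:
    """Return (decision, reason) for a credential-reset request.

    The rules encode three defensive principles:
      1. Verification is out-of-band: call back the number already on file,
         not one the caller recites, so public profile data alone is not enough.
      2. Privileged accounts and MFA re-enrollment never complete on one call;
         a second person must approve.
      3. Anything unverifiable is denied (and, in a real system, logged).
    """
    acct = directory.get(req.username)
    if acct is None:
        return Decision.DENY, "unknown account"

    if req.channel != "phone":
        # In-person or other channels follow their own identity checks
        return Decision.ESCALATE, "non-phone channel: route to standard process"

    if req.caller_supplied_number or req.callback_number_used != acct.phone_on_file:
        return Decision.DENY, "callback not made to the number on file"

    if not req.callback_confirmed:
        return Decision.DENY, "callback not confirmed"

    if acct.privileged:
        return Decision.ESCALATE, "privileged account: requires second-person approval"

    if req.wants_mfa_reenroll:
        return Decision.ESCALATE, "MFA re-enrollment: requires second-person approval"

    return Decision.APPROVE, "out-of-band callback verified"


if __name__ == "__main__":
    # A caller who knows the employee's name and a plausible story, but whose
    # "call me back on this number" request is followed, is denied.
    print(evaluate_reset(ResetRequest("jdoe", "phone", "+1-555-0777", True,
                                      caller_supplied_number=True)))
    print(evaluate_reset(ResetRequest("jdoe", "phone", "+1-555-0100", True)))
```

The point of the design is that the agent never has a code path in which information recited by the caller (name, title, a phone number, an urgent story) is sufficient on its own; the only approving branch requires a confirmed callback to a pre-enrolled number, and the higher-risk operations always add a second person.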
So, how can you safeguard yourself? When it comes to attempts to vish you personally, the same general principles about being cautious about what information you share and with whom you share it apply. Avoid disclosing your login credentials and passwords, and be wary of your publicly available information, as it may be used against you (or to impersonate you in order to deceive someone else). Verify the identity of individuals before engaging with them. Use unique passwords for each of your accounts so that if someone gains access to one, they cannot access the others, and use multi-factor authentication as an additional layer of security.
In this instance, however, there is little people can do when a company they entrusted with their data did not have adequate systems in place to secure it, as the majority of companies do not. However, there are steps they can take after the fact to mitigate any potential damage. Nicoletti advises MGM customers to verify their bank statements to see if their debit card numbers were compromised, and if so, to request a new card. Additionally, he warns MGM customers to be particularly wary of emails purporting to be from the company, in case the hackers obtained their email addresses. And under no circumstances should you click on any URLs or provide credentials when prompted.
Carruthers advises MGM customers to be on the alert for strange credit card charges. She also suggests they consider freezing their credit, which is free and simple to do and prevents identity fraudsters from opening credit cards in their name.