Wednesday, January 15, 2025
Homecyber securityScattered Spider Attacking Finance & Insurance Industries WorldWide

Scattered Spider Attacking Finance & Insurance Industries WorldWide

Published on

Hackers very frequently target the finance and insurance sectors due to the large volumes of sensitive data that they own.

These areas manage huge quantities of valuable as well as critical financial information, personal identities, and intellectual property.

When their system is breached, threat actors may be able to access bank accounts or credit card details and other key exploitable information to manipulate it for financial gain through extortion or fraud.

Moreover, considerable ransom requests can be made using these critically important areas where their operations are interfered with.

Cybersecurity researchers at Resilience recently discovered that Scattered Spider has been actively attacking the finance and insurance industries worldwide.

Scattered Spider

The Scattered Spider, a group of hackers that has gained fame from breaching the likes of MGM and Caesars Casino, has now widened its attack to insurance companies and banks.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers 

For instance, they may use misleading domains that are almost indistinguishable from the real ones, timed to strike at the most opportune time and use forceful aggressive attacks that last for only a few hours. 

They even go as far as swapping SIM cards to gain remote control over targeted systems consequently emphasizing the urgency for robust impersonation defenses against phishing and credential thefts.

BlackCat (also known as AlphV), which is an affiliate of some other relentless group in no way loses its threatening quality with more than 30 victims so far in government agencies, this means defenders should be more vigilant.

Scattered Spider, the Advanced Persistent Threat group, has been pursuing attacks motivated by finances since 2022.

For SIM-swapping capabilities, this bold rival first targeted telecommunications companies before going ahead to contact victims directly in an effort to get socially engineer access.

By 2023, they had switched their focus to partnering with BlackCat ransomware creators making it possible to successfully breach Caesars Entertainment and MGM Resorts which are some of the most important targets.

There is a recent strategy change in Scattered Spider’s campaigns which now involve an intricate selection process that only goes for high-value organizations on the corporate level instead of taking advantage of any available target.

These crafty groups’ multi-tiered tactics still keep telecom providers at the inlet, which necessitates constant alertness, reads the Resilience Report.

Scattered Spider has the bold strategy of buying look-alike domains to impersonate victims such as “victimname-sso.com” where they host fake Okta login pages.

telynyx Okta phishing site (Source – Resilience)

These phishing sites have uncouth fingerprints, a “Need help?” that links to a real Okta subdomain but with a wrong name, and form submissions going towards “/f*ckyou.php.” 

Believed to be part of Star Fraud or The Com hacker community notorious for their illicit actions, Scattered Spider is said to have used an offending named Telegram channel in data extraction. 

Charter Communications Okta phishing page (Source – Resilience)

Starting by targeting telecoms initially, this group has gone rogue into food, insurance, retail, technology, and gaming industries as shown by their recent attack on Charter Communications using charter-vpn.com domains.

Asurion CMS phishing page and Asurion Okta phishing page (Source – Resilience)

Scattered Spider has been identified with a spearfishing campaign that exploited lookalike domains, and fraudulent CMS login pages titled “CMS Dashboard Login” masquerading as Okta campaigns and lasted for 12-48 hours before targeting the same organizations.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Google’s “Sign in with Google” Flaw Exposes Millions of Users’ Details

A critical flaw in Google's "Sign in with Google" authentication system has left millions...

Hackers Attacking Internet Connected Fortinet Firewalls Using Zero-Day Vulnerability

A widespread campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces on the...

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...

CISA Released A Free Guide to Enhance OT Product Security

To address rising cyber threats targeting critical infrastructure, the U.S. Cybersecurity and Infrastructure Security...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Google’s “Sign in with Google” Flaw Exposes Millions of Users’ Details

A critical flaw in Google's "Sign in with Google" authentication system has left millions...

Hackers Attacking Internet Connected Fortinet Firewalls Using Zero-Day Vulnerability

A widespread campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces on the...

RedCurl APT Deploys Malware via Windows Scheduled Tasks Exploitation

Researchers identified RedCurl APT group activity in Canada in late 2024, where the attackers...