A version of this article exists on rAVe [PUBS], written by @Paul Konikowski.

On Sept. 11, 2023, a number of MGM resorts and casinos were simultaneously disrupted by ransomware and data extortion attackers, costing the company $100 million, according to AP News. Caesar’s Entertainment was also attacked, which the Wall Street Journal reported resulted in the company paying roughly half of the $30 million demanded. 

The resorts and casinos were attacked by the Scattered Spider, aka Roasted 0ktapus, aka Muddled Libra, part of the larger ALPHV ransomware group, BlackCat. No, this is not another “Oceans…[number]” film or animated action hero comic book movie. This is Cybersecurity Awareness 101. Take out your pens and pencils, and let’s get started.

According to the cyberattackers, they initially gained access to the MGM computer networks by misleading the IT help desk personnel into resetting their passwords. They did this by looking up an MGM employee on LinkedIn and then calling the help desk asking for a password reset. The initial attack vector had nothing to do with artificial intelligence; it was a basic social engineering attack over the telephone.

It is important to train your staff to be competent using the telephone, even if they “don’t like phone calls.” They need to be able to detect social engineering of all forms, not just email phishing scams. Users need to know about phone phishing scams, vishing, and social engineering using text messages, which is known as SMS phishing or smishing.

Vishing, or voice phishing, is a form of attack that attempts to trick victims into giving up sensitive personal information over the phone. And it can happen to anyone, so it is important to be aware of them. Vishing is not an aspect of the past, but still a huge threat today. Learn more by watching this video here.  

Interested in more tips on how to develop a strong cybersecurity and privacy learning program that keeps your staff vigilant about social engineering scams? Read the rest of Konikowski's article here.