Scattered Spider targets finance and insurance firms with lookalike domains and fake login pages, conducting rapid, short-lived campaigns to steal credentials and assets. They also deploy SIM swapping to gain broader access to sensitive corporate data, prompting defenders to monitor lookalikes and train staff to spot credential theft attempts. #ScatteredSpider #0ktapus #SIMswap #Okta #MGMResorts #CaesarsEntertainment
Keypoints
- Scattered Spider uses lookalike domains and login pages to target finance and insurance industries.
- The group is linked to attacks on MGM Resorts and Caesars, expanding to 30+ companies across multiple sectors.
- Campaigns are rapidly executed with infrastructure deployed quickly and attacks lasting only a few hours.
- SIM swapping attacks are used to potentially gain complete access to sensitive corporate data and assets.
- Okta and CMS phishing campaigns rely on lookalike domains and fake login pages to harvest credentials.
- Defenders should monitor lookalike domains and train employees to spot phishing and credential-stealing attempts.
MITRE Techniques
- [T1566.003] Spearphishing via Service – Scattered Spider conducts spear phishing campaigns using lookalike domains of their targets with fake Okta login pages. Quote: ‘Scattered Spider conducts spear phishing campaigns using lookalike domains of their targets with fake Okta login pages.’
- [T1583] Acquire Infrastructure – The group rapidly deploys infrastructure and runs disciplined attacks lasting only a few hours. Quote: ‘rapidly deploying infrastructure and disciplined attacks lasting only a few hours.’
- [T1078] Valid Accounts – Credential phishing is followed by SIM swapping attacks that potentially give complete access to sensitive corporate data and assets. Quote: ‘We believe these attacks are followed by sim swapping attacks to potentially complete access to sensitive corporate data and assets.’
Indicators of Compromise
- [Domain] phishing domains used for Okta/CMS credential harvesting – victimname-sso[.]com (pattern: the target's name followed by -sso), telnyx-sso[.]com
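As an added defensive example (not code from the report or its author), the scanner below implements the "monitor lookalike domains" keypoint against the IoC pattern above: it walks a feed of newly observed domains, refangs them, skips the organisation's own domains, flags any label that joins a brand name to an authentication keyword (the victimname-sso form), and flags exact matches against the published IoC. Brand tokens, the allowlist and the feed lines are constructed; the one-character near-miss rule goes slightly beyond the report's exact brand-sso form.

```python
"""Lookalike-domain monitor for the brand-sso pattern. Added example; brand tokens,
owned domains and the feed are constructed, only telnyx-sso[.]com is from the report."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

# Constructed: the defender's own brand tokens and legitimately owned apex domains.
BRAND_TOKENS = ("acmeinsure", "acmelife")
OWN_DOMAINS = ("acmeinsure.com", "acmelife.com")

# Published IoC from the report, kept defanged. victimname-sso[.]com is a pattern
# rather than a literal domain and is covered by the brand rules below.
KNOWN_BAD = frozenset({"telnyx-sso[.]com"})

# Authentication keywords that Okta-themed lookalikes attach to a brand name.
AUTH_KEYWORDS = ("sso", "okta", "login", "signin", "auth")


@dataclass(frozen=True)
class Match:
    domain: str   # refanged, lower-case
    reason: str   # why the domain was flagged


def refang(domain: str) -> str:
    """Normalise defanged notation such as example[.]com to plain example.com."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


KNOWN_BAD_REFANGED = frozenset(refang(d) for d in KNOWN_BAD)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used for the one-character near-miss rule."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_own_domain(domain: str, own: Iterable[str] = OWN_DOMAINS) -> bool:
    """True for the organisation's own apex domains and any of their subdomains."""
    return any(domain == o or domain.endswith("." + o) for o in own)


def _cores(label: str) -> Iterator[tuple[str, Optional[str]]]:
    """Yield the label itself, then the label with an auth keyword stripped from either end."""
    yield label, None
    for kw in AUTH_KEYWORDS:
        if len(label) > len(kw) and label.endswith(kw):
            yield label[: -len(kw)].rstrip("-"), kw
        if len(label) > len(kw) and label.startswith(kw):
            yield label[len(kw):].lstrip("-"), kw


def label_reason(label: str, brands: Iterable[str] = BRAND_TOKENS) -> Optional[str]:
    """Explain why one DNS label imitates a brand (exactly or within one edit), else None."""
    for brand in brands:
        for core, kw in _cores(label):
            suffix = f" joined with auth keyword '{kw}'" if kw else ""
            if core == brand:
                return f"brand '{brand}'{suffix}"
            # One edit of slack only for brands long enough not to collide with ordinary words.
            if len(brand) >= 6 and edit_distance(core, brand) == 1:
                return f"near-miss of brand '{brand}'{suffix}"
    return None


def classify(raw_domain: str) -> Optional[Match]:
    """Return a Match for a lookalike or known-bad domain, or None for anything benign."""
    domain = refang(raw_domain)
    if domain in KNOWN_BAD_REFANGED:
        return Match(domain, "matches published IoC")
    if is_own_domain(domain):
        return None
    for label in domain.split("."):
        reason = label_reason(label)
        if reason:
            return Match(domain, reason)
    return None


def scan(feed: Iterable[str]) -> list[Match]:
    """Run classify() over a feed of newly observed domains and keep only the hits."""
    return [m for m in (classify(d) for d in feed) if m]


# Constructed feed of newly observed domains (a CT-log or new-registration export in practice).
SAMPLE_FEED = [
    "sso.acmeinsure.com",        # legitimate subdomain of an owned apex: allowlisted
    "acmeinsure-sso[.]com",      # the report's victimname-sso[.]com pattern, defanged
    "acmeinsuresso.net",         # keyword glued on without a hyphen
    "okta-acmelife.com",         # keyword placed in front of the brand
    "acmeinsur-sso.com",         # one character dropped from the brand
    "acmeinsure.evil-host.net",  # brand reused as a subdomain label elsewhere
    "telnyx-sso[.]com",          # published IoC
    "acmebank.com",              # shares a prefix but is not a brand lookalike
    "weather.example.org",       # unrelated
]

if __name__ == "__main__":
    for m in scan(SAMPLE_FEED):
        print(f"{m.domain:28} {m.reason}")
```

In production the feed would come from certificate-transparency logs or a new-registration service, and hits would be pushed to the SOC for takedown requests and for user-awareness messaging about the specific domains in play.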