cyber resilience framework
Threatonomics

Resilience Threat Researchers Identify New Campaigns from Scattered Spider

Flashy hacks like MGM got our attention, but Scattered Spider is still here, and targeting insurance companies

by Resilience Threat Intelligence
Published

Following their attacks on MGM and Caesars’ casinos, threat actor group Scattered Spider is believed to be behind attacks on multiple companies in the finance and insurance industries. Using convincing lookalike domains and login pages as well as efficiently timed attacks, the group is aggressively targeting a wider array of companies. We have also observed Scattered Spider target over 30 companies, and they continue to launch attacks, rapidly deploying infrastructure and disciplined attacks lasting only a few hours.

We believe these attacks are followed by sim swapping attacks to potentially complete access to sensitive corporate data and assets. Defenders should monitor lookalike domains and train employees to spot phishing and credential stealing attacks.

Executive Summary 

Scattered Spider (aka 0ktapus, UNC3944, Roasted Oktapus, Scatter Swine, Octo Tempest, and Muddled Libra) is a financially motivated threat actor group active since May 2022[1][2]. Researchers attributed the hacks of MGM and Caesars’ casinos to Scattered Spider, indicating that the group is a BlackCat/AlphV affiliate[3]. We assess Scattered Spider to be native English-speaking threat actors who launch campaigns that feature adversary-in-the-middle (AiTM), social engineering, and SIM-swapping techniques. Throughout 2023, the group was increasingly aggressive and broadened its industry targeting. Since late 2023, Scattered Spider has targeted the Food Services, Insurance, Retail, Tech, and Video Game industries with fake Okta and CMS login pages.

Key Takeaways

  • Scattered Spider uses lookalike domains to conduct phishing attacks.
  • Scattered Spider targets their victims with fake Okta and CMS pages. 
  • Regularly check for and monitor lookalike domains.
  • Train employees to identify lookalike domains and sign-in pages.
  • Educate employees about targeted phishing, smishing, and fishing.

Background on Scattered Spider

Scattered Spider is an Advanced Persistent Threat (APT) group that has conducted financially motivated attacks since early 2022[1]. During their first year of operation, they primarily targeted telecommunication firms to gain access to cellular account systems to conduct SIM swaps against other targets[2]. The group is unique in its cavalier contact with victims; Scattered Spider is known to call employees at victim organizations to socially engineer them [2]. During the summer of 2023 Scattered Spider changed their targeting and began working with BlackCat/ALPHV to ransom large, lucrative companies like Caesars Entertainment and MGM Resorts[3]. Scattered Spider has continued targeting large corporations and telecommunication providers, but they are unique in targeting specific victims instead of opportunistically attacking them[3]. 

OKTA Campaigns

Scattered Spider conducts spear phishing campaigns using purchased lookalike domains of their targets and uses them to host fake Okta login pages. In a November 2023 CISA report, the FBI disclosed that they had seen Scattered Spider use phishing domains in the format of “`victimname-sso[.]com“`, “`victimname-servicedesk[.]com“`, and “`victimname-okta[.]com“`. 

Pivoting from this information, we discovered other Okta phishing sites that used the same Tactics, Techniques, and Procedures (TTPs) as the sites seen by CISA and the FBI. Our first lead was “telnyx-sso[.]com“`, which briefly hosted an Okta phishing page on October 10th, 2023. Analysts at Silent Push[4] also attributed this site to Scattered Spider. 

Source: Screenshot of the telynyx Okta phishing site

This first page provided us with two key fingerprints. The first is a vulgar link that exists within almost all of these phishing pages, the “Need help signing in?” link takes the user to “`https://n*gg*[.]okta[.]com/help/login“` (The domain has been censored with asterisks due to the hateful language it contains). This link takes users to a real Okta subdomain that hosts Okta help documentation. It is unclear if Scattered Spider registered this subdomain and why after six months, it has not been taken down by Okta. The second identifiable fingerprint we found is that the form on these phishing pages sends a POST request to “`/f*ckyou[.]php“`(The domain has been censored with asterisks). This was seen across all of the Okta phishing pages we discovered over the past six (6) months that were a part of this campaign. 

These fingerprints and the pages found with them match what we know about Scattered Spider. The group is mainly comprised of brazen teens and young adults suspected of being members of the Star Fraud group [5]. This group is connected to a larger loosely affiliated criminal community called The Com. This community has recently made headlines due to the vulgar and violent nature of some of its members [6][7]. A report from Group-IB also claims that Scattered Spider also used a phishing kit that extracted data to a telegram chat called “`₿ Bored N*gg*s INC ₿“` (The telegram channel name has been censored with asterisks due to the hateful language it contains) [8]. The vulgarity displayed in the creation of this campaign fits well with the general culture of Star Fraud and The Com.

As this campaign continues into 2024, it became apparent that Scattered Spider has expanded its targeting to the Food Services, Insurance, Retail, Tech, and Video Game industries in addition to its usual Telecom targets. A recent attack occurred on April 4th, 2024, and targeted Charter Communications with the domains “charter-vpn[.]com“` and “chartervpn[.]com“`. 

Source: Charter Communications Okta phishing page


CMS Campaigns

Resilience has attributed the following campaign to Scattered Spider due to its strong overlap in targeting, TTPs, infrastructure, and timeline. This spearphishing campaign uses lookalike domains of their targets with fake CMS login pages. These pages all contain the HTML title CMS Dashboard Login and follow a domain naming scheme similar to the Okta campaign. We have repeatedly seen these pages used to target the same organization as the Okta login pages within 12-48 hours.

Source: Asurion CMS phishing page and Asurion Okta phishing page

Domain Formats

Through our research and tracking of Scattered Spider, we have found that they are now using other similar naming schemes. In the most recent attacks we’ve discovered over the past six months, all these domains have hosted fake Okta Sign-In pages with the following domain name formats:

victimname-sso[.]comvictimname-servicedesk[.]comvictimname-okta[.]com
victimname-vpn[.]comvictimname-hr[.]comvictimname-hrs[.]com
victimnamevpn[.]comconnect-victimname[.]comvictimnameplus[.]com
victimnameLt[.]comon-victimname[.]comvictimname-corp[.]com
victimname-usa[.]comvictimnameworkspace[.]comvictimnamecorp[.]com
victimnamework[.]comvictimnamedev[.]comvictimname-dev[.]com

Other commonalities we have found in Scattered Spiders phishing pages is:

OS: Ubuntu
Software: Nginx and Apache
Hosting Companies: Digital Ocean, Hostinger, BL Networks (BLNWX), The Constant Company (AS-CHOOPA), Namecheap
Domain Registrars: NiceNIC, Registrar.eu, Namecheap
TLS Certs: R3 (Let’s Encrypt), Sectigo (Namecheap free TLS cert)

Detecting Lookalike Domains

Thanks to open-source developers, any security analyst or system administrator can use simple web-based and command-line tools to discover and monitor lookalike domain names. One popular tool is dnstwist(https://github.com/elceef/dnstwist), which provides an automated workflow for finding new domains pretending to be your organization. We also recommend that organizations train their employees about lookalike domains and how to spot phishing pages that use identical-looking images and logos.

You can find our IOCs for Scattered Spider lookalike domains on our GitHub.

Citations

[1]https://www.trellix.com/blogs/research/scattered-spider-the-modus-operandi/
[2]https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/
[3]https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
[4]https://www.silentpush.com/blog/scattered-spider/
[5]https://www.reuters.com/technology/cybersecurity/fbi-struggled-disrupt-dangerous-casino-hacking-gang-cyber-responders-say-2023-11-14/
[6]https://www.vice.com/en/article/y3wwj5/bloodied-macbooks-stacks-of-cash-inside-the-comm-discord-servers
[7]https://www.404media.co/inside-the-com-world-war-robberies-brickings-and-drama/
[8]https://www.group-ib.com/blog/0ktapus/

This material is provided for informational purposes only. Accordingly, this material should not be viewed as a substitute for the guidance and recommendations of a trained professional. Additionally, Arceo Labs, Inc. d/b/a Resilience does not endorse any coverage, systems, processes, or protocols addressed herein. Any references to non-Resilience Websites are provided solely for convenience, and Resilience disclaims any responsibility with respect to such Websites. To the extent that this material contains any examples, please note that they are for illustrative purposes only. Additionally, examples are not intended to establish any standard of care, to serve as legal advice appropriate for any factual situation, or to provide an acknowledgment that any factual situation is covered by Resilience products. This material is not intended as a solicitation of insurance coverage.

You might also like

Contrasting and comparing FAIR with the Resilience solution

As market awareness of cyber risk quantification grows, we frequently receive questions from clients and curious risk managers about FAIR (Factor Analysis of Information Risk)—what it is, whether it truly provides accurate cyber risk quantification, the effort needed to set it up and maintain, and more. Clients often ask us to compare the FAIR methodology […]

How does Resilience establish the probabilities presented in my LEC?

Managing risk successfully at any level requires an understanding of a concept called “probability.” As both an insurance company (risk transfer) and a cyber risk management company, Resilience relies on understanding probabilities to price our services and to guide our clients to greater levels of cyber resilience. As we often receive questions from our clients […]

Moving beyond heat maps for better risk management

Heat maps are among the most widely used—and debated—tools for risk managers worldwide to communicate risks in their registries or project portfolios. Despite their popularity, we advise leaders seeking transparency in discussing risk and value to avoid relying on them. What are heat maps? Risk managers often use heat maps (or risk matrices) to represent […]

Breaking Lemonade: Understanding Value at Risk

I talk a lot about value-at-risk among my colleagues, with our customers, and the broader market. Value-at-risk may be the single most important measure to grasp, without which one cannot accurately measure risk transfer, excess risk, risk acceptance, and return on controls. Yet, these are all important concepts that leadership in modern organizations need to […]

Would you fall for a live deepfake?

The Office of Senate Security revealed last week that the head of the Senate Foreign Relations Committee was targeted in a deep fake video call. An unknown person, claiming to be the former Ukrainian Minister of Foreign Affairs, Dmytro Kuleba, lured the Senator onto a Zoom call. The attack was thwarted when the Senator and […]

Artificial Intelligence for Cyber Resilience

AI tools are shifting the calculus for cyber defense by enhancing key areas such as vulnerability mapping, breach detection, incident response, and penetration testing. This integration could help an organization bolster its cyber resilience against an ever-evolving threat landscape. AI tools could automate the discovery and monitoring of vulnerabilities, providing real-time updates of an organization’s […]