
Resilience Threat Researchers Identify New Campaigns from Scattered Spider

Flashy hacks like MGM got our attention, but Scattered Spider is still here, and targeting insurance companies

by Resilience Threat Intelligence

Following their attacks on the MGM and Caesars casinos, the threat actor group Scattered Spider is believed to be behind attacks on multiple companies in the finance and insurance industries. Using convincing lookalike domains and login pages, and attacks timed for maximum effect, the group is aggressively targeting a wider array of companies. We have observed Scattered Spider target more than 30 companies, and the attacks continue: infrastructure is deployed rapidly, and each disciplined operation lasts only a few hours.

We believe these phishing attacks are followed by SIM-swapping attacks, which let the actor intercept SMS-delivered one-time codes, to complete access to sensitive corporate data and assets. Defenders should monitor for lookalike domains and train employees to spot phishing and credential-stealing attacks.

Executive Summary 

Scattered Spider (aka 0ktapus, UNC3944, Roasted Oktapus, Scatter Swine, Octo Tempest, and Muddled Libra) is a financially motivated threat actor group active since May 2022[1][2]. Researchers attributed the hacks of the MGM and Caesars casinos to Scattered Spider and assess the group to be a BlackCat/ALPHV affiliate[3]. We assess Scattered Spider to be native English-speaking threat actors whose campaigns feature adversary-in-the-middle (AiTM) phishing, social engineering, and SIM swapping. Throughout 2023 the group grew increasingly aggressive and broadened its industry targeting. Since late 2023, Scattered Spider has targeted the Food Services, Insurance, Retail, Tech, and Video Game industries with fake Okta and CMS login pages.

Key Takeaways

  • Scattered Spider uses lookalike domains to conduct phishing attacks.
  • Scattered Spider targets their victims with fake Okta and CMS pages. 
  • Regularly check for and monitor lookalike domains.
  • Train employees to identify lookalike domains and sign-in pages.
  • Educate employees about targeted phishing, smishing, and vishing (voice phishing).

Background on Scattered Spider

Scattered Spider is an Advanced Persistent Threat (APT) group that has conducted financially motivated attacks since 2022[1]. During its first year of operation it primarily targeted telecommunications firms to gain access to cellular account systems and conduct SIM swaps against other targets[2]. The group is unusual in its cavalier contact with victims: Scattered Spider is known to call employees at victim organizations to socially engineer them[2]. During the summer of 2023 Scattered Spider changed its targeting and began working with BlackCat/ALPHV to ransom large, lucrative companies such as Caesars Entertainment and MGM Resorts[3]. The group continues to target large corporations and telecommunication providers, but it is unusual in selecting specific victims rather than attacking opportunistically[3].

Okta Campaigns

Scattered Spider conducts spear-phishing campaigns using purchased lookalike domains of its targets, on which it hosts fake Okta login pages. In a November 2023 joint advisory, CISA and the FBI disclosed that they had seen Scattered Spider use phishing domains in the formats `victimname-sso[.]com`, `victimname-servicedesk[.]com`, and `victimname-okta[.]com`[3].

Pivoting from this information, we discovered other Okta phishing sites that used the same tactics, techniques, and procedures (TTPs) as the sites reported by CISA and the FBI. Our first lead was `telnyx-sso[.]com`, which briefly hosted an Okta phishing page on October 10th, 2023. Analysts at Silent Push[4] also attributed this site to Scattered Spider.

Source: Screenshot of the Telnyx Okta phishing site

This first page provided us with two key fingerprints. The first is a vulgar link that appears in almost all of these phishing pages: the “Need help signing in?” link takes the user to `https://n*gg*[.]okta[.]com/help/login` (the domain has been censored with asterisks because of the hateful language it contains). This is a real Okta subdomain that hosts Okta’s help documentation. It is unclear whether Scattered Spider registered this subdomain, or why, after six months, Okta has not taken it down. The second fingerprint is that the login form on these pages sends a POST request to `/f*ckyou[.]php` (the path has been censored with asterisks). We saw this across all of the Okta phishing pages in this campaign that we discovered over the past six months.

These fingerprints, and the pages found with them, match what we know about Scattered Spider. The group is mainly composed of brazen teens and young adults suspected of being members of the Star Fraud group[5]. Star Fraud is connected to a larger, loosely affiliated criminal community called The Com, which has recently made headlines for the vulgar and violent behaviour of some of its members[6][7]. A report from Group-IB also states that Scattered Spider used a phishing kit that exfiltrated stolen data to a Telegram chat called `₿ Bored N*gg*s INC ₿` (the channel name has been censored with asterisks because of the hateful language it contains)[8]. The vulgarity displayed in this campaign fits the general culture of Star Fraud and The Com.

As the campaign has continued into 2024, it has become apparent that Scattered Spider has expanded its targeting to the Food Services, Insurance, Retail, Tech, and Video Game industries in addition to its usual telecom targets. A recent attack, on April 4th, 2024, targeted Charter Communications with the domains `charter-vpn[.]com` and `chartervpn[.]com`.

Source: Charter Communications Okta phishing page


CMS Campaigns

Resilience attributes the following campaign to Scattered Spider based on its strong overlap in targeting, TTPs, infrastructure, and timeline with the Okta campaign. This spear-phishing campaign uses lookalike domains of the targets hosting fake CMS login pages. These pages all carry the HTML title “CMS Dashboard Login” and follow a domain naming scheme similar to the Okta campaign. We have repeatedly seen these pages used against the same organization as the Okta login pages, within 12 to 48 hours of each other.

Source: Asurion CMS phishing page and Asurion Okta phishing page
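The page-level fingerprints described in the Okta section (the “Need help signing in?” link pointing at an okta.com tenant that is not the victim’s, and the login form POSTing to a .php path on the lookalike host) together with the “CMS Dashboard Login” title make a workable check for anyone fetching suspect pages from newly seen domains. The following is an added example written for this article, not code from the original post or from Resilience, using only the Python standard library. It assumes you know your organization’s genuine Okta hostname (the `expected_okta_tenant` parameter; `example.okta.com` is a placeholder) and, because the page censors the exact PHP filename, matches on the `.php` extension rather than the name. The HTML samples, including the `some-other-tenant.okta.com` host, are constructed for illustration.

```python
"""Added example: flag fetched HTML that carries the page-level fingerprints
of the Scattered Spider Okta and CMS phishing kits described in this post.
Standard library only; the sample pages at the bottom are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LoginPageScanner(HTMLParser):
    """Collects the <title>, every <form action>, and every <a href> with
    its visible text from one HTML document."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.form_actions = []
        self.links = []          # (href, visible text)
        self._cur_link = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self.form_actions.append((a.get("action") or "").strip())
        elif tag == "a":
            self._cur_link = [a.get("href") or "", ""]

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        if self._cur_link is not None:
            self._cur_link[1] += data

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "a" and self._cur_link is not None:
            self.links.append((self._cur_link[0], self._cur_link[1].strip()))
            self._cur_link = None


def fingerprint(html, expected_okta_tenant=None):
    """Return the list of indicators that fired for one page.

    expected_okta_tenant: your org's real Okta hostname, e.g.
    'example.okta.com' (placeholder). A help link to any other okta.com
    tenant is treated as the foreign-tenant fingerprint from the post."""
    p = LoginPageScanner()
    p.feed(html)
    hits = []
    # CMS campaign: identical HTML title on every page.
    if p.title.strip() == "CMS Dashboard Login":
        hits.append("title:cms-dashboard-login")
    # Okta campaign: the kit POSTs credentials to a .php file on the lookalike
    # host. The exact filename is censored in the post, so match the extension;
    # a genuine Okta sign-in page does not submit to PHP.
    for action in p.form_actions:
        path = urlparse(action).path
        if path.lower().endswith(".php"):
            hits.append(f"form-action:php:{path}")
    # Okta campaign: help link pointing at an okta.com tenant that is not ours.
    for href, text in p.links:
        host = (urlparse(href).hostname or "").lower()
        if "help" in text.lower() and host.endswith(".okta.com"):
            if expected_okta_tenant is None or host != expected_okta_tenant.lower():
                hits.append(f"help-link:foreign-okta-tenant:{host}")
    return hits


# Constructed samples (not captured from any real site).
SAMPLE_OKTA_PHISH = """<html><head><title>Example - Sign In</title></head>
<body><form method="post" action="/login.php">...</form>
<a href="https://some-other-tenant.okta.com/help/login">Need help signing in?</a>
</body></html>"""
SAMPLE_CMS_PHISH = """<html><head><title>CMS Dashboard Login</title></head>
<body><form method="post" action="auth.php"></form></body></html>"""
SAMPLE_BENIGN = """<html><head><title>Example - Sign In</title></head>
<body><form method="post" action="/api/v1/authn"></form>
<a href="https://example.okta.com/help/login">Need help signing in?</a>
</body></html>"""

if __name__ == "__main__":
    for name, page in [("okta-phish", SAMPLE_OKTA_PHISH),
                       ("cms-phish", SAMPLE_CMS_PHISH),
                       ("benign", SAMPLE_BENIGN)]:
        print(name, fingerprint(page, expected_okta_tenant="example.okta.com"))
```

Run it against pages fetched from the lookalike candidates your domain monitoring surfaces; any non-empty result is worth an analyst’s eyes, and two or more indicators on one page is a strong match for this campaign.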

Domain Formats

Through our research and tracking of Scattered Spider, we have found that the group now uses other, similar naming schemes. In the attacks we have discovered over the past six months, all of these domains hosted fake Okta sign-in pages, using the following domain name formats:

victimname-sso[.]com
victimname-servicedesk[.]com
victimname-okta[.]com
victimname-vpn[.]com
victimname-hr[.]com
victimname-hrs[.]com
victimnamevpn[.]com
connect-victimname[.]com
victimnameplus[.]com
victimnameLt[.]com
on-victimname[.]com
victimname-corp[.]com
victimname-usa[.]com
victimnameworkspace[.]com
victimnamecorp[.]com
victimnamework[.]com
victimnamedev[.]com
victimname-dev[.]com

Other commonalities we have found across Scattered Spider’s phishing pages are:

  • OS: Ubuntu
  • Web server software: Nginx and Apache
  • Hosting companies: DigitalOcean, Hostinger, BL Networks (BLNWX), The Constant Company (AS-CHOOPA), Namecheap
  • Domain registrars: NiceNIC, Registrar.eu, Namecheap
  • TLS certificates: R3 (Let’s Encrypt), Sectigo (Namecheap’s free TLS certificate)

Detecting Lookalike Domains

Thanks to open-source developers, any security analyst or system administrator can use simple web-based and command-line tools to discover and monitor lookalike domain names. One popular tool is dnstwist (https://github.com/elceef/dnstwist), which provides an automated workflow for finding new domains pretending to be your organization. Note that its default permutations focus on typosquats (homoglyphs, omissions, transpositions and the like); to catch the keyword-based formats listed above, supply it a dictionary file of the observed tokens (sso, servicedesk, okta, vpn, hr, corp, and so on) with the `--dictionary` option. We also recommend that organizations train their employees about lookalike domains and how to spot phishing pages that reuse identical-looking images and logos.
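As an added example (not code from the original post, from Resilience, or from dnstwist), the Python below turns the domain formats listed above into a candidate set for a brand and matches it against a feed of newly observed names, such as certificate transparency or new-registration data, normalising the `[.]` defanging on the way. It goes slightly beyond the listed formats with a looser regex that joins the brand to any observed token on either side, with or without a hyphen; those loose hits are for analyst review rather than alerting. `SAMPLE_FEED` is constructed; only `charter-vpn[.]com` and `chartervpn[.]com` are domains named on this page, and the `.com`-only TLD list is an assumption drawn from the observed formats.

```python
"""Added example: build Scattered Spider-style lookalike candidates for a
brand and match them against a feed of newly observed domain names.
Standard library only; SAMPLE_FEED is constructed for illustration."""
import re

# Tokens taken from the naming formats listed on this page. The brand token
# stands in for "victimname"; these lists are what was observed, not a
# complete enumeration of what the actor might register next.
PREFIXES = ["connect", "on"]                           # prefix-victimname.com
HYPHEN_SUFFIXES = ["sso", "servicedesk", "okta", "vpn", "hr", "hrs",
                   "corp", "usa", "dev"]               # victimname-suffix.com
JOINED_SUFFIXES = ["vpn", "plus", "lt", "corp", "workspace",
                   "work", "dev"]                      # victimnamesuffix.com
ALL_TOKENS = sorted(set(PREFIXES + HYPHEN_SUFFIXES + JOINED_SUFFIXES))
TLDS = ["com"]   # every observed format used .com (assumption: widen for your org)


def refang(domain):
    """Normalise defanged indicators such as 'charter-vpn[.]com'."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def lookalike_candidates(brand, tlds=TLDS):
    """Exact candidate names built from the observed formats."""
    b = brand.lower()
    out = set()
    for tld in tlds:
        out.update(f"{b}-{s}.{tld}" for s in HYPHEN_SUFFIXES)
        out.update(f"{b}{s}.{tld}" for s in JOINED_SUFFIXES)
        out.update(f"{p}-{b}.{tld}" for p in PREFIXES)
    return out


def loose_pattern(brand, tlds=TLDS):
    """Broader regex: brand joined to any observed token on either side,
    with or without a hyphen. This generalises past the exact list, so
    expect occasional benign matches that need a human look."""
    b = re.escape(brand.lower())
    tok = "|".join(map(re.escape, ALL_TOKENS))
    tld = "|".join(map(re.escape, tlds))
    return re.compile(rf"^(?:(?:{tok})-?{b}|{b}-?(?:{tok}))\.(?:{tld})$")


def match_feed(brand, feed):
    """Return (exact_hits, loose_only_hits), each sorted and de-duplicated."""
    exact = lookalike_candidates(brand)
    pat = loose_pattern(brand)
    exact_hits, loose_hits = set(), set()
    for raw in feed:
        d = refang(raw)
        if d in exact:
            exact_hits.add(d)
        elif pat.match(d):
            loose_hits.add(d)
    return sorted(exact_hits), sorted(loose_hits)


# Constructed sample feed: the two Charter domains named on this page plus noise.
SAMPLE_FEED = [
    "charter-vpn[.]com", "chartervpn[.]com", "charter.com",
    "charter-workspace.com", "chartered-accountants.com",
    "sso-charter.com", "example-sso.com",
]

if __name__ == "__main__":
    hits, review = match_feed("charter", SAMPLE_FEED)
    print("exact matches :", hits)
    print("for review    :", review)
```

Feed it the daily output of your certificate transparency or newly registered domain source, and route exact matches to alerting and loose matches to a triage queue; the same candidate set doubles as a list to pre-register or block before the actor does.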

You can find our IOCs for Scattered Spider lookalike domains on our GitHub.

Citations

[1] https://www.trellix.com/blogs/research/scattered-spider-the-modus-operandi/
[2] https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/
[3] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
[4] https://www.silentpush.com/blog/scattered-spider/
[5] https://www.reuters.com/technology/cybersecurity/fbi-struggled-disrupt-dangerous-casino-hacking-gang-cyber-responders-say-2023-11-14/
[6] https://www.vice.com/en/article/y3wwj5/bloodied-macbooks-stacks-of-cash-inside-the-comm-discord-servers
[7] https://www.404media.co/inside-the-com-world-war-robberies-brickings-and-drama/
[8] https://www.group-ib.com/blog/0ktapus/

This material is provided for informational purposes only. Accordingly, this material should not be viewed as a substitute for the guidance and recommendations of a trained professional. Additionally, Arceo Labs, Inc. d/b/a Resilience does not endorse any coverage, systems, processes, or protocols addressed herein. Any references to non-Resilience Websites are provided solely for convenience, and Resilience disclaims any responsibility with respect to such Websites. To the extent that this material contains any examples, please note that they are for illustrative purposes only. Additionally, examples are not intended to establish any standard of care, to serve as legal advice appropriate for any factual situation, or to provide an acknowledgment that any factual situation is covered by Resilience products. This material is not intended as a solicitation of insurance coverage.
