cyber resilience framework
Threatonomics

Resilience Threat Researchers Identify New Campaigns from Scattered Spider

Flashy hacks like MGM got our attention, but Scattered Spider is still here, and targeting insurance companies

by Resilience Threat Intelligence
Published

Following their attacks on MGM and Caesars’ casinos, threat actor group Scattered Spider is believed to be behind attacks on multiple companies in the finance and insurance industries. Using convincing lookalike domains and login pages as well as efficiently timed attacks, the group is aggressively targeting a wider array of companies. We have also observed Scattered Spider target over 30 companies, and they continue to launch attacks, rapidly deploying infrastructure and disciplined attacks lasting only a few hours.

We believe these attacks are followed by sim swapping attacks to potentially complete access to sensitive corporate data and assets. Defenders should monitor lookalike domains and train employees to spot phishing and credential stealing attacks.

Executive Summary 

Scattered Spider (aka 0ktapus, UNC3944, Roasted Oktapus, Scatter Swine, Octo Tempest, and Muddled Libra) is a financially motivated threat actor group active since May 2022[1][2]. Researchers attributed the hacks of MGM and Caesars’ casinos to Scattered Spider, indicating that the group is a BlackCat/AlphV affiliate[3]. We assess Scattered Spider to be native English-speaking threat actors who launch campaigns that feature adversary-in-the-middle (AiTM), social engineering, and SIM-swapping techniques. Throughout 2023, the group was increasingly aggressive and broadened its industry targeting. Since late 2023, Scattered Spider has targeted the Food Services, Insurance, Retail, Tech, and Video Game industries with fake Okta and CMS login pages.

Key Takeaways

  • Scattered Spider uses lookalike domains to conduct phishing attacks.
  • Scattered Spider targets their victims with fake Okta and CMS pages. 
  • Regularly check for and monitor lookalike domains.
  • Train employees to identify lookalike domains and sign-in pages.
  • Educate employees about targeted phishing, smishing, and fishing.

Background on Scattered Spider

Scattered Spider is an Advanced Persistent Threat (APT) group that has conducted financially motivated attacks since early 2022[1]. During their first year of operation, they primarily targeted telecommunication firms to gain access to cellular account systems to conduct SIM swaps against other targets[2]. The group is unique in its cavalier contact with victims; Scattered Spider is known to call employees at victim organizations to socially engineer them [2]. During the summer of 2023 Scattered Spider changed their targeting and began working with BlackCat/ALPHV to ransom large, lucrative companies like Caesars Entertainment and MGM Resorts[3]. Scattered Spider has continued targeting large corporations and telecommunication providers, but they are unique in targeting specific victims instead of opportunistically attacking them[3]. 

OKTA Campaigns

Scattered Spider conducts spear phishing campaigns using purchased lookalike domains of their targets and uses them to host fake Okta login pages. In a November 2023 CISA report, the FBI disclosed that they had seen Scattered Spider use phishing domains in the format of “`victimname-sso[.]com“`, “`victimname-servicedesk[.]com“`, and “`victimname-okta[.]com“`. 

Pivoting from this information, we discovered other Okta phishing sites that used the same Tactics, Techniques, and Procedures (TTPs) as the sites seen by CISA and the FBI. Our first lead was “telnyx-sso[.]com“`, which briefly hosted an Okta phishing page on October 10th, 2023. Analysts at Silent Push[4] also attributed this site to Scattered Spider. 

Source: Screenshot of the telynyx Okta phishing site

This first page provided us with two key fingerprints. The first is a vulgar link that exists within almost all of these phishing pages, the “Need help signing in?” link takes the user to “`https://n*gg*[.]okta[.]com/help/login“` (The domain has been censored with asterisks due to the hateful language it contains). This link takes users to a real Okta subdomain that hosts Okta help documentation. It is unclear if Scattered Spider registered this subdomain and why after six months, it has not been taken down by Okta. The second identifiable fingerprint we found is that the form on these phishing pages sends a POST request to “`/f*ckyou[.]php“`(The domain has been censored with asterisks). This was seen across all of the Okta phishing pages we discovered over the past six (6) months that were a part of this campaign. 

These fingerprints and the pages found with them match what we know about Scattered Spider. The group is mainly comprised of brazen teens and young adults suspected of being members of the Star Fraud group [5]. This group is connected to a larger loosely affiliated criminal community called The Com. This community has recently made headlines due to the vulgar and violent nature of some of its members [6][7]. A report from Group-IB also claims that Scattered Spider also used a phishing kit that extracted data to a telegram chat called “`₿ Bored N*gg*s INC ₿“` (The telegram channel name has been censored with asterisks due to the hateful language it contains) [8]. The vulgarity displayed in the creation of this campaign fits well with the general culture of Star Fraud and The Com.

As this campaign continues into 2024, it became apparent that Scattered Spider has expanded its targeting to the Food Services, Insurance, Retail, Tech, and Video Game industries in addition to its usual Telecom targets. A recent attack occurred on April 4th, 2024, and targeted Charter Communications with the domains “charter-vpn[.]com“` and “chartervpn[.]com“`. 

Source: Charter Communications Okta phishing page


CMS Campaigns

Resilience has attributed the following campaign to Scattered Spider due to its strong overlap in targeting, TTPs, infrastructure, and timeline. This spearphishing campaign uses lookalike domains of their targets with fake CMS login pages. These pages all contain the HTML title CMS Dashboard Login and follow a domain naming scheme similar to the Okta campaign. We have repeatedly seen these pages used to target the same organization as the Okta login pages within 12-48 hours.

Source: Asurion CMS phishing page and Asurion Okta phishing page

Domain Formats

Through our research and tracking of Scattered Spider, we have found that they are now using other similar naming schemes. In the most recent attacks we’ve discovered over the past six months, all these domains have hosted fake Okta Sign-In pages with the following domain name formats:

victimname-sso[.]comvictimname-servicedesk[.]comvictimname-okta[.]com
victimname-vpn[.]comvictimname-hr[.]comvictimname-hrs[.]com
victimnamevpn[.]comconnect-victimname[.]comvictimnameplus[.]com
victimnameLt[.]comon-victimname[.]comvictimname-corp[.]com
victimname-usa[.]comvictimnameworkspace[.]comvictimnamecorp[.]com
victimnamework[.]comvictimnamedev[.]comvictimname-dev[.]com

Other commonalities we have found in Scattered Spiders phishing pages is:

OS: Ubuntu
Software: Nginx and Apache
Hosting Companies: Digital Ocean, Hostinger, BL Networks (BLNWX), The Constant Company (AS-CHOOPA), Namecheap
Domain Registrars: NiceNIC, Registrar.eu, Namecheap
TLS Certs: R3 (Let’s Encrypt), Sectigo (Namecheap free TLS cert)

Detecting Lookalike Domains

Thanks to open-source developers, any security analyst or system administrator can use simple web-based and command-line tools to discover and monitor lookalike domain names. One popular tool is dnstwist(https://github.com/elceef/dnstwist), which provides an automated workflow for finding new domains pretending to be your organization. We also recommend that organizations train their employees about lookalike domains and how to spot phishing pages that use identical-looking images and logos.

You can find our IOCs for Scattered Spider lookalike domains on our GitHub.

Citations

[1]https://www.trellix.com/blogs/research/scattered-spider-the-modus-operandi/
[2]https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/
[3]https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
[4]https://www.silentpush.com/blog/scattered-spider/
[5]https://www.reuters.com/technology/cybersecurity/fbi-struggled-disrupt-dangerous-casino-hacking-gang-cyber-responders-say-2023-11-14/
[6]https://www.vice.com/en/article/y3wwj5/bloodied-macbooks-stacks-of-cash-inside-the-comm-discord-servers
[7]https://www.404media.co/inside-the-com-world-war-robberies-brickings-and-drama/
[8]https://www.group-ib.com/blog/0ktapus/

This material is provided for informational purposes only. Accordingly, this material should not be viewed as a substitute for the guidance and recommendations of a trained professional. Additionally, Arceo Labs, Inc. d/b/a Resilience does not endorse any coverage, systems, processes, or protocols addressed herein. Any references to non-Resilience Websites are provided solely for convenience, and Resilience disclaims any responsibility with respect to such Websites. To the extent that this material contains any examples, please note that they are for illustrative purposes only. Additionally, examples are not intended to establish any standard of care, to serve as legal advice appropriate for any factual situation, or to provide an acknowledgment that any factual situation is covered by Resilience products. This material is not intended as a solicitation of insurance coverage.

You might also like

Are You Board Ready? Five Takeaways from Our Panel at RSA

RSA is in the rearview mirror, but we’re still thinking about all the great things we learned by mingling with our peers. We were honored to host an engaged group of attendees as founder Raj Shah moderated a panel discussion entitled “Are you board ready.” Resilience advisor Richard Siersen, Stanley Black & Decker CISO Lucia […]

Breach and Attack Simulations: A Proactive Approach to Loss Prevention 

Today’s CISOs and risk managers need to see around corners to proactively reduce risks before they turn into losses. Increasingly, CISOs also answer directly to the board of directors. No matter how tight you think your controls are or how big your budget is, I promise you things are happening in your environment that you […]

Seven Essential Steps to Vulnerability Management: Learnings from the Ivanti Exposures  

In light of the most recent Ivanti vulnerability, the importance of a robust vulnerability management strategy and incident response plan has never been clearer.  The Ivanti vulnerabilities, particularly CVE-2024-22024, unveiled on February 8th, 2024, serve as a stark reminder of the relentless nature of cyber threats. These vulnerabilities, which allow unauthenticated, remote attackers to access […]

Five Predictions on the State of Cyber Claims in 2024

Unravel the complexities of cyber risk with the 2023 Mid-Year Claims Report by Resilience. Dive into our analysis and predictions for the cyber insurance industry in 2024, including the pivotal role of AI and regulatory changes.