Hacking the Help Desk: How Attackers Talk Their Way Into Company Networks

The group believed to be behind recent attacks on casinos excels at so-called social engineering, the term of art for tricking IT call center workers into unwittingly aiding them.

The MGM Grand hotel and casino in Las Vegas.

In many ways it was an unremarkable conversation. An employee working for an IT help desk took a call, introduced himself and asked, “Is this regarding a new or existing ticket?” The caller, who sounded like an American in his early 20s, explained that he was having trouble signing in to his account. “I don’t know how to reset my password, so I was just calling to get a password reset today.” The caller provided his name, and it matched an employee on staff.

“The account should be fine,” the caller added. “I mean, I haven’t locked it, it’s just the password issue.”

“Got you,” the help desk employee responded. “Yeah, I can reset it for you.”

With that, the employee had unwittingly been duped by a member of Scattered Spider, a notorious hacking gang believed to be behind recent attacks at MGM Resorts International, Caesars Entertainment, Coinbase and others. (The details of the call were shared by a person familiar with the incident who asked not to be named while discussing confidential matters.) The group, which some security experts also refer to as UNC3944, excels at “social engineering”—the term of art for tricking someone into providing information that can be used for illicit means, like breaking into a computer network. At a time when nations and major corporations are fighting off highly sophisticated attacks, Scattered Spider’s success has shown that rudimentary methods remain effective and hard to defend against.

The help desk call fits a pattern observed by Charles Carmakal, chief technology officer at the cybersecurity firm Mandiant. Carmakal says he’s listened to more than a hundred audio recordings of Scattered Spider hackers trying to con customer service representatives and IT workers with deceptive phone calls. Some of the hackers are “very aggressive,” he says, and make the call center employee “feel like they’re going to get fired or get in trouble.”

Once the hackers get a foothold, they often spend “significant time” searching through documents, resources and internal chat logs to find ways to escalate privileges and remain within the victim’s network, according to Mandiant.

Scattered Spider emerged in 2022, and cybersecurity company Crowdstrike Holdings Inc. has attributed at least 52 cyberattacks to the group since then. Its members are believed to be in the US and UK, some as young as 19. Jeff Lunglhofer, chief information security officer at Coinbase Global Inc., says he’s encountered hackers that he suspects are Scattered Spider on several occasions. “It’s young, articulate males,” he says. “Quick to respond, witty even.”

Lunglhofer detailed how hackers suspected to be Scattered Spider sent text messages to the personal phones of a dozen Coinbase employees, supplying them with a phony link to the company’s portal and urging them to log in to receive an important corporate message. One employee followed the instructions, inadvertently providing the hackers with a username and password. The hackers couldn’t get into the employee’s account because Coinbase requires multifactor authentication. Undeterred, one hacker called the employee shortly thereafter. Claiming to be an IT staffer, the hacker persuaded the person to provide some colleagues’ contact details.

No funds were lost, and no customer information was compromised by the attack, the company says. Still, it was a cautionary tale, as Lunglhofer noted in a Feb. 17 blog post. “If you think you can’t be fooled by a well executed social engineering campaign - you are kidding yourself,” he wrote.

At the annual Def Con hacking conference, a contest is now held each year where hacking experts judge competing teams’ social engineering prowess as they sit in a soundproof box and race to break into a company. The competitors are told their target—this year it was a well-known pizza franchise—and given two months to do research, including finding phone numbers and details about the company’s technology systems. Sponsored by IBM and California-based security company Proofpoint, the contest has strict rules around ethics, including not naming the target publicly. Using threatening language and extracting personally identifiable information from employees is also banned.

At this year’s contest, Jason Puglisi, a 26-year-old application security engineer at Block, walked into the sound booth with an iPad loaded with a 50-page report on the target company. He picked up points by pretending to be an IT worker and persuading receptionists to tell him what time the security guards’ shifts were, how they replaced security badges and what technology the offices used. “Everyone is vulnerable, it really just takes catching someone in the right mindset or if they are stressed,” he says.

Sometimes Puglisi had to deviate from the script, like when the person he reached said they were just filling in and probably couldn’t help him. “When I told them they could help me just as well, they were flattered and shared everything I asked for,” he says. He won the contest, after coming in second in 2022.

Companies and organizations aren’t defenseless against social engineering. David Bradbury, chief security officer at Okta Inc., whose customers have been targeted in attacks believed to be from Scattered Spider, suggests that call centers limit the authority to reset passwords or multifactor authentication for highly privileged accounts to a few highly trusted employees. Coinbase’s Lunglhofer says his company now requires employees to log in with a small USB-type security device that provides additional authentication.

Another way for companies to protect themselves is to stress-test their own systems. Scott Melnick, who leads the security research and development department at Bulletproof, owned by Gaming Labs International, has advised casinos and gaming companies on cybersecurity and software development for years. Last summer he managed to break into the computer network that ran a casino’s cash cage, where customers collect their winnings. Another time he noticed an Ethernet port behind a cashier counter on a casino floor and plugged in when no one was looking.

Hackers could have used such access to install a miniature device that allows remote access to the network, says Melnick. He was eventually outed by a suspicious cashier (he recommended her for a promotion in his report). Melnick says that getting employees to be vigilant about security is important and that companies should get outsiders to test their defenses—and keep workers on their toes. “When the employees know this is happening, it makes them extra skeptical of every call,” he says.

©2023 Bloomberg L.P.
