Popular with:
Security Engineer
Security Champion
Security Architect
Application Security

Ransomware Strikes the Las Vegas Strip: The MGM Cyber Attack

October 10, 2023
Written by
Abhay Bhargav

In the blink of an eye, the entertainment giant MGM Resorts International found itself dancing on the razor's edge of cyber catastrophe. Last month, it wasn't a blockbuster movie or a high-stakes poker game that had the world talking; it was a merciless cyber-attack that sent shockwaves through the industry.

What if I told you that the MGM cyber attack wasn't just another headline in the endless stream of data breaches? What if I revealed that it's a stark testament to the relentless evolution of cyber threats, a force that lurks in the shadows of our increasingly interconnected world?

What happened?

The MGM cyber attack was discovered on September 11, 2023, after MGM Resorts International noticed suspicious activity on its network. MGM, which owns a number of hotels and casinos on the Las Vegas Strip, including the Cosmopolitan, Bellagio and Aria, was targeted by a hacking group. For the next several days, the company's operation was disrupted. Some casinos were forced to close temporarily because of slot machines, table games, and ATMs that weren’t functional. Guests received hand-written receipts to claim their casino winnings. Hotels’ check-in and check-out, room key access, and restaurant reservations were unavailable. Some hotels had to provide physical room keys to their guests.

Image Credits: K.M. Cannon / Las Vegas Review-Journal / Tribune News Service / Getty Images

After discovering the cyber attack, the hospitality giant took a number of steps to respond, these include engaging with cybersecurity experts to contain the attack and determine its scope, notifying law enforcement and relevant government agencies, and implementing additional security measures to protect its systems and data. MGM Resorts International also began working with insurance companies to assess its financial losses from the attack. The company has not released any information concerning this side of the attack.

After not responding to multiple requests for a statement, MGM announced 3 days after the attack that it continues to “work diligently to resolve our cybersecurity issue while addressing individual guest needs promptly.” The company also said, “We couldn't do this without the thousands of incredible employees who are committed to guest service and support from our loyal customers.” 

10 days after the attack, MGM announced on September 20 that all of its "hotels and casinos are operating normally." The company also mentioned that “intermittent issues” are to be expected. In the third quarter of 2022, it was reported that MGM Resorts International raked in around $25 million per day, implying that the company is presumably losing millions each day that its hotels, casinos, and restaurants are not fully functional.

The MGM cyber attack is still under investigation, but there’s a huge chance that the attackers were able to steal the personal data of millions of MGM customers. This is not the first time that MGM guests' information has been exposed. In 2020, 10.6 million MGM hotel guests' details were posted on a hacking forum. The leak includes details of government officials, reporters, celebrities, and other high-profile individuals.

Who’s responsible?

There are conflicting reports on who’s responsible for the attack on MGM. Scattered Spiders, who go by other names like Oktapus and Scatter Swine, claimed via Financial Times that they’re responsible for stealing and encrypting MGM’s data. Scattered Spider is reported to be under a ransomware gang called ALPHV or BlackCat.

In a Twitter post, it was revealed that all the group of malicious hackers did to “compromise MGM Resorts” is “hop on LinkedIn, find an employee, then call the Help Desk.” The post also highlighted that the call only took 10 minutes.

It doesn't end there. The gang, whose members’ ages were allegedly around 17-22 years old, also hit the hotel and casino giant Caesars Entertainment. A report from Bloomberg last September 14 stated that the hack started in August by targeting Caesar’s third-party vendors. In another report by The Wall Street Journal, it was discovered that the company paid around $15 million, half of the $30 million that the hackers initially demanded to keep the stolen data from being leaked.

Let's talk about vishing (voice phishing)

Vishing is a deceptive technique that combines the familiarity of a phone call with the cunning of a cybercriminal and has emerged as a weapon in the arsenal of those wanting to exploit our trust and manipulate our actions.

A study shows that in America alone, over $68.4 million were lost through vishing scams in 2022. In another study, it was revealed that vishing attacks rose by almost 550% from Q1 2021 to Q1 2022.

Vishing, short for "voice phishing," is a social engineering attack that takes place over the phone. It's similar to the traditional phishing emails we've grown wary of, but with a twist—it takes advantage of the human element and the power of voice to deceive victims.

The standard pattern of vishing attacks

  1. The Initial Call. The attacker, often with stolen or faked caller ID information to appear legitimate, makes an unsolicited call to the victim. They might pose as a trusted entity, such as a bank, government agency, or even a tech support representative from a well-known company.
  2. Creating Urgency. The attacker's script usually involves a sense of urgency or fear, compelling the victim to take immediate action. For example, they might claim there's a security breach on the victim's account, an impending legal issue, or an unpaid bill that needs immediate attention.
  3. Gaining Trust. Vishing perpetrators excel in the art of manipulation. They employ psychological tactics to gain the victim's trust and cooperation. This might involve dropping personal details about the victim that were harvested from previous data breaches to create an illusion of authenticity.
  4. Directing the Victim. Once trust is established, the attacker directs the victim to take specific actions. This can range from divulging sensitive information like Social Security numbers, bank account details, or passwords, to instructing the victim to visit malicious websites or download malicious software.
  5. The Sting. The final act of this con is the extraction of valuable information or the installation of malware on the victim's device, all under the guise of resolving an urgent issue.

Vishing thrives on the inherent trust we place in phone calls and the human voice. Unlike suspicious emails that may land in our spam folder, a phone call feels more personal and legitimate. This psychological advantage is precisely what makes vishing so insidious and effective.

Implications of vishing

Once an unknowing victim falls into the trap of voice phishing, the implications can be overwhelming, ranging from personal to financial and even extending into legal troubles and emotional distress. Here's the full spectrum of fallout that can follow a vishing attack:

  • Financial Loss. Vishing can lead to immediate and severe financial losses, including drained bank accounts and fraudulent charges.
  • Identity Theft. Vishing provides cyber criminals with the tools to commit identity theft that involves victims' credit scores and financial stability.
  • Data Breaches. Organizations may suffer data breaches if vishing compromises an employee, resulting in intellectual property theft and reputational damage.
  • Emotional Distress. Victims of vishing experience emotional distress like feeling violated and anxious about financial and legal consequences.
  • Legal Consequences. Victims may face legal troubles if their compromised information is used in criminal activities which usually leads to a struggle to clear their name.
  • Trust Erosion. Vishing attacks erode trust within society, making people increasingly skeptical of legitimate phone calls.
  • Reputation Damage. For businesses, vishing can damage their reputation, loss of clientele, revenue, and market standing.
  • Extended Threats. Vishing can open the door to further cyber crimes as attackers pivot to other exploits, expanding the threat landscape and increasing potential damages.

Common types of vishing scams

Vishing adapts to its surroundings, and cyber criminals employ a variety of tactics to ambush their unsuspecting victims. These deceptive techniques span a wide spectrum, each with its own unique flavor of deceit. Here are some of the most common types of vishing attacks:

Voice Impersonation

Attackers use voice-altering technology or mimicry to impersonate someone familiar or authoritative, such as a family member, bank official, or government representative. This plays on the victim's trust in the apparent caller to make them more likely to comply with the attacker's requests.

Caller ID Spoofing

With the aid of caller ID spoofing services, cybercriminals can manipulate the displayed phone number to make it appear as if the call is coming from a legitimate source. Victims may see a trusted organization's name or number, furthering the illusion of authenticity.

Vishing via Voicemail

Attackers might leave a convincing voicemail, posing as a reputable entity and urging the victim to return the call urgently. This subverts the victim's sense of urgency and encourages them to interact with the attacker.

Employee Credential Vishing

Businesses are not immune to vishing attacks. Cybercriminals may target employees by pretending to be IT support or human resources personnel and trick them into revealing sensitive company information or login credentials.

Threats and Fear

Playing on fear and intimidation, attackers may claim the victim faces dire consequences, such as legal trouble or account suspension, unless they comply with their demands. This tactic aims to push victims into hasty actions.

Prize Scams

In a ploy to exploit greed or excitement, attackers may inform victims that they've won a prize or lottery. To claim the supposed reward, the victim is then asked to provide personal information or pay a fee, which leads to financial losses.

Tech Support Scams

Cybercriminals may pose as tech support agents from well-known companies to inform victims of fictitious computer issues. They then guide victims through steps that grant the attacker remote access to the victim's device and pave the way for data theft or malware installation.

Charity Scams

Preying on compassion, attackers may pose as representatives of charitable organizations that are soliciting donations. Victims who agree to contribute are tricked into revealing their financial information.

COVID-19 Scams

Exploiting global events, vishing attackers have capitalized on the COVID-19 pandemic. They impersonate healthcare professionals, government agencies, or medical organizations to offer bogus information or treatments to prey on victims' fears and concerns.

Voice Synthesis

With advancements in AI and voice synthesis technology, attackers can generate lifelike voice recordings. These synthetic voices may impersonate trusted individuals or entities that can lure victims into complacency.

How To prevent vishing scams

Preventing vishing scams is a battle against deception, and it calls for a combination of awareness, caution, and protective measures. Here are effective strategies to help you stay one step ahead of vishing attackers:

  1. Verify Caller Identity. Never blindly trust caller ID information. If you receive an unexpected call from a bank, government agency, or any organization, verify their identity independently. Look up their official phone number from their website or official documents, and call them back to confirm the legitimacy of the call.
  2. Question Urgency. Vishing attackers often create a sense of urgency or fear. Take a step back and consider if the situation genuinely demands immediate action. If in doubt, verify the claims with the purported organization through official channels.
  3. Protect Personal Information. Never disclose sensitive information such as Social Security numbers, banking details, or passwords over the phone unless you initiated the call to a trusted and verified source. Legitimate entities won't ask for such information over the phone.
  4. Be Skeptical of Unsolicited Calls. Treat unsolicited calls with skepticism. If someone calls you unexpectedly with an offer that sounds too good to be true or requests personal information, remain cautious. Trust your instincts, and don't be rushed into making decisions.
  5. Educate Yourself and Others. Awareness is your first line of defense. Stay informed about common vishing tactics and educate your family, friends, and colleagues about them as well. A community that's vigilant is less likely to fall prey to vishing attacks.
  6. Use Call-Blocking Apps. Consider using call-blocking apps or services that can help filter out known spam or scam calls. These apps can significantly reduce the number of fraudulent calls you receive.
  7. Voicemail Screening. Let unknown callers leave a voicemail. Legitimate callers will often leave a message. Review the content of the voicemail and verify the caller's identity before taking any action.
  8. Secure Personal Information. Protect your personal and financial information by using strong, unique passwords for accounts and enabling two-factor authentication where possible. This can thwart attackers even if they manage to gather some information about you.
  9. Stay Updated. Keep your phone's operating system, apps, and security software up to date. These updates often include security patches that can help protect against various types of attacks.
  10. Report Suspicious Calls. If you receive a suspicious vishing call, report it to the appropriate authorities or organizations. This can help them take action against the perpetrators and protect others from falling victim.
  11. Check Your Accounts Regularly. Regularly review your financial statements, bank accounts, and credit reports for any unauthorized or suspicious activity. Early detection can minimize the damage caused by vishing attacks.
  12. Use Multifactor Authentication (MFA). Enable MFA for your accounts whenever possible to add an extra layer of security by requiring you to verify your identity through other means, such as a one-time code sent to your phone.

Empower your product teams against vishing

Multifactor authentication and cutting-edge encryption protocols can only do so much to protect you against malicious actors.

The MGM hack is a prime example of the growing threat of cyber attacks. It is also a reminder that organizations of all sizes, regardless of industry, are vulnerable to something as simple as a spoofing voice call.

Companies often overlook vishing or voice phishing when conducting employee cybersecurity training. Training your product teams with effective and hands-on company-wide security training is a critical step in fortifying your defenses against hackers and cyber criminals. Humans don't have to be your weakest link. 

AppSecEngineer, a full-stack security training platform, has an extensive collection of application security resources to help promote security awareness and empower product development teams. Whether you're looking to train your developers or your security engineers, we got you covered! 

With our expert-led courses, your teams can learn to mitigate security threats before they can even happen. Check out our plans here to get started!

Source for article
Abhay Bhargav

Abhay Bhargav

Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA. He loves golf (don't get him started).

Abhay Bhargav


Contact Support


1603 Capitol Avenue,
Suite 413A #2898,
Cheyenne, Wyoming 82001,
United States

Copyright AppSecEngineer © 2023