In the blink of an eye, the entertainment giant MGM Resorts International found itself dancing on the razor's edge of cyber catastrophe. Last month, it wasn't a blockbuster movie or a high-stakes poker game that had the world talking; it was a merciless cyber-attack that sent shockwaves through the industry.
What if I told you that the MGM cyber attack wasn't just another headline in the endless stream of data breaches? What if I revealed that it's a stark testament to the relentless evolution of cyber threats, a force that lurks in the shadows of our increasingly interconnected world?
The MGM cyber attack was discovered on September 11, 2023, after MGM Resorts International noticed suspicious activity on its network. MGM, which owns a number of hotels and casinos on the Las Vegas Strip, including the Cosmopolitan, Bellagio and Aria, was targeted by a hacking group. For the next several days, the company's operation was disrupted. Some casinos were forced to close temporarily because of slot machines, table games, and ATMs that weren’t functional. Guests received hand-written receipts to claim their casino winnings. Hotels’ check-in and check-out, room key access, and restaurant reservations were unavailable. Some hotels had to provide physical room keys to their guests.
After discovering the cyber attack, the hospitality giant took a number of steps to respond. These included engaging cybersecurity experts to contain the attack and determine its scope, notifying law enforcement and relevant government agencies, and implementing additional security measures to protect its systems and data. MGM Resorts International also began working with insurance companies to assess its financial losses from the attack. The company has not released any information concerning this side of the attack.
After not responding to multiple requests for a statement, MGM announced 3 days after the attack that it continues to “work diligently to resolve our cybersecurity issue while addressing individual guest needs promptly.” The company also said, “We couldn't do this without the thousands of incredible employees who are committed to guest service and support from our loyal customers.”
10 days after the attack, MGM announced on September 20 that all of its "hotels and casinos are operating normally." The company also mentioned that “intermittent issues” are to be expected. In the third quarter of 2022, it was reported that MGM Resorts International raked in around $25 million per day, implying that the company is presumably losing millions each day that its hotels, casinos, and restaurants are not fully functional.
The MGM cyber attack is still under investigation, but there’s a huge chance that the attackers were able to steal the personal data of millions of MGM customers. This is not the first time that MGM guests' information has been exposed. In 2020, 10.6 million MGM hotel guests' details were posted on a hacking forum. The leak includes details of government officials, reporters, celebrities, and other high-profile individuals.
There are conflicting reports on who’s responsible for the attack on MGM. Scattered Spider, who go by other names like Oktapus and Scatter Swine, claimed via the Financial Times that they’re responsible for stealing and encrypting MGM’s data. Scattered Spider is reported to operate under the ransomware gang ALPHV, also known as BlackCat.
In a Twitter post, it was revealed that all the group of malicious hackers did to “compromise MGM Resorts” is “hop on LinkedIn, find an employee, then call the Help Desk.” The post also highlighted that the call only took 10 minutes.
It doesn't end there. The gang, whose members’ ages were allegedly around 17-22 years old, also hit the hotel and casino giant Caesars Entertainment. A report from Bloomberg on September 14 stated that the hack started in August by targeting Caesars’ third-party vendors. In another report by The Wall Street Journal, it was discovered that the company paid around $15 million, half of the $30 million that the hackers initially demanded to keep the stolen data from being leaked.
Vishing is a deceptive technique that combines the familiarity of a phone call with the cunning of a cybercriminal. It has emerged as a weapon in the arsenal of those wanting to exploit our trust and manipulate our actions.
Vishing, short for "voice phishing," is a social engineering attack that takes place over the phone. It's similar to the traditional phishing emails we've grown wary of, but with a twist—it takes advantage of the human element and the power of voice to deceive victims.
Vishing thrives on the inherent trust we place in phone calls and the human voice. Unlike suspicious emails that may land in our spam folder, a phone call feels more personal and legitimate. This psychological advantage is precisely what makes vishing so insidious and effective.
Once an unknowing victim falls into the trap of voice phishing, the implications can be overwhelming, ranging from personal to financial and even extending into legal troubles and emotional distress. Here's the full spectrum of fallout that can follow a vishing attack:
Vishing adapts to its surroundings, and cyber criminals employ a variety of tactics to ambush their unsuspecting victims. These deceptive techniques span a wide spectrum, each with its own unique flavor of deceit. Here are some of the most common types of vishing attacks:
Attackers use voice-altering technology or mimicry to impersonate someone familiar or authoritative, such as a family member, bank official, or government representative. This plays on the victim's trust in the apparent caller to make them more likely to comply with the attacker's requests.
With the aid of caller ID spoofing services, cybercriminals can manipulate the displayed phone number to make it appear as if the call is coming from a legitimate source. Victims may see a trusted organization's name or number, furthering the illusion of authenticity.
Attackers might leave a convincing voicemail, posing as a reputable entity and urging the victim to return the call urgently. This exploits the victim's sense of urgency and encourages them to interact with the attacker.
Businesses are not immune to vishing attacks. Cybercriminals may target employees by pretending to be IT support or human resources personnel and trick them into revealing sensitive company information or login credentials.
Playing on fear and intimidation, attackers may claim the victim faces dire consequences, such as legal trouble or account suspension, unless they comply with their demands. This tactic aims to push victims into hasty actions.
In a ploy to exploit greed or excitement, attackers may inform victims that they've won a prize or lottery. To claim the supposed reward, the victim is then asked to provide personal information or pay a fee, which leads to financial losses.
Cybercriminals may pose as tech support agents from well-known companies to inform victims of fictitious computer issues. They then guide victims through steps that grant the attacker remote access to the victim's device and pave the way for data theft or malware installation.
Preying on compassion, attackers may pose as representatives of charitable organizations that are soliciting donations. Victims who agree to contribute are tricked into revealing their financial information.
Exploiting global events, vishing attackers have capitalized on the COVID-19 pandemic. They impersonate healthcare professionals, government agencies, or medical organizations to offer bogus information or treatments to prey on victims' fears and concerns.
With advancements in AI and voice synthesis technology, attackers can generate lifelike voice recordings. These synthetic voices may impersonate trusted individuals or entities that can lure victims into complacency.
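The corporate variant described above, where a caller poses as IT support or as an employee and asks the help desk to reset a password or MFA device, is the scenario the MGM reporting points at. The following is an added example, not code from the original article or from MGM or AppSecEngineer: a small help-desk triage routine that refuses to complete account-changing actions on the strength of a phone call alone, and instead requires a callback to the number on file plus out-of-band manager approval for MFA changes. The directory, ticket data and phone numbers are constructed, and the field names are assumptions for illustration.

```python
from dataclasses import dataclass

# Actions a vishing caller typically asks a help desk for. Each one can hand
# over an account, so none may be completed on a phone call alone.
HIGH_RISK_ACTIONS = {"password_reset", "mfa_reset", "mfa_enroll_device", "account_unlock"}
MFA_ACTIONS = {"mfa_reset", "mfa_enroll_device"}

# Constructed employee directory (hypothetical data, not any real company's).
DIRECTORY = {
    "a.lopez": {"phone_on_file": "+1-555-0101", "manager": "j.chen"},
    "j.chen": {"phone_on_file": "+1-555-0102", "manager": "m.okafor"},
}


@dataclass
class HelpDeskRequest:
    ticket_id: str
    claimed_user: str          # identity the caller claims to be
    action: str                # what the caller asks the help desk to do
    caller_id: str             # number shown by caller ID; spoofable, so never proof
    callback_verified: bool    # desk hung up and called the number on file
    manager_approved: bool     # out-of-band approval from the user's manager
    urgency_claimed: bool      # caller pushed for immediate action


def triage(req: HelpDeskRequest, directory=DIRECTORY):
    """Return (decision, notes); decision is 'allow', 'hold' or 'deny'.

    Hard controls (callback, manager approval for MFA changes) decide the
    outcome. Caller ID and urgency are only recorded as notes: a spoofed
    caller ID can match the number on file, and a real employee may call
    from a different phone, so neither is treated as proof either way.
    """
    record = directory.get(req.claimed_user)
    if record is None:
        return "deny", ["claimed identity not in directory"]
    if req.action not in HIGH_RISK_ACTIONS:
        return "allow", []

    notes = []
    missing_callback = not req.callback_verified
    missing_approval = req.action in MFA_ACTIONS and not req.manager_approved
    if missing_callback:
        notes.append("no callback to number on file")
    if missing_approval:
        notes.append("MFA change without manager approval")
    if req.caller_id != record["phone_on_file"]:
        notes.append("caller ID differs from number on file")
    if req.urgency_claimed:
        notes.append("caller pressed for urgency")

    if missing_callback or missing_approval:
        return "hold", notes
    return "allow", notes


def triage_all(requests):
    """Map ticket id -> decision for a batch of requests."""
    return {r.ticket_id: triage(r)[0] for r in requests}


# Constructed sample tickets. T-1 models the pattern described in the article:
# a caller who knows an employee's name, spoofs a matching caller ID and pushes
# for an immediate MFA reset before any verification has happened.
SAMPLE_REQUESTS = [
    HelpDeskRequest("T-1", "a.lopez", "mfa_reset", "+1-555-0101", False, False, True),
    HelpDeskRequest("T-2", "a.lopez", "password_reset", "+1-555-0199", True, False, False),
    HelpDeskRequest("T-3", "x.nobody", "password_reset", "+1-555-0300", False, False, False),
    HelpDeskRequest("T-4", "j.chen", "printer_queue_reset", "+1-555-0102", False, False, False),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        decision, notes = triage(r)
        print(f"{r.ticket_id}: {decision:5} {r.action:20} {'; '.join(notes)}")
```

The point of the design is that a matching caller ID never promotes a request to "allow": only the callback and the manager approval, both of which an impostor cannot produce by talking, move a high-risk ticket forward.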
Preventing vishing scams is a battle against deception, and it calls for a combination of awareness, caution, and protective measures. Here are effective strategies to help you stay one step ahead of vishing attackers:
Multifactor authentication and cutting-edge encryption protocols can only do so much to protect you against malicious actors.
The MGM hack is a prime example of the growing threat of cyber attacks. It is also a reminder that organizations of all sizes, regardless of industry, are vulnerable to something as simple as a spoofed voice call.
Companies often overlook vishing, or voice phishing, when conducting employee cybersecurity training. Giving your product teams effective, hands-on, company-wide security training is a critical step in fortifying your defenses against hackers and cyber criminals. Humans don't have to be your weakest link.
AppSecEngineer, a full-stack security training platform, has an extensive collection of application security resources to help promote security awareness and empower product development teams. Whether you're looking to train your developers or your security engineers, we've got you covered!