24.2k unique visitors in the last 3 days

Experts Say ‘Phishing Resistant’ Authentication Needed to Counter Scattered Spider SIM Swaps

A detailed advisory from the FBI and CISA describes Scattered Spider hackers as 'experts in social engineering'.

New recommendations for how to mitigate the risks posed by the Scattered Spider hacking collective have emphasized the danger posed by sending one time passwords (OTPs) using a comms channel that could be compromised through a SIM swap fraud. The Scattered Spider hackers, who are also sometimes called 0ktapus, Starfraud, UNC3944 or Scatter Swine, have gained great notoriety after attacking a string of high-profile businesses including the recent breach of systems belonging to entertainment megacorporations MGM and Caesars. The new advisory notice, which was jointly issued by the US Federal Bureau of Investigation (FBI) and the US Cybersecurity and Infrastructure Security Agency (CISA), describes Scattered Spider as “experts in social engineering” who have repeatedly shown their ability to undermine multi-factor authentication (MFA).

Various public reports indicate Scattered Spider have:

  • posed as company IT and/or helpdesk staff using phone calls or SMS messages to obtain
    credentials from employees and gain access to the network;
  • posed as company IT and/or helpdesk staff to direct employees to run commercial remote
    access tools enabling initial access;
  • posed as IT staff to convince employees to share their OTP;
  • sent repeated MFA notification prompts leading to employees pressing the ‘accept’ button, otherwise known as MFA fatigue;
  • convinced mobile operators to transfer control of a targeted user’s phone number to a SIM card
    they controlled, gaining control over the phone and access to MFA prompts; and
  • monetized access to victim networks in numerous ways including extortion enabled by
    ransomware and data theft.

Several known sim swappers have referred to the importance of identifying employees of businesses like telcos so they can then be tricked or corrupted. This is reinforced by the advisory notice.

Scattered Spider intrusions often begin with broad phishing and smishing attempts
against a target using victim-specific crafted domains… In most instances, Scattered Spider threat actors conduct SIM swapping attacks against users that respond to the phishing/smishing attempt.

Once they have obtained a single foothold, the hackers will socially engineer other staff in order to gain access to corporate systems.

The threat actors then work to identify the personally identifiable information (PII) of the most valuable users that succumbed to the phishing/smishing, obtaining answers for those users’ security questions. After identifying usernames, passwords, PII, and conducting SIM swaps, the threat actors then use social engineering techniques to convince IT help desk personnel to reset passwords and/or MFA tokens to perform account takeovers against the users in single sign-on (SSO) environments.

This prompts one obvious recommendation for how to strengthen an organization’s defenses.

Require phishing-resistant multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems.

There has been a lot of hullabaloo recently about slowing growth in the A2P SMS market, not least because an increasing number of companies want to reduce reliance on OTPs sent by SMS. The end of the A2P SMS gold rush will not result in much sympathy from anyone outside of the telecoms industry. SMS was never designed to be a secure communications channel, and telcos do not pay their staff enough to guarantee they will not be bribed or tricked into executing a SIM swap. So whilst telcos profited from the extra A2P SMS traffic they carried, it was inevitable that there would be a reputation cost when telcos are blamed for SIM swaps. The irony is that the same weaknesses have been used to breach data from telcos too, including Twilio and T-Mobile US.

The joint FBI-CISA advisory on Scattered Spider can be found here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email