A U.S. cybercrime group is targeting banks and credit unions

July 31, 2025

A new report released Wednesday by a group of sector-specific cybersecurity consortia, led by the Financial Services Information Sharing and Analysis Center (FS-ISAC), warns financial institutions and other companies of the persistent and evolving threat posed by the cybercrime group known as Scattered Spider.

The group’s success largely stems from its highly effective social engineering techniques and its speed and adaptability in targeting.

The report details the group’s observed tradecraft and provides proactive defense recommendations for organizations. Scattered Spider, also tracked under names such as UNC3944, Scatter Swine, Oktapus, Octo Tempest, Storm-0875, and Muddled Libra, is a financially motivated group of young, independent operators primarily based in the U.S., U.K., and Canada.

FS-ISAC and the other sector-specific groups “assess with high confidence that Scattered Spider presents a real threat, and that its ability to exploit human vulnerabilities through social engineering makes the group a significant risk to organizations,” according to the report.

For U.S. banks and credit unions, Scattered Spider poses a direct and proven danger. In May 2024, Scattered Spider was the primary reason for a two-week increase by FS-ISAC in the overall cyber threat level in the Americas region, according to the group’s annual threat report.

That previous report called the threat actor “credible” and “sophisticated.”

MGM and Caesars compromises

Scattered Spider gained notoriety for its 2023 compromises of MGM Resorts and Caesars Entertainment.

In the MGM Resorts attack, Scattered Spider “socially engineered MGM Resorts’ helpdesk personnel [to] bypass multi-factor authentication and log into accounts for which they had acquired valid login credentials,” according to cybersecurity research group Push Security.

They specifically targeted accounts with high-level privileges within MGM Resorts’ Okta system, enabling them to impersonate any user and abuse single sign-on access to other applications.

This attack enabled the group to deploy ransomware to around 100 servers and steal data, resulting in a six-hour outage and a $100 million hit to MGM’s Q3 results, according to Push Security.

Caesars Entertainment, affected at the same time as MGM, disclosed a data breach that compromised driver’s license numbers and Social Security numbers for an undisclosed number of Caesars loyalty program members.

Caesars reportedly paid a $15 million ransom to Scattered Spider in an attempt to prevent the stolen data from being leaked.

How Scattered Spider exploits victims

Scattered Spider uses a number of tactics, techniques and procedures that are relevant to the financial sector.

Social engineering is core

The group heavily relies on social engineering to gain initial access, often by posing as employees or contractors to IT help desks to trick support staff into resetting passwords, providing sensitive information, transferring multi-factor authentication (MFA) to their devices, or convincing users to run remote access tools.

They use “insider jargon” and “leaked employee data” to sound authentic, and sometimes employ “MFA fatigue” attacks by sending repeated notifications until a user accepts.
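
The “MFA fatigue” pattern described above leaves a recognizable trace in authentication logs: a run of rejected or ignored push prompts for one user, sometimes ending in an approval. The following detection sketch is an added example, not taken from the report or the article; the event format, window, and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
THRESHOLD = 4                    # assumed count of rejected/ignored prompts

# Constructed sample data: (timestamp, user, push outcome). Field names are hypothetical.
SAMPLE_EVENTS = [
    ("2025-07-30T02:10:05", "jdoe", "denied"),
    ("2025-07-30T02:10:40", "jdoe", "timeout"),
    ("2025-07-30T02:11:15", "jdoe", "denied"),
    ("2025-07-30T02:11:50", "jdoe", "timeout"),
    ("2025-07-30T02:12:30", "jdoe", "approved"),    # approval right after a burst
    ("2025-07-30T09:00:00", "asmith", "timeout"),
    ("2025-07-30T09:00:30", "asmith", "approved"),  # ordinary retry, not flagged
    ("2025-07-30T14:00:00", "bwong", "denied"),
    ("2025-07-30T14:01:00", "bwong", "denied"),
    ("2025-07-30T14:02:00", "bwong", "denied"),
    ("2025-07-30T14:03:00", "bwong", "denied"),     # burst with no approval
]

def detect_mfa_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (user, timestamp, kind) tuples, in event order."""
    recent = defaultdict(deque)   # user -> timestamps of recent unapproved prompts
    alerts = []
    for ts_text, user, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        failures = recent[user]
        # Drop unapproved prompts that have aged out of the window.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if outcome in ("denied", "timeout"):
            failures.append(ts)
            if len(failures) == threshold:
                alerts.append((user, ts_text, "push_burst"))
        elif outcome == "approved":
            if len(failures) >= threshold:
                # The user gave in after repeated prompts: treat the session as suspect.
                alerts.append((user, ts_text, "approved_after_burst"))
            failures.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An `approved_after_burst` alert is the higher-priority signal, since it means a session was granted after the user had repeatedly rejected or ignored prompts.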

Identity provider targeting

Scattered Spider actively targets identity providers like Okta and Microsoft Entra, compromising administrator accounts to achieve “unrestricted access” to identities within the identity provider system, akin to a total compromise.

They have been observed configuring secondary identity providers to enable impersonation of a privileged user across multiple systems, strengthening their persistence.

Data exfiltration and ransomware

The group’s primary objective is financial gain through data exfiltration and extortion.

They steal data using various methods, including legitimate SaaS services like Dropbox and FiveTran to extract high-value databases such as Salesforce and ZenDesk.

They then typically deploy ransomware, such as BlackCat (ALPHV), Ransom.Hub, Qilin, and DragonForce, often targeting cloud server environments like VMware ESXi. This flexible approach allows them to switch ransomware tools if one is stopped.

Detection evasion

Scattered Spider is adept at evading detection. They use “short-lived domains” for phishing pages that “mimic legitimate login portals,” making detection difficult, according to Push Security.

They also use “custom subdomains” that appear legitimate, like it[.]com and us[.]com, and employ commercial toolkits for vulnerability hunting, like Evilginx, to bypass MFA and evade detection.

The group has even joined victim organizations’ incident remediation and response calls, “likely to identify how security teams are hunting them and proactively develop new avenues of intrusion,” according to the report released Wednesday.

How banks can avoid Scattered Spider’s wrath

To combat Scattered Spider, the cross-sector mitigations document does not provide one silver bullet.

Rather, it provides a list of recommendations “drawn from FS-ISAC’s cyber fundamentals, a risk-based, defense-in-depth approach of baseline cybersecurity necessities applicable to organizations at any level of cyber maturity.”

Some of these recommendations include:

  • Use a multi-channel verification process, such as verifying password reset requests made over email with a call back on a known phone number.
  • Focus on social engineering tactics, such as by tailoring security awareness training to specific roles.
  • Review social media profiles of admins, particularly cloud admins, for information that threat actors can use to tailor their attacks.
  • Assess helpdesk access rights to ensure that helpdesk agents are granted least necessary permissions.
  • Monitor virtual machines in cloud environments by, for example, watching for disallowed activities.