
Social Engineering Eyed in High-Profile Casino Attacks

By
Services for Real Estate Pros with IDTheftSecurity.com Inc

Social engineering may be behind two high-profile attacks on casino operators Caesars and MGM. In an 8-K filing with the Securities and Exchange Commission, Caesars Entertainment reported "a social engineering attack on an outsourced IT support vendor used by the Company." Hackers were able to steal data from the Caesars loyalty database around September 7, exposing an unknown number of driver's license and Social Security numbers. The Wall Street Journal reported that Caesars paid around half of a $30 million ransom demanded by hackers to restore systems and delete stolen information. In its SEC filing, Caesars noted that there is no guarantee the criminals will delete the data.

Elsewhere in Las Vegas, MGM systems, including coded room keys, booking systems and slot machines, were turned off following a ransomware attack. Reuters reported that the ransomware attack was attributed to a group known as Scattered Spider, which has previously targeted telecommunications and business outsourcing firms. Scattered Spider is also believed to be behind the Caesars attack.

Anatomy of a Social Engineering Attack

In an interview with TechCrunch, an alleged Scattered Spider spokesperson took credit for the MGM social engineering attack but denied involvement with the Caesars hack. The spokesperson claimed that they had found information on an employee at an MGM IT vendor via LinkedIn, then called the vendor's help desk to gain access to that person's account.

Social engineering attacks are targeted. The criminal is typically armed with some information about an individual they are attempting to impersonate or persuade. The most sophisticated attackers can now employ artificial intelligence tools that synthesize an individual's voice using just a few seconds of online audio. They will then call people who can grant account access, such as bankers or help desks, using the fake voice in real time to try to gain account access. Employees at companies that are high-value targets, such as hospitals, banks, casinos and telecom providers, and at third-party vendors that serve these companies, are most likely to be targeted with sophisticated attacks. The larger the potential payout, the more sophisticated the attack will be.

Other social engineering scams are clumsier and should trigger immediate red flags. Someone may call claiming to be a vendor or IT staffer and ask the victim to read out a two-factor authentication code over the phone, defeating the protection this authentication offers. Attacks like this are very common and can happen to any employee in any business.

Scattered Spider is not as sophisticated as some criminal gangs and state-sponsored hackers. They are motivated by money and mainly made up of young people, with one report suggesting they deliberately recruit young teens to avoid significant criminal consequences if they get caught. What business owners should know is that groups like Scattered Spider are sophisticated enough if they can trick employees into providing access or divulging information.

Preventing Social Engineering Attacks

As social engineering attacks become more sophisticated, business owners must double down on cyber security employee training and establish firm protocols that guide information or access requests. Individuals have a responsibility as well, as they must limit the discovery of information that criminals can use in social engineering attacks. Here are five things to do now to reduce your risk:

  1. Review your LinkedIn and social media profiles. Do strangers need to know where you work? Does your profile need to be publicly accessible? For a handful of people, the answer is yes, and those individuals generally take steps to separate their public profile from their private and business profiles. For most workers, the answer is no. Follow this simple rule: The more you share, the less visible your profiles should be. Go ahead and cultivate a professional network on LinkedIn, but limit your visibility to people you know.
  2. Change your passwords. Assume your current username and password are available for sale on the Dark Web. They likely are, making it a matter of time before a criminal connects that information to your workplace accounts. Use separate passwords for work and personal accounts and change them every few weeks, at least four times each year. When criminals see passwords changing, they recognize that you take cyber security seriously and may pass you by in favor of an easier target.
  3. Enable two-factor authentication. This should route access codes to a device that is with you at all times. Never, under any circumstances, share one of those access codes with someone. Two-factor authentication remains one of the strongest protections against account hijacking.
  4. Assess your level of risk. Some companies know they are targets, because they have access to money or personal data. Those companies typically have very strict protocols in place to deter social engineering and phishing attacks. Vendors may not have the same level of protection or training, which gives criminals a back door into secured systems. If you have high-value clients, you must adopt their level of cyber security and train every employee to recognize and respond to attempted cyber attacks.
  5. Require review of access attempts. One of the best protocols to put in place is to require a second set of eyes on any attempt to gain access to accounts via phone, text or email. These requests should route to a higher-level employee who is well-versed in social engineering and phishing attempts. When in doubt, protocols should require a call to the phone number on file for the individual as a final step in approving access. Do not call any other number, and do not use redial, as scammers may spoof an individual's phone number on your devices.

Sophisticated social engineering attacks work because employees are trusting and want to do a good job. Training must emphasize that security is as important as, if not more important than, customer service. An inconvenienced person may be upset with you briefly. A cyber crime victim will never forget who allowed the attack to happen.

If you need employee training, anti-phishing training, compliance services or guidance on establishing cyber security protocols, please contact us online or call us at 1-800-658-8311.

Kathy Streib
Cypress, TX
Home Stager/Redesign

Hi Robert - this will never stop, will it?! This is why it's important to read about this constantly. I have two-factor authentication now for everything.

Sep 20, 2023 07:37 PM
Jonas Fiedler
Audio Visions - Mound City, TX

What an interesting post! Thank you for sharing tips on how to protect yourself. I have only recently come to the USA and find that two-factor authentication is probably the best option in this case. I love casinos and gambling myself and recently read interesting information about with MGA license, and I recommend that everyone interested in the topic of gambling familiarize themselves with it. Social engineering is usually used to compromise information security, and it is important to train and inform employees and the public about social engineering methods and how to recognize and prevent them.

Sep 22, 2023 05:56 AM
Wallace Itsne

Buran Casino review is a blizzard, usually associated with sandstorms, particularly in Russia and parts of Asia. The word may seem unusual for a casino, but perhaps you can have gaming sessions that seem like a buran. Launched in 2017, Buran Casino features a huge and diverse games library from almost all of the topmost gaming studios and then more. There are 95 games providers like Microgaming, Evolution, BetSoft, NetEnt, Playtech, iSoftBet, Yggdrasil, and Thunderkick, etc.

Sep 08, 2024 10:03 PM
Nick Anderson

I don't see the point of life without casinos. Among the many casino sites, some do not inspire confidence, but among all of them, this one inspires more confidence https://avalon-slots.com/. I spin slots on it myself when the gambling mood appears

Jan 17, 2024 12:00 PM
Bertha Kim
IrishCasinoHEX - Beaumont, AB

I've always liked this game because I really enjoyed the feeling of excitement I get when playing it. Therefore, the online casino on the site IrishCasinoHEX for real money is suitable for everyone, because only here there are such excellent conditions. Don't miss the chance to improve your life. I am pleasantly surprised and very pleased to be able to share useful information with you. So drop everything and go to a site that you will definitely like, which is why I haven’t seen any negative reviews yet. If I take this opportunity, I want to bring you good luck, everything will be fine.

Jan 22, 2024 02:25 AM
Nik Jameson

Interesting article! I really love playing this game. With the emergence of new online casinos, I found some information about new casino advantages here. The technology and game variety sound promising, but I'm curious about the user experience. Have any of you tried these new platforms, and how do they compare to more established sites?

Feb 10, 2024 01:44 PM
Elizabeth Turner
Japan - Byron, CA

Hello. After trying some of the best options from casinologinportugal.net, I can say that the experience was fantastic. The variety of games, the ease of navigation and the generous bonuses made my time at the online casinos very enjoyable. I highly recommend that all players looking for a safe, reliable and exciting gaming option try these excellent Portuguese online casinos.

Apr 30, 2024 03:43 PM
Dan Mar

You need to play only in legal and licensed online casinos, then there will be no problems. There are many opinions of different users on the Internet about the online casino license. I personally believe that this should be treated objectively and impartially, because if there is such an organization that gives permission for the operation of gambling clubs, and, moreover, operates legally, and is also in demand, then it has the right to its activities. It also issues licenses to legal online casinos and gambling houses that operate in accordance with accepted regulations and therefore, in most cases, within the framework of the law. Even if you look at the online casino reviews https://jennycasino.com/casinos/ and game bonuses, you will see that many licensed clubs are published there, they are legal and work well, offering good conditions and sometimes generous bonuses, and in general are in good standing and with positive reviews.

May 07, 2024 08:03 AM
Maria Parker

Nugget Slots Casino review is owned and operated by a company called Th Gambling N.V., which is based out of Curacao. This operator is licensed and regulated by the Government of Curacao under license number #356/JAZ. All payments on this platform are processed by THBet B.V., which has a registered office in Eindhoven, Netherlands.

In this review, we’ll explain why NuggetSlots is gaining momentum as an awesome new online casino and provide expert insights into our thoughts on it.

Sep 05, 2024 06:30 AM