Over 500 Scattered Spider Phishing Domains Poised to Target Multiple Industries

A recent discovery by Check Point researchers has identified over 500 suspected Scattered Spider phishing domains, indicating the group's preparations for a broader range of industry targets. The finding suggests that Scattered Spider is expanding its reach beyond technology, retail, and aviation sectors, which have already been targeted in recent months.

The domains in question appear to follow Scattered Spider's known naming conventions, suggesting that the group is developing phishing infrastructure that is either in use or being prepared for future attacks. While not all of these domains are confirmed to be actively malicious, their alignment with known tactics, techniques, and procedures (TTPs) strongly suggests targeting intent.

The group's cross-sector targeting reflects an opportunistic approach: it pursues whatever high-value targets are exposed rather than specializing in one vertical. This adaptability makes it harder for organizations to anticipate and defend against Scattered Spider's attacks.

Advanced Social Engineering and Post-Compromise Tactics

Scattered Spider employs advanced social engineering techniques, such as targeted phishing and phone impersonation, to capture credentials of third-party IT providers. This initial access is designed to enable longer-term access to target organizations, utilizing typosquatted domains and phishing frameworks to bypass multifactor authentication (MFA).
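The article says the suspected domains follow the group's known naming conventions and that typosquatted domains are used to capture credentials, but it does not list those conventions. The following is an added defender-side example, not code from the article or from Check Point, showing how a brand-protection team can triage a feed of newly observed domains for lookalikes of its own names: it combines an edit-distance check (catching transpositions such as `exampelcorp`) with a check for help-desk and SSO themed words attached to the brand. The brand names, the theme-keyword list and the sample domain feed are all constructed assumptions; a real deployment would substitute the organization's own names and verify each hit (DNS resolution, certificate transparency, hosting) before treating it as malicious, since, as the article notes, alignment with a pattern is not confirmation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed: the names this organization wants to protect (assumption, not from the article).
MONITORED_BRANDS = ["examplecorp", "exampleair"]

# Constructed: words commonly combined with a brand in credential-phishing lookalikes.
# The article does not publish Scattered Spider's naming conventions; this list is an assumption.
THEME_KEYWORDS = {"sso", "okta", "vpn", "helpdesk", "servicedesk", "hr", "mfa", "login", "portal"}

# Constructed sample feed, e.g. from a newly-registered-domain source.
SAMPLE_DOMAINS = [
    "examplecorp.com",          # the legitimate domain itself
    "exampelcorp.com",          # transposition typosquat
    "examplecorp-sso.com",      # brand + SSO theme
    "examplecorpsso.net",       # brand + theme, no separator
    "exampelcorp-okta.com",     # typosquat + theme
    "hr-examplecorp.com",       # theme + brand
    "weather-report.org",       # unrelated
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), so a transposition costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'examplecorp-sso' from 'examplecorp-sso.com'.
    Simplification: assumes a single-label public suffix (no .co.uk handling)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


@dataclass
class Finding:
    domain: str
    brand: str
    reasons: List[str]


def score_domain(domain: str) -> Optional[Finding]:
    """Return a Finding if the domain looks like a lookalike of a monitored brand, else None."""
    label = registrable_label(domain)
    tokens = [t for t in re.split(r"[-_]", label) if t]
    for brand in MONITORED_BRANDS:
        reasons = []
        # examplecorp-sso.com / hr-examplecorp.com: exact brand token plus a theme token
        if brand in tokens and any(t in THEME_KEYWORDS for t in tokens):
            reasons.append("brand+theme")
        # examplecorpsso.net: brand glued to a theme word with no separator
        if brand in label and label.replace(brand, "") in THEME_KEYWORDS:
            reasons.append("brand+theme")
        # exampelcorp.com: whole label within two edits of the brand (the brand itself is skipped)
        if label != brand and levenshtein(label, brand) <= 2:
            reasons.append("typosquat")
        # exampelcorp-okta.com: a token near the brand, combined with other tokens
        if len(tokens) > 1:
            for t in tokens:
                if t != brand and t not in THEME_KEYWORDS and levenshtein(t, brand) <= 2:
                    reasons.append("typosquat+theme")
        if reasons:
            return Finding(domain, brand, sorted(set(reasons)))
    return None


def triage(domains: List[str]) -> List[Finding]:
    """Run the scorer over a feed and keep only the hits, for analyst review."""
    return [f for f in (score_domain(d) for d in domains) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_DOMAINS):
        print(f"{finding.domain:24} brand={finding.brand:12} reasons={','.join(finding.reasons)}")
```

The output is a review queue, not a block list: the edit-distance threshold of 2 is deliberately loose and will produce false positives on short brand names, so tune it per brand and pair it with the verification steps mentioned above before any enforcement action.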

The group uses a range of remote access tools post-compromise to maintain long-term access. These include legitimate tools like TeamViewer, ScreenConnect, and Splashtop, as well as malicious ones such as the credential dumping tool Mimikatz. Common infostealer malware like Raccoon Stealer and Vidar Stealer are also used to exfiltrate data from victims.

Furthermore, Scattered Spider leverages ransomware-as-a-service (RaaS) infrastructure provided by groups like DragonForce to launch ransomware attacks on targets. Because the toolset mixes legitimate remote access software with purpose-built malware, it is difficult for organizations to distinguish legitimate tool usage from malicious activity.
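The difficulty the article raises, separating legitimate use of TeamViewer, ScreenConnect or Splashtop from an intruder's use of the same tools, is usually handled by policy rather than by signatures: decide which remote access product is sanctioned on which hosts and alert on everything else, with extra weight when the binary runs from a user-writable directory. This added example, not code from the article or from Check Point, applies that logic to a handful of constructed process-creation events. The event field names, the host names, the approval table and the tool keywords are all assumptions; the keywords are the product names the article mentions, and a production rule should also key on code-signing and product-name metadata, because a file name is trivially renamed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Product keywords taken from the article, matched case-insensitively against the image path.
RMM_TOOLS = {"teamviewer": "TeamViewer", "screenconnect": "ScreenConnect", "splashtop": "Splashtop"}
CREDENTIAL_DUMPERS = {"mimikatz": "Mimikatz"}

# Constructed allowlist (assumption): which RMM product is sanctioned on which hosts.
APPROVED_RMM: Dict[str, set] = {"ScreenConnect": {"HELPDESK-03", "HELPDESK-04"}}

# Directories an ordinary user can write to; execution from here raises severity.
USER_WRITABLE = re.compile(r"\\(temp|downloads|appdata|public)\\", re.IGNORECASE)

# Constructed process-creation events in a Sysmon-like shape (field names are ours, not a vendor schema).
SAMPLE_EVENTS: List[dict] = [
    {"ts": "2024-01-01T09:00:00Z", "host": "WS-0412", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\TeamViewer.exe"},
    {"ts": "2024-01-01T09:01:00Z", "host": "HELPDESK-03", "user": "CORP\\svc-rmm",
     "image": r"C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"ts": "2024-01-01T09:02:00Z", "host": "FS-01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\Temp\mimikatz.exe"},
    {"ts": "2024-01-01T09:03:00Z", "host": "WS-0211", "user": "CORP\\asmith",
     "image": r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Client\SRClient.exe"},
    {"ts": "2024-01-01T09:04:00Z", "host": "WS-0099", "user": "CORP\\bjones",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": "2024-01-01T09:05:00Z", "host": "WS-0412", "user": "CORP\\jdoe",
     "image": r"C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe"},
]


def classify_image(image: str) -> Optional[Tuple[str, str]]:
    """Map an image path to (kind, product) or None when it matches nothing we track."""
    low = image.lower()
    for key, name in CREDENTIAL_DUMPERS.items():
        if key in low:
            return ("credential_dumper", name)
    for key, name in RMM_TOOLS.items():
        if key in low:
            return ("rmm", name)
    return None


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert dict for a single event, or None if the event is benign under policy."""
    hit = classify_image(event["image"])
    if hit is None:
        return None
    kind, tool = hit
    base = {"ts": event["ts"], "host": event["host"], "user": event["user"], "tool": tool}
    if kind == "credential_dumper":
        return {**base, "severity": "high", "reason": "credential dumping tool executed"}
    if event["host"] in APPROVED_RMM.get(tool, set()):
        return None  # sanctioned product on a sanctioned host: no alert
    from_user_dir = bool(USER_WRITABLE.search(event["image"]))
    return {
        **base,
        "severity": "high" if from_user_dir else "medium",
        "reason": "unapproved remote access tool"
                  + (" launched from user-writable path" if from_user_dir else ""),
    }


def detect(events: List[dict]) -> List[dict]:
    """Run the policy over a batch of events and return the alerts in input order."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']:6}] {alert['host']:12} {alert['tool']:13} {alert['reason']}")
```

Keeping the approval table as data rather than hard-coding exceptions means the same rule can be reviewed by the people who own the help-desk tooling, and any new RMM product appearing outside the table becomes an alert by default rather than a silent gap.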

Scattered Spider Linked to Retail and Airline Attacks

In recent months, Scattered Spider was linked to a series of high-profile ransomware attacks on retailers, including Marks & Spencer (M&S), The Co-op, and Harrods. These attacks resulted in significant financial costs and operational disruption.

In June, the FBI warned that Scattered Spider is actively targeting airlines with ransomware and data extortion attacks. Major airlines such as WestJet Airlines and Hawaiian Airlines in the US, and Australia-based Qantas, have reported recent cyber incidents, including a breach of customer data at Qantas that has so far been linked only to an unidentified perpetrator.

Defending Against Scattered Spider Tactics

To defend against Scattered Spider attacks, organizations should consider the following recommendations:

  1. Implement robust security measures, including multifactor authentication and regular software updates.
  2. Conduct thorough threat assessments to identify potential vulnerabilities in your organization's systems.
  3. Leverage advanced threat protection solutions, such as those offered by Check Point.
  4. Foster a culture of cybersecurity awareness within your organization to prevent social engineering attacks.

By understanding Scattered Spider's tactics and taking proactive measures to defend against its attacks, organizations can minimize the risk of successful phishing attempts and protect their sensitive data.