An ex-NSA bad-guy hunter listened to a fake help-desk call made by Scattered Spider: ‘Those guys were good’

INTERVIEW The call came in to the help desk of a large US retailer. A company employee was locked out of his corporate account.

The caller was not a company employee. Jon DiMaggio, a former NSA analyst who now works at Analyst1 as chief security strategist, says that the criminal was a Scattered Spider member trying to hack into the retailer’s system.

Scattered Spider is a cyber-gang that has been linked to SIM swapping and fake IT calls, as well as to ransomware groups like ALPHV. They have breached major names like MGM and Caesars, and they keep evolving despite arrests. Mandiant tracks them as UNC3944 (also known as Octo Tempest).

DiMaggio listened to this call. It was one of the gang's recent attempts to infiltrate American retailers after hitting multiple UK-based stores. He will not name the company, saying only that it is a “big US retail organization.” The attempt did not result in successful ransomware or stolen data, DiMaggio told The Register.

“But I got to listen to the phone calls, and those guys are good,” DiMaggio said. Scattered Spider provided the help desk with the employee’s email address and ID. DiMaggio said he believed the caller socially engineered the employee in order to obtain the data, “but that is an assumption.”

“The caller had all of their information: employee ID numbers, when they started working there, where they worked and resided,” DiMaggio added. “They were calling from a number that was in the right demographic, they were well-spoken in English, they looked and felt real. They knew a lot about the company, so it’s very difficult to flag these things. When these guys do it, they’re good at what they do.”

The target company had a large security budget and employed several former law enforcement and government infosec officials as well as criminal-behavior specialists on its team. Not every organization has the staffing or resources necessary to defend against these types of attacks, where would-be attackers try to break in through every possible access point.

They’re resourceful, smart, and fast

“They are resourceful, they’re smart, they’re fast,” Mandiant CTO Charles Carmakal told The Register. He added.

Co-op pulled its own plug

This appears to have been the case with British retailer Co-op, which pulled its systems offline before Scattered Spider could encrypt

“Following the malicious third-party cyber-attack, we took early and decisive action to restrict access to our systems in order to protect our Co-op,” a spokesperson told The Register. “We are now in the recovery phase and are taking steps to bring our systems gradually back online in a safe and controlled manner.”

The outfit announced that customers would see “improved stock availability in our food stores and online” starting this weekend. It also said it was “working closely” with suppliers to restock its brick-and-mortar stores. We’re told that all payment forms and systems have been set up across the company. ®
