Scattered Spider, a financially motivated threat group, is shifting the focus of its credential-stealing intrusion campaign. After targeting the telco and BPO industries for several months, the group has apparently decided to explore new targets across different industry verticals.
Scattered Spider’s new attack campaign
According to a report that CrowdStrike has not yet made public, Scattered Spider is now targeting technology and video game companies.
The attacker deployed several phishing pages in January, and a large number of these phishing pages mimic Okta’s login portal. A small number of pages were seen impersonating Microsoft.
These attacks are aimed at IT companies involved in the development of games or financial software.
Diving into details
The attackers are using a long list of typosquatted domains to lure their potential victims. Based on this list, analysts suspect these attackers could be linked to several recent attacks.
One of the registered phishing domains carries the name of the video game developer Riot Games in the URL. The video game giant was hacked last month, and the source code of its popular games League of Legends and Packman was stolen, although it is not clear whether the same group was responsible.
Similarly, a fake domain imitating the email marketing company Mailchimp has been observed. Last month, Mailchimp disclosed an intrusion into its network via phishing emails, although it did not reveal any details about the attacker.
Furthermore, there are fake domains impersonating video game makers Roblox and Zynga; IT giants Intuit, Salesforce, Comcast, and Grubhub; and customer service provider TaskUs.
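The lures described above pair a targeted company's name with an imitation of an identity portal such as Okta or Microsoft, which gives defenders a simple pattern to screen newly observed domains for. The following is an added example, not code from the CrowdStrike report; the brand `examplecorp`, the allowlist, the keyword list and the sample domains are constructed placeholders.

```python
import re

# Placeholder inputs (assumptions): substitute your own brand names and domains.
BRANDS = ["examplecorp"]
ALLOWED = {"examplecorp.example"}
# Identity-portal words, reflecting the Okta and Microsoft login lures described above.
PORTAL_WORDS = {"okta", "sso", "login", "microsoft"}


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(domain):
    """Return (verdict, reasons) for one observed domain name."""
    domain = domain.lower().rstrip(".")
    # Only the legitimate domain and its true subdomains are allowed.
    if domain in ALLOWED or any(domain.endswith("." + a) for a in ALLOWED):
        return "allowed", []
    tokens = [t for t in re.split(r"[.\-_]", domain) if t]
    reasons = set()
    for tok in tokens:
        if tok in PORTAL_WORDS:
            reasons.add("portal-keyword")
        for brand in BRANDS:
            if brand in tok:
                reasons.add("brand-embedded")      # brand name reused verbatim
            elif edit_distance(tok, brand) == 1:
                reasons.add("brand-lookalike")     # one-character typo of the brand
    brand_hit = reasons & {"brand-embedded", "brand-lookalike"}
    if brand_hit and "portal-keyword" in reasons:
        return "high", sorted(reasons)
    return ("review" if brand_hit else "clean"), sorted(reasons)


# Constructed sample domains (reserved .example/.test names, not real indicators).
SAMPLES = ["login.examplecorp.example", "examplecorp-okta.example",
           "examp1ecorp-sso.test", "examplecorp.example.evil.test", "weather.example"]

if __name__ == "__main__":
    for d in SAMPLES:
        print(d, *triage(d))
```

Feeding it newly registered domains or DNS and proxy logs gives a short review queue; a "high" verdict means a brand match and a portal keyword appear in the same name.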
Attacks on telco and BPO
In June 2022, CrowdStrike researchers observed a rise in the targeting of telco and BPO industries by the threat group.
By the end of 2022, the attackers had reportedly targeted over 130 organizations, stealing the credentials of more than 10,000 employees.
Based on an assessment of the available artifacts, security researchers were able to link these attacks to Scattered Spider, aka Roasted 0ktapus.
The bottom line
The Scattered Spider group has continued to use the same attack tactics, a combination of phishing emails and typosquatted domains, to target new industry verticals. Moreover, this shift has been observed within a few months, and experts suspect that the attacker may shift its focus again in the coming months. Organizations are therefore advised to minimize the risks associated with such threats by implementing anti-phishing and antivirus solutions.