Article Details

Scrape Timestamp (UTC): 2025-06-03 11:01:31.636

Source: https://thehackernews.com/2025/06/scattered-spider-understanding-help.html

Original Article Text


Scattered Spider: Understanding Help Desk Scams and How to Defend Your Organization

In the wake of high-profile attacks on UK retailers Marks & Spencer and Co-op, Scattered Spider has been all over the media, with coverage spilling over into the mainstream news due to the severity of the disruption caused — currently looking like hundreds of millions in lost profits for M&S alone. This coverage is extremely valuable for the cybersecurity community as it raises awareness of the battles that security teams are fighting every day. But it's also created a lot of noise that can make it tricky to understand the big picture.

The headline story from the recent campaign against UK retailers is the use of help desk scams. This typically involves the attacker calling up a company's help desk with some level of information — at minimum, PII that allows them to impersonate their victim, and sometimes a password. They lean heavily on their native English-speaking abilities to trick the help desk operator into giving them access to a user account.

Help Desk Scams 101

The goal of a help desk scam is to get the help desk operator to reset the credentials and/or MFA used to access an account so the attacker can take control of it. They'll use a variety of backstories and tactics to get that done, but most of the time it's as simple as saying "I've got a new phone, can you remove my existing MFA and allow me to enroll a new one?"

From there, the attacker is sent an MFA reset link via email or SMS. Usually, this would be sent to, for example, a number on file — but at this point, the attacker has already established trust and bypassed the help desk process to a degree. So asking "Can you send it to this email address?" or "I've actually got a new number too, can you send it to…" gets this sent directly to the attacker.
At this point, it's simply a case of using the self-service password reset functionality for Okta or Entra (whose MFA check the attacker can now pass, since they control the newly enrolled factor), and voila, the attacker has taken control of the account.

And the best part? Most help desks have the same process for every account — it doesn't matter who you're impersonating or which account you're trying to reset. So, attackers are specifically targeting accounts likely to have top-tier admin privileges — meaning once they get in, progressing the attack is trivial, and much of the typical privilege escalation and lateral movement is removed from the attack path.

So, help desk scams have proved to be a reliable way of bypassing MFA and achieving account takeover — the foothold from which to launch the rest of an attack, such as stealing data, deploying ransomware, etc.

Don't be fooled — this isn't a new development

But something that's not quite coming across in the reporting is that Scattered Spider has been doing this successfully since 2022, with the M&S and Co-op attacks merely the tip of the iceberg. Vishing (calling a user to get them to give up their MFA code) has been a part of their toolkit since the beginning, with the early attacks on Twilio, LastPass, Riot Games, and Coinbase involving some form of voice-based social engineering. Notably, the high-profile attacks on Caesars, MGM Resorts, and Transport for London all involved calling a help desk to reset credentials as the initial access vector.

So not only have Scattered Spider (and other threat groups) been using these techniques for some time, but the severity and impact of these attacks have been ramping up.

Avoiding help desk gotchas

There's lots of advice for securing help desks being circulated, but much of the advice still results in a process that is either phishable or difficult to implement.
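The reset-then-SSPR sequence described above leaves a trace in identity logs that a detection can key on. As an added example (not code from the article or from Push Security), the following Python flags any account whose help desk MFA reset is followed by a new factor enrolment and a self-service password reset inside a short window; the event names, the two-hour window, the privileged-account list and the sample records are assumptions constructed for the example.

```python
"""Detection logic for the chain above: a help desk MFA reset, then enrolment of a
new factor, then a self-service password reset (SSPR), all on one account inside a
short window. Event names, fields and sample records are constructed; they are not
Okta or Entra log formats."""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)          # assumption: tune to your help desk's normal reset-to-enrol time
PRIVILEGED = {"admin@example.com"}   # constructed: accounts with top-tier privileges

# Constructed sample: one attacker-style chain (link sent to a caller-supplied contact,
# SSPR seven minutes later) and one benign reset that is completed the next day.
SAMPLE = [
    "2025-06-02T09:00:00|admin@example.com|helpdesk.mfa_reset|delivery=caller_supplied",
    "2025-06-02T09:04:00|admin@example.com|mfa.factor_enrolled|type=sms",
    "2025-06-02T09:07:00|admin@example.com|sspr.password_changed|ip=198.51.100.7",
    "2025-06-02T10:00:00|jane@example.com|helpdesk.mfa_reset|delivery=on_file",
    "2025-06-03T14:30:00|jane@example.com|mfa.factor_enrolled|type=authenticator",
    "2025-06-03T14:35:00|jane@example.com|sspr.password_changed|ip=203.0.113.9",
]

def parse(line):
    ts, user, event, detail = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event, "detail": detail}

def find_reset_chains(lines, window=WINDOW, privileged=PRIVILEGED):
    """Return one finding per help desk reset that is followed by a new factor
    and an SSPR on the same account within `window`."""
    per_user = {}
    for ev in map(parse, lines):
        per_user.setdefault(ev["user"], []).append(ev)
    findings = []
    for user, events in per_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, reset in enumerate(events):
            if reset["event"] != "helpdesk.mfa_reset":
                continue
            later = [e for e in events[i + 1:] if e["ts"] - reset["ts"] <= window]
            enrolled = any(e["event"] == "mfa.factor_enrolled" for e in later)
            sspr = next((e for e in later if e["event"] == "sspr.password_changed"), None)
            if not (enrolled and sspr):
                continue
            delivery_changed = "delivery=caller_supplied" in reset["detail"]
            findings.append({
                "user": user,
                "privileged": user in privileged,
                "delivery_changed": delivery_changed,
                "minutes_to_sspr": (sspr["ts"] - reset["ts"]).total_seconds() / 60,
                # Either condition alone is the gotcha the article warns about.
                "severity": "high" if (user in privileged or delivery_changed) else "medium",
            })
    return findings
```

Running `find_reset_chains(SAMPLE)` flags only the admin account; Jane's next-day enrolment falls outside the window and is treated as a normal reset.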
Ultimately, organizations need to be prepared to introduce friction to their help desk process and either delay or deny requests in situations where there's significant risk. So, for example, having a process for MFA reset that recognizes the risk associated with resetting a high-privileged account:

And watch out for these gotchas:

But, help desks are a target for a reason. They're "helpful" by nature. This is usually reflected in how they're operated and performance measured — delays won't help you to hit those SLAs! Ultimately, a process only works if employees are willing to adhere to it — and can't be socially engineered to break it. Help desks that are removed from day-to-day operations (especially when outsourced or offshored) are also inherently susceptible to attacks where employees are impersonated.

But, the attacks we're experiencing at the moment should give security stakeholders plenty of ammunition as to why help desk reforms are vital to securing the business (and what can happen if you don't make changes).

Comparing help desk scams with other approaches

Taking a step back, it's worth thinking about how help desk scams fit into the wider toolkit of tactics, techniques and procedures (TTPs) used by threat actors like Scattered Spider. Scattered Spider has heavily relied on identity-based TTPs since they first emerged in 2022, following a repeatable path of bypassing MFA, achieving account takeover on privileged accounts, stealing data from cloud services, and deploying ransomware (principally to VMware environments). So, help desk scams are an important part of their toolkit, but it's not the whole picture.
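One way to encode the friction this section asks for is a decision step the help desk runs before any reset link is released: deny delivery to a contact that isn't already on file, and delay a privileged reset until out-of-band checks are recorded and a hold period has passed. The Python below is an added example, not the article's or Push Security's process; the verification step names, the four-hour hold and the sample requests are assumptions.

```python
"""Policy check for a help desk MFA/credential reset request: never send the reset
to a caller-supplied contact, and delay privileged resets until out-of-band checks
are recorded. Step names, hold period and sample requests are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Evidence the operator must record before a reset link is released.
BASE_STEPS = frozenset({"pii_confirmed", "callback_to_number_on_file"})
ADMIN_STEPS = BASE_STEPS | {"manager_approval", "live_video_id_check"}
ADMIN_HOLD = timedelta(hours=4)   # assumption: cooling-off period for privileged resets

@dataclass(frozen=True)
class ResetRequest:
    account: str
    privileged: bool
    requested_at: datetime
    delivery_target: str               # where the caller asked the reset link to go
    contacts_on_file: frozenset        # email/phone already on record for the account
    evidence: frozenset = frozenset()  # verification steps the operator has completed

def decide(req, now):
    """Return (decision, detail) where decision is 'allow', 'delay' or 'deny'."""
    # "Send it to my new email/number" routes the link straight to the attacker.
    if req.delivery_target not in req.contacts_on_file:
        return "deny", "reset link may only be sent to a contact already on file"
    required = ADMIN_STEPS if req.privileged else BASE_STEPS
    missing = sorted(required - req.evidence)
    if missing:
        return "delay", "outstanding verification: " + ", ".join(missing)
    release_at = req.requested_at + ADMIN_HOLD
    if req.privileged and now < release_at:
        return "delay", "privileged reset held until " + release_at.isoformat()
    return "allow", "checks satisfied; send reset to " + req.delivery_target

def sample_decisions():
    """Constructed requests against one admin account and one standard account."""
    t0 = datetime(2025, 6, 2, 9, 0)
    admin_contacts = frozenset({"+44 7700 900123", "a.admin@example.com"})
    new_number = ResetRequest("a.admin@example.com", True, t0, "+44 7700 900999", admin_contacts, ADMIN_STEPS)
    no_approval = ResetRequest("a.admin@example.com", True, t0, "+44 7700 900123", admin_contacts, BASE_STEPS)
    full = ResetRequest("a.admin@example.com", True, t0, "+44 7700 900123", admin_contacts, ADMIN_STEPS)
    standard = ResetRequest("jane@example.com", False, t0, "jane@example.com", frozenset({"jane@example.com"}), BASE_STEPS)
    return {
        "caller_supplied_number": decide(new_number, t0)[0],
        "admin_missing_steps": decide(no_approval, t0)[0],
        "admin_inside_hold": decide(full, t0 + timedelta(hours=1))[0],
        "admin_after_hold": decide(full, t0 + ADMIN_HOLD)[0],
        "standard_verified": decide(standard, t0)[0],
    }
```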
Methods like adversary-in-the-middle (AiTM) phishing in particular have spiked in popularity this year as a reliable and scalable way of bypassing MFA and achieving account takeover, with attackers using these toolkits as the de facto standard, getting creative in their detection evasion methods and in some cases evading standard delivery vectors like email altogether to ensure the success of their phishing campaigns. Learn more about how modern phishing kits are evading detection controls in this on-demand webinar from Push Security.

Scattered Spider are consciously evading established security controls

So, there's more to Scattered Spider's toolkit than just help desk scams. In fact, their approach can be broadly classified as consciously evading established controls at the endpoint and network layer by targeting identities. From the point of account takeover, they also follow repeatable patterns:

The key theme? Getting around your established security controls.

Conclusion

You can think of Scattered Spider as a kind of "post-MFA" threat actor that does everything they can to evade established security controls. By targeting identities and account takeovers, they bypass endpoint and network surfaces as much as possible, until the very end of the attack chain — by which point it's almost too late to be relying on those controls. So, don't over-index on help desk scams — you need to consider your broader identity attack surface and various intrusion methods, from apps and accounts with MFA gaps, local accounts giving attackers a backdoor into accounts otherwise accessed with SSO, and MFA-bypassing AiTM phishing kits that are the new normal for phishing attacks.

Defend your organization from Scattered Spider TTPs (not just help desk scams)

To learn more about Scattered Spider's identity-first toolkit, which is increasingly being adopted as standard by threat groups, check out the latest webinar from Push Security — now available on-demand!
Learn how Push Security stops identity attacks

Push Security provides comprehensive identity attack detection and response capabilities against techniques like AiTM phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix identity vulnerabilities across every app that your employees use, like: ghost logins; SSO coverage gaps; MFA gaps; weak, breached and reused passwords; risky OAuth integrations; and more. If you want to learn more about how Push helps you detect and defeat common identity attack techniques, book some time with one of our team for a live demo.

Daily Brief Summary

CYBERCRIME // Help Desk Scams: A Growing Cyber Threat to Organizations

The article discusses the increasing prevalence and impact of help desk scams, focusing on significant losses faced by UK retailers such as Marks & Spencer and Co-op as a result of these attacks.

Help desk scams involve attackers impersonating users to gain access to their accounts by convincing help desk personnel to reset credentials, including Multi-Factor Authentication (MFA).

The attackers use a variety of social engineering tactics, often leveraging native English-speaking skills to build trust and manipulate the help desk process.

These scams have proven effective for bypassing security measures like MFA and gaining control of high-value accounts with admin privileges, setting the stage for further malicious activities like data theft and ransomware deployment.

Organizations are advised to introduce friction into their help desk processes, recognizing and mitigating risks, especially when dealing with high-privileged accounts.

Despite the focus on help desk scams, the article emphasizes considering broader security strategies as these scams are part of a wider toolkit employed by threat actors like Scattered Spider, which includes identity-based tactics and advanced phishing methods.

The article underscores the need for organizations to reinforce their help desks against such vulnerabilities, improving security protocols and employee training to prevent social engineering attacks.