Social engineering strikes Vegas. What can we learn? 

December 7, 2023

One cybersecurity philosophy can be succinctly summarized in a sentence, as follows: replacing bricks in a wall doesn’t stop the foundation from crumbling. Filling gaps in your security posture doesn’t stop the whole thing from collapsing without a solid foundation. Bad actors use an incredibly wide variety of methods to attack your organization – no matter how strong your passwords or how robust your firewalls, there is always a back door, a new method, or another opportunity to breach your perimeter. Hackers know this, but businesses often don’t.

A holistic and regimented approach that takes into account all factors and all possibilities is the only way to ensure that your business is protected. Customers tend to jump from one point solution to the next, driven by what they perceive as gaps in their security posture and looking to fill those. It’s important that we, as experts, caution against that in favor of a holistic approach, especially when we consider the uptick in the number and sophistication of attacks across the globe today. Let’s examine one such attack and how it brought down two of the country’s most successful casinos.  

Social engineering: What happens in Vegas…

There’s one specific method that even businesses that think they are taking a holistic approach often leave out of the equation – and unfortunately, it’s by far a very common and successful vector of attack.

Social engineering is the practice of using human psychology and behavioral patterns to deceive people into giving up private information or taking actions that lead to an attack. You’ve heard the term “conman.” You may not realize that the derivation of the “con” part of the word is “confidence.” The techniques they employ work because of a human cognitive bias called truth default theory. We, as humans, are generally wired to be trusting of people rather than skeptical. This leaves us open to manipulation.

An example in the context of cybersecurity is phishing, an attack method that utilizes false pretenses to gain information from unsuspecting folks through emails, text messages, and even live interactions.  

In the past quarter, a pair of Las Vegas’s largest casinos (as well as three additional companies outside of the casino industry) were crippled by cyberattacks. MGM Resorts took losses to the tune of $100 million USD as a result, and shortly thereafter, Caesars Entertainment fell victim, too. The attack forced an incredibly costly shutdown for MGM, with hotel keys and slot machines malfunctioning among other technology issues, and both companies saw at least some customer data – including driver’s license numbers, birthdays, and in Caesars’ case, social security numbers – stolen or exposed in the attack. MGM claimed that the threat actors managed to steal the personal information of customers who transacted with MGM before March 2019, with details and extent varying by customer, and Caesars “noted that the stolen personal data included names and driver’s license numbers and/or identification card numbers.” Their filing indicates that financial information and payment details were not accessed.

While Caesars rushed to pay the $15 million ransom to the hacker group ALPHV, MGM refused to pay out, and reverted to additional human labor and analog solutions to keep their doors open.

One would assume these casinos, two of the world’s richest, would have a significant budget for a defensive cybersecurity posture that would make it incredibly difficult for bad actors to gain control of their network. And they may. The weakness that let a ransomware group walk through the door of the corporate IT network of these two casinos wasn’t a technical one; it was a human one: social engineering.

The scammers utilize “SMS text phishing and phone calls to help desks to attempt to obtain password resets or multifactor bypass codes,” says AP, referencing a Mandiant post that explains the series of threats perpetrated by hacker group UNC3944. Unfortunately, it’s relatively simple to convince a human employee to participate in these scams, especially when, as this group does, the attacker utilizes legitimate and recognizable software in their attempts. They will request 2FA authentication or password resets from employees, who – unknowingly, of course – provide them, thinking the request is legitimate, or will request specific information from helpdesk personnel that allows them to steal credentials.  

As I mentioned, social engineering is largely underestimated and overlooked by even the most mindful and thorough organizations. That’s perhaps why it is the most successful attack method, a catalyst for 16% of companywide data breaches that carries, on average, a $4.91 million price tag. In fact, more than 90% of all attacks begin with phishing.   

It’s time to take a truly holistic approach by mitigating the inherently human risks that are posed by social engineering. Below, you’ll find my expert recommendations for mitigating your risk against the bad guys, putting a stop to social engineering techniques used against your employees.  

1. Education

Most companies don’t know the half of phishing – how can we expect employees to? While many of us think we can scope out a faux email or text message scam, other psychological factors come into play when we’re speaking to someone over the phone. Phone conversations are inherently more vulnerable and personal, and therefore inspire greater trust – and, with the necessity of timely responses, those on the receiving end of a scam are given much less time to think and examine a situation, such as checking credentials or thinking critically about the information being requested.

It’s crucial to train employees to question communications, even those that appear official, and to proceed calmly through steps like:

  • Verify the caller: request additional confirmation to ensure that the given name can be verified, or that the call matches the phone number on record 
  • Ask questions: request further details about why information is needed, and then double check with involved parties about the emerging situation 
  • Be skeptical: offers, sales, and contest winnings that sound too good to be true often are. Think twice before believing any communications about these things  
  • Follow protocol: follow the guidelines set by IT and leadership to handle phone calls and requests  

In addition to these best practices, it’s important that administrators and leaders themselves are up-to-date on the newest threats and scams making the rounds, and pass this education on to staff. Each day, phishing scams grow more sophisticated, and a revolving door of updated knowledge is necessary to stay ahead of the game, especially with the emergence of helpdesk, 2FA, and password scams with real, live people on the other end.

2. Systematize and Create a Cadence

Systematizing your security creates a regimen – if every X number of months a password change prompt is sent, and it is enforced by IT, that means passwords get changed when they’re supposed to be. These and other cybersecurity hygiene practices need to be set at a regular cadence to establish a culture of ongoing vigilance and maintenance.  

Regular parts of your cybersecurity process should include:  

  • Password changes  
  • Mandatory training 
  • Education and updates on evolving threats and tactics 
  • Penetration testing
  • Vulnerability assessments  
  • Patch management and software updates  

When it comes to cybersecurity, you can’t set it and forget it. Establishing policies is useless without enforcing them, and maintaining the practices you’ve put in motion keeps the foundation of your cybersecurity programs and practices intact. Doing regular surprise drills, whether in house or using a third party, is a great way to test your policies and enforce governance.  

3. Put the Philosophy in Place

There are several philosophies that organizations may subscribe to in order to stay safe. One of the most common is “trust but verify,” the name of which is coined from a Russian proverb about healthy skepticism. It operates as you’d expect: a previously logged-in or verified user is NOT automatically granted access to systems and programs. It seems rational to assume that, once a password is entered from a certain IP, that IP can be registered with access to the network and programs. But in fact, this approach may be obsolete in the age of password theft and phishing. After all, it only takes one leak to sink the boat – and as in the case of the recent casino hits, attacks of large scale don’t happen in just one day. Small infiltrations can fly under the radar, empowering hackers to take what they need to pull off a big breach. In the aforementioned case, hackers systematically targeted “small” breaches through phone and text interactions, allowing them to take a larger share of credentials, which ultimately led to the extreme conditions seen in both casinos and other retailers. This is why users that have access to one system, or can provide some authentication, should not be automatically granted access. Trust the source, but verify their identity.

A better framework for mitigating social engineering attacks exists: Zero Trust. The Zero Trust methodology works off of a continuous verification process that ensures that one successful login doesn’t lead to all successful logins. Often, bad actors breach one area of the business and use that access to breach other areas, for example, getting in through a sales program and using that entry point to then breach the account management program. Threat containment is crucial to lessening the impact of a potential breach. At a time when cyberattacks are so vicious, so sophisticated, and so prevalent, it’s critical to adopt a model like Zero Trust. It operates systematically against this method of breaching, and so should your company: by making no assumptions except that a user is unauthorized until proven otherwise.

What to do next

You’ve heard it by now and I’ll say it again: when it comes to cybersecurity attacks, it’s not a matter of if, but when an incident occurs. Modern cybersecurity is sprawling and complex, with an immense number of moving parts. Failures occur at many turns: a failure to maintain posture, a failure to recognize threats, a failure of imagination. Worst of all is a failure to prepare.

Organizations need to play this out through incident response planning, tabletop exercises, any method for casting a net around the future. Ask yourself and your team the following questions: 

  • Where might a breach be most likely to occur? 
  • In which tangible ways could it affect us – which systems are vulnerable, which might go down, which might need to be shut down, what information or asset is at stake?
  • What are our first steps and who are our first calls?  
  • Would we or would we not pay a ransom? 
  • What tools and systems do we have (or need) to get things up and running? 
  • Whose responsibility lies where?  

Do you know the answers to these questions? Better yet, have you ever been asked, or asked yourself, these questions? Now is the time to start. Proactivity is a salve on a painful situation, helping you minimize the risk of worse outcomes.  

In this industry and in the world at large, education is power. There are communities of people like myself and my colleagues who are dialed into cybersecurity and who are sharing information and offering their knowledge and services to keep you safe in a way that may be unattainable with limited resources, manpower, and experience.

Against the complexities of cybersecurity and the mounting threats against your organization, UPSTACK offers precision and the robust, holistic protection you need today. 
