Business owners, if you think your IT systems are completely locked down and beyond the reach of cybercriminals, we invite you to think again: some of the biggest casinos in the world were hacked recently, in a social engineering attack that bypassed what were, presumably, incredibly stringent cybersecurity measures.
After all, there’s a lot of money at stake at casinos, so we imagine their IT systems would be locked down tighter than the employee break room at an Amazon warehouse.
Not so much, apparently.
Hacked by Social Engineering
On or about the 10th of September, hackers managed to breach the security at several MGM Resorts casinos, including the Bellagio, Aria, and Mandalay Bay, using social engineering. By gathering information on one of the higher-ups in the business from publicly accessible online sources and accurately impersonating them to the Help Desk to get a password reset, the hackers gained access to MGM Resorts’ systems. Once in, they encrypted a large amount of important data and demand money to unlock it.
As part of their response, MGM shut down many of its IT systems, resulting in outages of systems that control bookings, slot machines, credit card processing, room key cards, and more. As you might imagine, this caused chaos, not to mention massive financial losses, as MGM resorted to manual systems to prevent the total shutdown of their operations.
A hacker group calling itself Scattered Spiders claimed responsibility for the hack. Thought to be a group comprised of young US and European hackers by analysts with a firm command of the English language, it’s believed that their English fluency contributed to the believability of their impersonation of the employee whose profile they used in the attack.
Hacker groups from countries where English is not the main language tend to raise suspicion when attempting similar attacks; someone sounding like Ivan from Vladikavkaz but claiming to be Matthew from Accounting is far less believable than a fluent English speaker claiming to be a known upper manager.
As of September 20, MGM Resorts has indicated that their operations have mostly returned to normal, with only a few residual system issues remaining. That means the attack and its effects lasted for a full 10 days which, in the business world, is an eternity. With daily turnover of millions of dollars under normal circumstances, a ten-day shutdown is an unmitigated disaster for the organisation.
There’s a lesson here for all of us: reviewing and updating authentication procedures regularly is of paramount importance for every business that relies on its IT systems for day-to-day operations. That means using two or more authentication factors to secure access to important systems.
For example, you could look into the following:
- Implementing Authenticator Apps
- Using physical key fobs that generate random numbers to confirm identity
- Biometric authentication (fingerprint/iris scanners)
- Activating Windows Hello on laptops that support it
Additional training for helpdesk staff can also help to secure against future social engineering attacks. You could also hire a security consultant to do “penetration testing”, which can help you learn where your security is weakest and what you can do to change that.
At the end of the day, nobody wants their operations to be disrupted by a cyberattack that takes them offline for days on end.
So we encourage you to learn from this incident and do whatever you can to beef up your IT security. Educate your staff, talk to your IT provider about it, but perhaps most importantly, make sure you have a backup plan in case something does happen. Rather plan for the worst-case scenario than be caught unprepared.
Because if an organisation with so much to lose can fall victim to an attack, so can you.