Cyber Defense Advisors

Scattered Spider: Understanding Help Desk Scams and How to Defend Your Organization

In the wake of high-profile attacks on UK retailers Marks & Spencer and Co-op, Scattered Spider has been all over the media, with coverage spilling over into the mainstream news due to the severity of the disruption caused — currently looking like hundreds of millions in lost profits for M&S alone.

This coverage is extremely valuable for the cybersecurity community as it raises awareness of the battles that security teams are fighting every day. But it’s also created a lot of noise that can make it tricky to understand the big picture.

The headline story from the recent campaign against UK retailers is the use of help desk scams. This typically involves the attacker calling up a company’s help desk with some level of information — at minimum, PII that allows them to impersonate their victim, and sometimes a password, leaning heavily on their native English-speaking abilities to trick the help desk operator into giving them access to a user account.

Help Desk Scams 101

The goal of a help desk scam is to get the help desk operator to reset the credentials and/or MFA used to access an account so the attacker can take control of it. They’ll use a variety of backstories and tactics to get that done, but most of the time it’s as simple as saying “I’ve got a new phone, can you remove my existing MFA and allow me to enroll a new one?”

From there, the attacker is sent an MFA reset link via email or SMS. Normally this would go to the contact details already on file, such as the employee’s phone number — but at this point, the attacker has already established trust and bypassed the help desk process to a degree. So asking “Can you send it to this email address?” or “I’ve actually got a new number too, can you send it to…” gets the link sent directly to the attacker.

At this point, it’s simply a case of using the self-service password reset functionality for Okta or Entra (the MFA check on that reset passes, because the attacker now controls the newly enrolled factor), and voila, the attacker has taken control of the account.

And the best part? Most help desks have the same process for every account — it doesn’t matter who you’re impersonating or which account you’re trying to reset. So, attackers are specifically targeting accounts likely to have top-tier admin privileges — meaning once they get in, progressing the attack is trivial, and much of the typical privilege escalation and lateral movement is removed from the attack path.

So, help desk scams have proved to be a reliable way of bypassing MFA and achieving account takeover — the foothold from which to launch the rest of an attack, such as stealing data, deploying ransomware, etc.

Don’t be fooled — this isn’t a new development

But something that’s not quite coming across in the reporting is that Scattered Spider has been doing this successfully since 2022, with the M&S and Co-op attacks merely the tip of the iceberg. Vishing (calling a user to get them to give up their MFA code) has been a part of their toolkit since the beginning, with the early attacks on Twilio, LastPass, Riot Games, and Coinbase involving some form of voice-based social engineering.

Notably, the high-profile attacks on Caesars, MGM Resorts, and Transport for London all involved calling a help desk to reset credentials as the initial access vector.

  • Caesars in August 2023, where hackers impersonated an IT user and convinced an outsourced help desk to reset credentials, after which the attacker stole the customer loyalty program database and secured a $15m ransom payment.
  • MGM Resorts in September 2023, where the hacker used LinkedIn information to impersonate an employee and reset the employee’s credentials, resulting in a 6TB data theft. After MGM refused to pay, the attack eventually resulted in a 36-hour outage, a $100m hit, and a class-action lawsuit settled for $45m.
  • Transport for London in September 2024, where the attack resulted in 5,000 users’ bank details being exposed, 30,000 staff being required to attend in-person appointments to verify their identities and reset passwords, and significant disruption to online services lasting for months.

So not only have Scattered Spider (and other threat groups) been using these techniques for some time, but the severity and impact of these attacks have been ramping up.

Avoiding help desk gotchas

There’s lots of advice for securing help desks being circulated, but much of the advice still results in a process that is either phishable or difficult to implement.

Ultimately, organizations need to be prepared to introduce friction to their help desk process and either delay or deny requests in situations where there’s significant risk. So, for example, having a process for MFA reset that recognizes the risk associated with resetting a high-privileged account:

  • Require multi-party approval/escalation for admin-level account resets
  • Require in-person verification if the process can’t be followed remotely
  • Freeze self-service resets when suspicious behavior is encountered (this would require some kind of internal process and awareness training to raise the alarm if an attack is suspected)
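
One way to encode that tiered process as a help desk policy check, as an added example that is not part of the original article or Push Security’s tooling (the account tiers, verification labels and sample request are constructed assumptions):

```python
from dataclasses import dataclass, field

# Constructed labels for checks that cannot be satisfied with stolen PII or a password
STRONG_VERIFICATION = {"in_person", "manager_confirmed"}

@dataclass
class ResetRequest:
    account: str
    privilege_tier: str                  # "standard" or "admin" (constructed tiers)
    verified_with: set                   # checks completed so far, e.g. {"pii", "password"}
    deliver_to_on_file: bool             # link goes only to contact details already on file
    self_service_frozen: bool = False    # help desk has raised the alarm recently
    approvals: int = 0                   # distinct approvers recorded for this request

@dataclass
class Decision:
    action: str                          # "allow", "escalate" or "deny"
    reasons: list = field(default_factory=list)

def evaluate_reset(req: ResetRequest) -> Decision:
    """Apply the rules in order: hard denials first, then escalation triggers."""
    # 1. Freeze: once an attack is suspected, no remote resets at all.
    if req.self_service_frozen:
        return Decision("deny", ["self-service resets frozen: suspected social engineering"])
    # 2. Never redirect the reset link to a number or address supplied on the call.
    if not req.deliver_to_on_file:
        return Decision("deny", ["reset link may only go to contact details on file"])
    reasons = []
    # 3. PII and passwords are both obtainable by the caller; neither proves identity.
    if not (req.verified_with & STRONG_VERIFICATION):
        reasons.append("knowledge-based checks only: needs in-person or manager verification")
    # 4. Admin-tier accounts need multi-party approval before any reset.
    if req.privilege_tier == "admin" and req.approvals < 2:
        reasons.append(f"admin reset needs 2 approvers, have {req.approvals}")
    if reasons:
        return Decision("escalate", reasons)
    return Decision("allow", ["verification satisfied"])

if __name__ == "__main__":
    # Constructed sample: a caller holding the employee's PII and password asks
    # for an admin account's MFA reset link to be sent to a "new" number.
    sample = ResetRequest("svc-admin", "admin", {"pii", "password"}, deliver_to_on_file=False)
    print(evaluate_reset(sample))
```

The ordering matters: a caller-supplied delivery address is denied outright before any escalation logic runs, so a persuasive backstory cannot talk the operator into a softer outcome.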

And watch out for these gotchas:

  • If you receive a call, good practice is to terminate the call and dial the number on file for the employee. But, in a world of SIM swapping, this isn’t a foolproof solution — you could just be re-dialing the attacker.
  • If your solution is to get the employee on camera, increasingly sophisticated deepfakes can thwart this approach.

But, help desks are a target for a reason. They’re “helpful” by nature. This is usually reflected in how they’re operated and performance measured — delays won’t help you to hit those SLAs! Ultimately, a process only works if employees are willing to adhere to it — and can’t be socially engineered to break it. Help desks that are removed from day-to-day operations (especially when outsourced or offshored) are also inherently susceptible to attacks where employees are impersonated.

But, the attacks we’re experiencing at the moment should give security stakeholders plenty of ammunition as to why help desk reforms are vital to securing the business (and what can happen if you don’t make changes).

Comparing help desk scams with other approaches

Taking a step back, it’s worth thinking about how help desk scams fit into the wider toolkit of tactics, techniques and procedures (TTPs) used by threat actors like Scattered Spider.

Scattered Spider has heavily relied on identity-based TTPs since they first emerged in 2022, following a repeatable path of bypassing MFA, achieving account takeover on privileged accounts, stealing data from cloud services, and deploying ransomware (principally to VMware environments). Their initial access and MFA-bypass techniques have included:

  • Credential phishing via email and SMS (smishing) to harvest passwords en masse
  • Using SIM swapping (where you get the carrier to transfer a number to your attacker-controlled SIM card) to bypass SMS-based MFA
  • Using MFA fatigue (aka. push bombing) to bypass app-based push authentication
  • Using vishing (i.e. directly calling a victim to social engineer their MFA code, as opposed to a help desk attack)
  • Social engineering domain registrars to take control of the target organization’s DNS, hijacking their MX records and inbound mail, and using this to take over the company’s business app environments
  • And latterly, using MFA-bypass AiTM phishing kits like Evilginx to steal live user sessions, bypassing all common forms of MFA (with the exception of WebAuthn/FIDO2)

[Image: Scattered Spider phishing pages running Evilginx. Source: researchers at SilentPush]

So, help desk scams are an important part of their toolkit, but it’s not the whole picture. Methods like AiTM in particular have spiked in popularity this year as a reliable and scalable way of bypassing MFA and achieving account takeover, with attackers using these toolkits as the de facto standard, getting creative in their detection evasion methods and in some cases, evading standard delivery vectors like email altogether to ensure the success of their phishing campaigns.

Learn more about how modern phishing kits are evading detection controls in this on-demand webinar from Push Security.

Scattered Spider are consciously evading established security controls

So, there’s more to Scattered Spider’s toolkit than just help desk scams. In fact, their approach can be broadly classified as consciously evading established controls at the endpoint and network layer by targeting identities.

From the point of account takeover, they also follow repeatable patterns:

  • Harvesting and exfiltrating data from cloud and SaaS services, where monitoring is typically less consistent than in traditional on-premises environments, and exfiltration often blends in with normal activity. Many organizations simply don’t have the logs or visibility to detect malicious activity in the cloud anyway, and Scattered Spider has also been seen tampering with cloud logs (e.g. filtering the AWS CloudTrail logs that would reveal risky activity, without disabling logging entirely, so as not to raise suspicion).
  • Targeting VMware environments for ransomware deployment. They do this by adding their compromised user account to the VMware admins group in vCenter (if needed — they are going after accounts with top-tier privileges by default). From here, they can access the VMware environment via the ESXi hypervisor layer, where no endpoint security software runs — thereby bypassing EDR and the other endpoint and host-based controls you rely on to prevent ransomware execution.
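
The “filter rather than disable” log-tampering pattern above is detectable from the trail’s own management events. The following is an added example, not code from the article or Push Security; it flags CloudTrail configuration calls that stop or narrow a trail, and the sample records are constructed, not real captured logs:

```python
import json
from typing import Optional

# CloudTrail API calls that stop or narrow what a trail records
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail",
                       "PutEventSelectors", "PutInsightSelectors"}

def classify(event: dict) -> Optional[str]:
    """Return a finding label for one CloudTrail record, or None if benign."""
    if event.get("eventSource") != "cloudtrail.amazonaws.com":
        return None
    name = event.get("eventName")
    if name not in TRAIL_TAMPER_EVENTS:
        return None
    params = event.get("requestParameters") or {}
    if name == "PutEventSelectors":
        for sel in params.get("eventSelectors", []):
            # Narrowing to ReadOnly or dropping management events hides the
            # write-side API calls an intruder makes while the trail stays "on".
            if sel.get("readWriteType") == "ReadOnly" or sel.get("includeManagementEvents") is False:
                return f"trail {params.get('trailName')} filtered: {json.dumps(sel)}"
        return f"trail {params.get('trailName')} selectors changed"
    return f"{name} on trail {params.get('name') or params.get('trailName')}"

def scan(records: list) -> list:
    """Return (caller ARN, eventName, finding) for every tampering record."""
    findings = []
    for rec in records:
        label = classify(rec)
        if label:
            caller = rec.get("userIdentity", {}).get("arn", "unknown")
            findings.append((caller, rec["eventName"], label))
    return findings

# Constructed sample: one benign call, one selector narrowing, one outright stop
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "PutEventSelectors",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/reset-victim"},
     "requestParameters": {"trailName": "org-trail",
                           "eventSelectors": [{"readWriteType": "ReadOnly",
                                               "includeManagementEvents": True}]}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/reset-victim"},
     "requestParameters": {"name": "org-trail"}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(*finding, sep=" | ")
```

Because the trail is still running after a selector change, a health check that only asks “is logging enabled?” would miss the second record; the selector contents have to be inspected.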

The key theme? Getting around your established security controls.

Conclusion

You can think of Scattered Spider as a kind of “post-MFA” threat actor that does everything they can to evade established security controls. By targeting identities and account takeovers, they bypass endpoint and network surfaces as much as possible, until the very end of the attack chain — by which point it’s almost too late to be relying on those controls.

So, don’t over-index on help desk scams — you need to consider your broader identity attack surface and the various intrusion methods it exposes, from apps and accounts with MFA gaps, to local accounts that give attackers a backdoor into accounts otherwise accessed via SSO, to the MFA-bypassing AiTM phishing kits that are the new normal for phishing attacks.

Defend your organization from Scattered Spider TTPs (not just help desk scams)

To learn more about Scattered Spider’s identity-first toolkit, which is increasingly being adopted as standard by threat groups, check out the latest webinar from Push Security — now available on-demand!

Learn how Push Security stops identity attacks

Push Security provides comprehensive identity attack detection and response capabilities against techniques like AiTM phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix identity vulnerabilities across every app that your employees use, like: ghost logins; SSO coverage gaps; MFA gaps; weak, breached and reused passwords; risky OAuth integrations; and more.

If you want to learn more about how Push helps you detect and defeat common identity attack techniques, book some time with one of our team for a live demo.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.
