Posts

, ,

Scattered Spider Attacks Again

Scattered Spider Attacks Again
By Skeeter Wesinger
July 2, 2025

In yet another brazen display of cyber subterfuge, Scattered Spider, the slick, shape-shifting cyber gang with a knack for con artistry, has struck again—this time sinking its fangs into Qantas Airways, compromising data on as many as six million unsuspecting customers. It wasn’t some arcane bit of code that cracked the system. It was human weakness, exploited like a well-worn key.
The breach targeted a third-party customer service platform, proving once again that it’s not always your network that gets hacked—it’s your vendor’s.
A Familiar Pattern, a New Victim
Qantas now joins the growing list of high-profile victims stalked by Scattered Spider, a crew whose previous hits include MGM Resorts, Caesars, Hawaiian Airlines, and WestJet. Their calling card? Social engineering at scale—not brute force, but charm, guile, and just enough personal data to sound like they belong.
They impersonate. They coax. They wear your company’s name like a mask—and by the time IT realizes what’s happened, they’re already inside.
This time, they walked away with customer names, emails, phone numbers, birthdates, and frequent flyer numbers. No passwords or payment data were accessed—Qantas was quick to say—but that’s cold comfort in an age when a birthday and an email address is all that it takes to hijack your digital life.
“Trust, but Verify” is Dead, well, sort of.
As Qantas CEO Vanessa Hudson issued the standard apology—support lines are open, regulators are notified, the sky is still safe. But the real damage isn’t operational. It’s existential. Trust doesn’t come back easy, especially when it’s breached by a whisper, not a weapon.
“We used to worry about firewalls and phishing links,” one insider told me. “Now it’s your own help desk that opens the front door.”
Scattered Spider doesn’t hack computers. They hack people—call center agents, IT support staff, even security teams—using their own policies and training scripts against them. Their English is fluent. Their confidence is absolute. Their patience is weaponized.
The Breach Beneath the Breach
What’s truly alarming isn’t just that Scattered Spider got in. It’s how.
They exploited a third-party vendor, the soft underbelly of every corporate tech stack. While Qantas brags about airline safety and digital transformation, it was a remote call-center platform—likely underpaid, overworked, and under-secured—that cracked first.
We’ve heard this story before. Optus. Medibank. Latitude. The names change. The failures rhyme.
And the hackers? They have evolved.
The Next Call May Already Be Happening
Scattered Spider is a ghost in the wires—a gang of young, highly skilled social engineers, some rumored to be based in the U.S., operating like a twisted start-up. Their tools aren’t viruses—they’re LinkedIn, ZoomInfo, and your own onboarding documents.
What you can do is rethink your threat model. Because the enemy isn’t always a shadowy figure in a hoodie. Sometimes it’s a cheerful voice saying, “Hi, I’m calling from IT—can you verify your employee ID?”
By then, it’s already too late. Need to hire an expert? Call me.

/0 Comments/by
, , , , , , ,

Scattered Spider

Scattered Spider: Impersonation, and Cybersecurity in the Age of Cloud Computing

By Skeeter Wesinger
June 29, 2025

In an era where companies have moved their infrastructure to the cloud and outsourced much of their IT, one old-fashioned tactic still defeats the most modern defenses: impersonation.
At the center of this threat is Scattered Spider, a cybercriminal collective that doesn’t exploit code—they exploit people. Their operations are quiet, persuasive, and dangerously effective. Instead of smashing through firewalls, they impersonate trusted employees—often convincingly enough to fool help desks, bypass multi-factor authentication, and gain access to critical systems without ever tripping an alarm.
This is the cybersecurity challenge of our time. Not ransomware. Not zero-days. But trust itself.
Who Is Scattered Spider?
Known to threat intelligence teams as UNC3944, Muddled Libra, or 0ktapus, Scattered Spider is an English-speaking group that has compromised some of the most security-aware companies in North America. Their breaches at MGM Resorts and Caesars Entertainment made headlines—not because they used sophisticated malware, but because they didn’t have to.
Their weapon of choice is the phone call. A help desk technician receives a request from someone claiming to be a senior executive who lost their device. The impersonator is articulate, knowledgeable, and urgent. They know internal jargon. They cite real names. Sometimes, they even use AI-generated voices.
And too often, it works. The attacker gets a password reset, reroutes MFA codes, and slips in undetected.
The Illusion of Familiarity
What makes these attackers so dangerous is their ability to sound familiar. They don’t just say the right things—they say them the right way. They mirror internal language. They speak with confidence. They understand hierarchy. They’re skilled impersonators, and they prey on a simple reflex: the desire to help.
In the past, we might have trusted our ears. “It sounded like them,” someone might say.
But in the age of AI, “sounding like them” is no longer proof of identity. It’s a liability.
When Cloud Isn’t the Cure
Many organizations have moved to cloud-based environments under the assumption that centralization and managed services will reduce their exposure. In some ways, they’re right: the cloud simplifies infrastructure and offloads security operations. But here’s the truth: you can’t outsource responsibility. The human layer remains—and that’s precisely where Scattered Spider operates.
They don’t need to breach Azure or AWS. They just need to impersonate someone with access to it.
It’s time we stop treating “trust but verify” as a cliché and start treating it as operational policy. Better yet: trust—but always verify. Every request. Every reset. Every exception.
Verification today means more than checking a box. It requires multi-channel authentication. It means never resetting MFA or passwords based solely on a phone call, no matter how credible the caller seems. It means locking down help desk protocols so impersonation doesn’t slip through the cracks.
Security teams must also monitor legitimate tools—like AnyDesk, TeamViewer, and ScreenConnect—that attackers often use once inside. These aren’t inherently malicious, but in the wrong hands, they’re devastating.
And above all, organizations must train their frontline personnel—especially support staff—to treat every identity request with healthy skepticism. If your instinct says something feels off, pause and verify through secure channels. Escalate. Slow down. Ask the questions attackers hope you won’t.
Scattered Spider doesn’t hack your servers. They hack your systems of trust. They bypass encryption by impersonating authority. And they exploit the one vulnerability no software can patch: assumption.
As we continue shifting toward remote work, outsourced IT, and cloud-based everything, the real threat isn’t technical—it’s personal. It’s the voice on the line. The urgent request. The person who “sounds right.”
In this world, cybersecurity isn’t just about what you build. It’s about what you believe—and what you’re willing to question.
Therefore, you have to train your teams. Harden your protocols. And remember in the age of the cloud, the most important firewall is still human.
Trust—but always verify!

/0 Comments/by