The $100 Million Phone Call – Tale of the MGM Hack

In 2008, an Australian man received a $147,000 phone bill while traveling in Europe. It appeared his 12-year-old son was playing a game of “Tap, Tap, Revenge” on his iPhone the whole time. That was quite a bill, but it is peanuts compared to the 10-minute phone call to technical support that cost MGM Resorts close to $100 Million.  

In September of 2023, a group of cyber hackers from the US and UK, ranging in age from 19-22 called Scattered Spider, used social engineering to take down many of the operations of the almost $34 Billion gambling giant. Cyber criminals went to the Linked-In social media page to find an employee that works in IT for MGM Resorts. A member of the State sponsored group named Scattered Spider called the MGM tech support team impersonating a hard-working IT employee that needed a password reset. After 10 minutes on the phone, the hackers owned that account. This was the cornerstone of the operation. If tech support verified who they were talking to prior to resetting the password, this attack may have been less damaging. The helpful tech support worker had an amygdala hijacking. The urgency to help took over the logical part of the brain that would have verified the caller.  

Once in the network, they escalated their privileges (gained admin rights) and found their way into the most valuable computers. The computers were responsible for the hospitality applications used to run the hotels and casinos. The hacking group loaded ransomware on over 100 servers. One by one the ransomware encrypted the systems and the applications crashed. Hotel keys no longer worked. Slot machines were unavailable. Point-of-Sales systems (credit cards) were unable to take payments. Guests were not able to reserve rooms and check in or out. MGM saw operations in eight states affected by the intrusion.  

Because MGM did not immediately pay the ransom, their systems were in a state of upheaval for 10 days. The losses from the disabled slot machines alone cost MGM an estimate of $5 Million a day. Some estimate a total loss of $8.4 Million per day. MGM Resorts International claimed the disruption in service caused a $100 Million loss in the third quarter results. Additionally, they spent another $10 Million on legal fees and technical consulting. As a result of the attack, their stock dropped $850 Million in market value. They have since recovered that loss. However, their biggest loss might be the damage to their reputation.  

Just a week before, another casino giant, Caesars Entertainment, suffered a ransomware attack. In contrast they immediately negotiated the ransom from $30 to $15 Million and saw only minimal disruption. The bright side (if there was one) for both corporations was that they both carried excellent cybersecurity insurance policies which covered the cost.  

There may be legitimate business reasons to pay the ransom, but it comes with an additional ethical price. The ransom you pay funds other elicit criminal activities like drug smuggling and human trafficking. We will save that discussion for another day.  

Don’t think this only happens to huge corporations, it happens to small and medium sized companies every day in America. Employees need cybersecurity training, so they don’t fall for the kind of trick played on MGM. You need to have company policies in place to protect against impersonation. You need business plans such as Incident Response Plans and Contingency of Operation plans developed and ready in case of an attack or disaster.

Keep all that in mind for your business the next time you receive an unexpected call. What will this phone call really cost? 

Original article in the Sierra Vista Herald found here:

Scammed! How Hackers Hijack Your Amygdala

Last week an elderly friend called me. He had been scammed out of $13,000 … almost. RIGHT before he finalized sending the money, he had a lucid moment and thought “this is probably a scam”. He ended the call and phoned his bank. All ended well.

So, what can we do to help our elderly friends and family? They are easy pickins for professional scammers. These scams work because they incite a cognitive response in the mind of the potential victim that causes them to jettison all logic. They simply fall prey to an ancient brain-part — the amygdala. Chris Hadnagy (professional white hat social engineer) references the term “amygdala hijacking”. It’s a term coined by Dr. Daniel Goleman. Hadnagy states scammers use techniques that hijack the amygdala which shuts off the logic center of your brain. The tragic result is that in less than 30 minutes your elderly loved one will transfer tens of thousands of dollars to a person they’ve never met.

According to Hadnagy, there are 4 vectors of social engineering attacks: 1. Phishing. 2. Vishing. 3. SMiShing. 4. Impersonation. I’m sure we could add to or subdivide these categories, but this is enough for now.

Phishing is typically an email delivery. That’s how my friend was targeted. He received an email informing him his Norton antivirus subscription had just been renewed for $250. He was kindly informed to “call this number if you’d like to cancel.” Panic set in. The amygdala hijack was on. He completely ignored the fact he NEVER had a Norton antivirus account.

Vishing uses the same content essentially as a phishing email but delivered over a phone call. SMiShing is the same – except over text message. Impersonation is an in-person visit from someone pretending to be someone like phoneline repair or a plumber.

In almost all these cases the scam works because the content of the message causes the victim to immediately panic. The anger, fear, or excitement they feel disables all the logic which they would normally use to make informed decisions. This is where the amygdala takes center stage. Logic takes a lunch break.

It’s here that the scammer handholds the victim all the way through the scam. They promise to fully refund the victim’s money. This makes the amygdala happy. The scammers convince the victim to let them remote connect to their computer. Next, they do some confusingly technical looking things to build false trust. But it’s all a ruse. The scammer is counting on the good heart and trusting character of the victim. Trust and honesty make them the perfect victim.

To protect yourself and your loved ones, here are a few rules:

1. Trust no one.

2. If you get any kind of communication you didn’t expect, pay attention to your feelings. Does it make you anxious in any way? Then it’s a scam.

3. If the message you received claims your bank account or credit card have been charged, close the message and contact your bank using a known-good number.

4. If the message appears to come from a government agency, close the message and contact the agency using a known good number.

5. Every organization that deals with your money has a fraud department. Contact them. They can help you get things straightened out.

6. Contact the Cyber Guys at CyberEye.

Original Article appeared in the Sierra Vista Herald here

The Cyber Guys: Are we going to have a catastrophic cyber event in 2024?

What would happen to the country if most of the internet went down for a day? 

In January 2023, the World Economic Forum released a cybersecurity report that found 93% of cyber leaders, and 86% of cyber business leaders believe geopolitical instability makes a catastrophic cyber event likely in the next two years.  Nation states may focus on cyber warfare to accomplish their objectives rather than kinetic alternatives.

With major wars going on in Gaza and Ukraine, that could look like an attack on critical infrastructure as a response to American policy in either region.  On a small scale, this has already happened.  In November the federal Cybersecurity and Infrastructure Security Agency revealed hackers had breached computers at “less than 10” water facilities in different parts of the United States. U.S. and Israeli authorities issued an advisory confirming that hackers had “accessed multiple U.S.-based” water facilities that operate Israeli-made equipment, likely by breaking into internet-connected devices with default passwords.

The U.S. and Israeli government agencies blamed hackers affiliated with the Islamic Revolutionary Guard Corps, a military branch of the Iranian government, for the activity.

In December the Jerusalem Post reported a significant cyberattack that impacted Israeli emergency services. Cyberattacks on critical infrastructure, such as emergency services, can result in response time delays, compromised communication systems, and even the loss of sensitive data. These attacks not only put lives at risk but also have far-reaching societal and economic implications.

The hacking goes both ways.  A hacking group previously linked to Israel, known as “Gonjeshke Darande” or “predatory sparrow,” claims it took down 70% of the gas stations in Iran by gaining access to the payment systems.

But geopolitical instability is not the only threat in cyberspace. The WEF conducted cybersecurity scenario simulations in 2020 and 2021 called Cyber Polygon. In the 2020 exercise, it predicted the world would experience a “digital pandemic.” There could be a virus that mass-infects internet-connected devices similar to how the coronavirus mass-infected the physical world.  In the case of a “digital pandemic,” the infection would spread so much faster the only answer might be to remove devices from the internet so they don’t get infected — effectively shutting down the internet for a time.  

The 2021 Cyber Polygon exercise focused on an attack on third-party supply chains where major organizations were “collateral damage” of the attack.  For example, in February 2022, a cyberattack on commercial satellite services in Ukraine caused electricity-generating wind farms to shut down across central Europe. In July 2021, supermarkets in Sweden were forced to close their doors after a cyberattack on IT services provider Kaseya, based in Florida.

But wait, there’s more! Cybercrime has become big business. Cybercrime is expected to grow from $3 trillion in 2015 to $10.5 trillion in 2025.  Crime ranges from phishing emails looking for $100 Amazon gift cards, to social engineering of crypto wallets producing millions, to ransomware that affects small town business and huge multinational businesses alike. 

As a business owner, what can you do to protect yourself?  Are you doomed?

Of course not, you can set up a defense-in-depth strategy to protect your data. Change the default passwords on all your devices.  Use good password hygiene.  Set up multi-factor authentication on your systems wherever you can. Back up your data. Implement application whitelisting that allows only approved applications to run. Train your employees how to identify malware and social engineering schemes.  Have a Business Associate agreement in place. Create an incident response plan in case of a cyber incident and develop a disaster recovery plan in case you lose access to all your data.

If a catastrophic event does occur in 2024, you can survive and thrive if you properly prepare. Want to learn how?  Ask the Cyber Guys from CyberEye.


Stay secure while preparing for the new year

The new year is upon us!
Whether you are posting pictures from the holidays on social media, creating a new year budget, or setting up that gifted smart TV, cybercriminals are finding ways to sneak their scams into these exciting times. As you take on whatever the new year throws at you, make sure your journey includes staying cyber secure.

There are many resources and programs online you can use to help accomplish fitness and health goals. When searching for gyms, workout plans, or healthy recipes, watch out for scams. Some of these scams are nothing more than misleading ads, while others result in no product being delivered at all. Be wary of any pills, diets, or programs that promise immediate results.

The new year is a great time to look at finances. With the rise of online shopping, it can be difficult to keep track of purchases. Set a routine to check your transactions on debit and credit cards and look for any suspicious charges you didn’t make. Many people are using budgeting apps. Make sure to read reviews and research the app before downloading or entering your personal information on it. Avoid entering your banking information on unknown apps.

Online surveys may seem like an easy way to make money, but it is important to do your research before participating. Many of these sites are scams. If the money offered seems too high or if a reward is offered just for signing up, it is likely a scam. Be careful with your personal information. Read the privacy policy and leave the survey immediately if the questions ask for sensitive information.