In recent news, MGM and Caesar’s casino in Las Vegas fell victim to a significant cyber attack, highlighting the vulnerability of even the largest organizations. Despite having substantial IT security budgets, these casinos were targeted successfully by hackers.
The MGM and Caesar’s Casino Cyber Attack: A Lesson in Social Engineering
The world has recently witnessed a surge in cyberattacks targeting organizations of all sizes. No longer confined to Hollywood blockbusters, these attacks have become a grim reality for businesses worldwide. One of the most insidious and effective methods used by hackers is known as social engineering.
The Hacker’s Intricate Plan
The attackers behind the cyber attack on MGM and Caesar’s Casino left no stone unturned in their quest to compromise these giants. Before launching their assault, they gathered information about the casinos’ employees from various sources, including LinkedIn and Facebook. Their knowledge encompassed managers, IT personnel, and others across the organization, and from it they built a comprehensive employee map and organizational structure. Armed with this data, they executed their plan to infiltrate the casinos’ systems.
Building the Foundation for an Attack
With the casino’s internal structure and employee hierarchy mapped out, the attackers set out to exploit the weakest link in the security chain: human trust.
A Social Engineering Masterstroke
The attackers assumed the identities of non-IT personnel and initiated contact with the IT help desk. Through cunning deception, they convinced the help desk to provide crucial information, reset passwords, and grant access to sensitive systems.
The Unseen Consequences
The repercussions of this cyber attack have been profound. Caesar’s Casino opted to pay a $15 million ransom, while MGM’s decision not to pay came with its own costs. Daily revenue losses of 10% to 20% translated to $8.4 million per day. Additionally, MGM suffered a significant hit to its market capitalization, losing $2 billion. Both organizations also saw a massive loss of customer data for members of their loyalty programs, including personal information, addresses, Social Security numbers, and credit card details. The true extent of these losses is yet to be fully quantified.
Scrutiny and Accountability
In the wake of this cyber attack, insurance companies that work with such organizations are reevaluating their policies, while federal agencies and gaming commissions are demanding answers from the board members. The focus has shifted from IT departments to scrutinizing the skills and diligence of board members regarding cybersecurity.
The Art of Social Engineering
The attack on MGM and Caesar’s Casino underscores the age-old technique of social engineering. This method exploits human psychology and relies on trust, fear, and urgency to manipulate individuals into compromising security. Social engineering encompasses various tactics, including phishing, spear phishing, vishing (voice phishing), and smishing (SMS phishing). These techniques have evolved over time, adapting to modern communication channels. In 2023, a new and unsettling development has emerged: social engineering attacks are now carried out with the assistance of artificial intelligence. Deepfake technology allows attackers to convincingly impersonate individuals by using their voices, often with native English speakers participating in these schemes.
Attribution and Investigation
While the FBI and forensic groups have started investigating the MGM and Caesar’s casino cyber attack, it’s believed that the hackers responsible, though possibly based in Russia, were native English speakers as young as 19. This challenges the notion that cyber attackers are always non-native English speakers with poor grammar, as was once the case.
Recognizing Social Engineering Tactics
Understanding social engineering is vital for individuals and organizations alike. Recognizing the psychological tricks employed by attackers is the first step in defending against these insidious threats. Social engineering leverages human tendencies, such as the willingness to help, trust, or act out of fear or urgency. Attackers manipulate these instincts to gain access to sensitive information and assets.
The FBI’s Internet Crime Complaint Center has identified social engineering as one of the most effective attack methods. It is not limited to large corporations; small businesses and individuals are also vulnerable.
Safeguarding Against Social Engineering
So, what can organizations and individuals do to protect themselves against social engineering attacks? The solution lies in a combination of policies, training, and vigilance.
Step 1: Acknowledging the Threat
The first crucial step is recognizing that social engineering is a genuine and significant threat. In the age of AI-driven deepfakes, the need for awareness has never been more critical.
Step 2: Training and Education
Regularly educate and train your team on social engineering tactics. Involving all members, from legal and accounting to IT departments, is essential. Create clear policies on asset access and authorization.
Step 3: Testing and Review
Implement automated cybersecurity training and testing, regularly reviewed by management. Identify weak points within your team and provide additional training as necessary.
Stay Vigilant
Social engineering attacks are on the rise, affecting organizations and individuals alike. By acknowledging the threat, educating your team, and implementing robust policies, you can better protect your assets and information in an ever-evolving digital landscape. Remember, in the battle against social engineering, knowledge and awareness are your best defenses.