Article 6XJ2N Ex-NSA Listened to Scattered Spider's Calls: 'They're Good'

by hubie from SoylentNews on (#6XJ2N)

Arthur T Knackerbracket has processed the following story:

The call came into the help desk at a large US retailer. An employee had been locked out of their corporate accounts.

But the caller wasn't actually a company employee. He was a Scattered Spider criminal trying to break into the retailer's systems - and he was really good, according to Jon DiMaggio, a former NSA analyst who now works as a chief security strategist at Analyst1.

Scattered Spider is a cyber gang linked to SIM swapping, fake IT calls, and ransomware crews like ALPHV. They've breached big names like MGM and Caesars, and despite arrests, keep evolving. They're tracked by Mandiant as UNC3944, also known as Octo Tempest.

DiMaggio listened in on this call, which was one of the group's recent attempts to infiltrate American retail organizations after hitting multiple UK-based shops. He won't name the company, other than to say it's a "big US retail organization." This attempt did not end with a successful ransomware infection or stolen data.

"But I got to listen to the phone calls, and those guys are good," DiMaggio told The Register. "It sounded legit, and they had information to make them sound like real employees."

Scattered Spider gave the help desk the employee's ID and email address. DiMaggio said he suspected the caller first social-engineered the employee to obtain this data, "but that is an assumption."

"The caller had all of their information: employee ID numbers, when they started working there, where they worked and resided," DiMaggio said. "They were calling from a number that was in the right demographic, they were well-spoken in English, they looked and felt real. They knew a lot about the company, so it's very difficult to flag these things. When these guys do it, they're good at what they do."
