GUEST ESSAY: How the ‘Scattered Spiders’ youthful ring defeated MFA to plunder Vegas

By John Funk

A hacking gang known as Scattered Spiders soundly defeated the cybersecurity defenses of MGM and Caesars casinos.


This cost the Las Vegas gambling meccas more than $100 million while damaging their reputations. As the companies face nine federal lawsuits for failing to protect customer data, it’s abundantly clear that attackers can checkmate multi-factor authentication (MFA) as it is commonly deployed.

Using help desk social engineering and a technique known as MFA fatigue, Scattered Spiders put MGM in manual mode and forced Caesars to pay a reported $13 million ransom. For the moment, attackers appear to have the upper hand in the global chess match between cybersecurity professionals and digital criminals.

That’s largely because the splashy headlines and online buzz from bringing down the pair of casinos will motivate more mid-level cybercriminals to follow Scattered Spiders’ model, and ransomware-as-a-service puts the tooling within their reach, leaving businesses of every kind at risk of ransomware attacks.

Scattered Spiders

In early September, Scattered Spiders infiltrated MGM and Caesars using a variety of relatively common hacking techniques. But the coup de grâce was how easily they brushed aside the multi-factor authentication protections.

The criminals’ ages are said to range from 17 to 25, and their technical skills were nothing to boast about until they pulled off these crimes.

Using routine social engineering strategies, the cyber-thieves gathered information about key employees. Professional networking and social media platforms continue to prove a rich landscape for phone numbers, locations, hobbies, dates of birth, family members, and friendships.


Having built a comprehensive file on select casino workers, Scattered Spiders showed some bravado by calling the companies’ help desks. Fluent in American English, a gang member convinced a help desk worker to provide a one-time password to log into the systems.

Defeating MFA

Their social engineering chops suggest the relatively youthful thieves possessed significant skills. But persuading a poorly trained help desk operator to provide a temporary password isn’t, unfortunately, out of the ordinary. How they steamrolled multi-factor authentication is what gives reason for pause.

According to reports, Scattered Spiders rented their ransomware from ALPHV, also known as BlackCat (two names for the same operation), rather than building their own. The rise of ransomware-as-a-service allowed these seemingly garden-variety hackers to elevate their game. But their ability to overcome multi-factor authentication defenses has cybersecurity experts rethinking the once tried-and-true protection.

Scattered Spiders employed a technique known as “MFA fatigue,” also called push bombing, and it targets push-based MFA specifically. When MFA delivers a verification code to a secondary device via text message, email or an authenticator app, an attacker who holds only the username and password is stuck, because the code never reaches them. Push-based MFA replaces the code with a single “Approve” tap on the user’s phone, and that tap is something the attacker can ask for again and again: every time they submit the stolen username and password, the legitimate user receives another approval request.

By repeating the login attempt, Scattered Spiders sent the casino employees an avalanche of approval requests. Each one pressured the recipient to tap Approve.

Much like an argument with a relative, MFA fatigue works by wearing someone down psychologically. At some point in a lengthy dispute, one party just says “fine” to end it. Employees who receive a barrage of notifications are likely to approve one to make them stop, and that single approval is all the attacker needs. That’s how millions of dollars were lost, lawsuits were filed, and the casinos’ reputations were tarnished.
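The pattern described above leaves a distinctive trail in the identity provider’s logs: a burst of push prompts for one account, most of them denied or left to expire, followed by a single approval. The following is an added detection example, not code from the essay or from either casino; the log format, the event names (push_sent, push_denied, push_expired, push_approved), the sample lines and the thresholds are constructed for illustration and do not correspond to any vendor’s schema.

```python
"""Flagging MFA-fatigue bursts in push-authentication logs (added example).

Sliding-window check: an approval that follows a burst of push prompts for
the same account, most of them denied or left to expire, is flagged for the
SOC. The log format, event names and thresholds are assumptions, not any
identity provider's schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one event per line: timestamp,user,event,source_ip
# events: push_sent, push_denied, push_expired, push_approved
SAMPLE_LOG = """\
2023-09-10T02:14:05Z,jdoe,push_sent,203.0.113.7
2023-09-10T02:14:35Z,jdoe,push_denied,203.0.113.7
2023-09-10T02:14:40Z,jdoe,push_sent,203.0.113.7
2023-09-10T02:15:10Z,jdoe,push_expired,203.0.113.7
2023-09-10T02:15:12Z,jdoe,push_sent,203.0.113.7
2023-09-10T02:15:20Z,jdoe,push_denied,203.0.113.7
2023-09-10T02:15:25Z,jdoe,push_sent,203.0.113.7
2023-09-10T02:15:41Z,jdoe,push_approved,203.0.113.7
2023-09-10T09:01:00Z,asmith,push_sent,198.51.100.22
2023-09-10T09:01:08Z,asmith,push_approved,198.51.100.22
"""

WINDOW = timedelta(minutes=10)
PROMPT_THRESHOLD = 4   # prompts inside WINDOW before an approval is suspicious


def parse_log(text):
    """Parse the constructed CSV-style log into (time, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.strip().split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events


def find_fatigue_approvals(events, window=WINDOW, threshold=PROMPT_THRESHOLD):
    """Return one dict per suspicious approval: the user, the approval time,
    and how many prompts and rejections preceded it inside `window`."""
    prompts = defaultdict(deque)      # user -> timestamps of push_sent
    rejections = defaultdict(deque)   # user -> timestamps of denied/expired
    hits = []
    for ts, user, event, ip in sorted(events):
        # Drop anything older than the window before looking at this event.
        for q in (prompts[user], rejections[user]):
            while q and ts - q[0] > window:
                q.popleft()
        if event == "push_sent":
            prompts[user].append(ts)
        elif event in ("push_denied", "push_expired"):
            rejections[user].append(ts)
        elif event == "push_approved" and len(prompts[user]) >= threshold:
            hits.append({
                "user": user,
                "approved_at": ts.isoformat(),
                "prompts_in_window": len(prompts[user]),
                "rejections_in_window": len(rejections[user]),
                "source_ip": ip,
            })
    return hits


if __name__ == "__main__":
    for hit in find_fatigue_approvals(parse_log(SAMPLE_LOG)):
        print("MFA fatigue suspected:", hit)
```

On the constructed log, jdoe’s approval is flagged (four prompts and three rejections in the preceding minutes) while asmith’s single prompt-and-approve is not. The rejection count matters in practice: a user who approves after several denials is a stronger signal than one who simply got a few prompts, so an analyst would prioritise those hits and treat the approving session as compromised until the user confirms otherwise.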

Dealing with MFA fatigue

To say that handing over a one-time password after a 10-minute conversation with a help desk operator demonstrates a lack of cybersecurity awareness training would be something of an understatement. By some estimates, human error plays a part in upwards of 88 percent of all data breaches.

That statistic also covers the employees who succumbed to MFA fatigue tactics and eventually tapped Approve. There are, however, ways organizations (and the cybersecurity firms that support them) can harden their MFA deployments to reduce human error and blunt MFA fatigue, including the following.

• Reduce the amount of time a one-time password or approval prompt remains valid.

• Limit the number of unsuccessful login attempts, and cap how many approval prompts a single account can generate in a short window before further prompts are suppressed.

• Onboard biometric and geolocation elements so that an approval from an unexpected device or location is challenged rather than accepted.

Increasing the number of factors and secondary channels used for approvals is also feasible. If legitimate network users had to confirm via both email and text message, attackers would be forced to flood both devices, which should trigger the realization something is amiss. Stronger still is to make the approval carry information only the real login screen shows, such as a number the user must type into the authenticator app: an employee asked for a number they have never seen has nothing to tap, no matter how many prompts arrive.
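The controls in the list above are server-side policy, and they are most convincing as code. The following is an added example written for this page, not the casinos’ or any vendor’s implementation. It models a push-approval service with short prompt lifetime, a per-account cap on prompts per window that locks the account once tripped, and number matching (the user types a two-digit number shown on the login screen into the authenticator), then simulates both an attacker’s flood and a genuine login. The class and function names, the thresholds and the two-digit challenge are assumptions for illustration.

```python
"""Push-MFA approval flow hardened against prompt bombing (added example).

Models three defenses: a short prompt lifetime, a cap on prompts per user per
window with lockout once it is hit, and number matching (the user must type
the two-digit number shown on the login screen into the authenticator).
All names and thresholds are assumptions, not any vendor's implementation.
"""
import secrets
from collections import defaultdict, deque
from dataclasses import dataclass

PROMPT_TTL = 60      # seconds a prompt stays approvable
MAX_PROMPTS = 3      # prompts a single account may generate per window
WINDOW = 300         # seconds


@dataclass
class Prompt:
    user: str
    challenge: str    # two-digit number displayed on the login screen
    issued_at: float


class PushMFA:
    def __init__(self):
        self.prompts = {}                  # prompt_id -> Prompt
        self.recent = defaultdict(deque)   # user -> issue timestamps in window
        self.locked = set()                # users who tripped the prompt cap

    def request_prompt(self, user, now):
        """Called after a correct password. Returns (prompt_id, challenge),
        or None when the account is locked or over the prompt cap."""
        if user in self.locked:
            return None
        q = self.recent[user]
        while q and now - q[0] > WINDOW:
            q.popleft()
        if len(q) >= MAX_PROMPTS:
            # Stop the flood at the source: no further prompts reach the phone,
            # and unlocking requires an out-of-band identity check.
            self.locked.add(user)
            return None
        q.append(now)
        pid = secrets.token_hex(8)
        challenge = f"{secrets.randbelow(100):02d}"
        self.prompts[pid] = Prompt(user, challenge, now)
        return pid, challenge

    def approve(self, pid, entered, now):
        """Approve only if the prompt is still live and the typed number matches."""
        p = self.prompts.pop(pid, None)       # one attempt per prompt
        if p is None or now - p.issued_at > PROMPT_TTL:
            return False
        return secrets.compare_digest(p.challenge, entered)


def simulate_flood(user="jdoe"):
    """Attacker holding the password hammers the login page every 10 seconds;
    the victim, worn down, taps Approve without ever seeing the real number."""
    mfa = PushMFA()
    t0 = 1_000.0
    issued = []
    for i in range(6):
        r = mfa.request_prompt(user, t0 + 10 * i)
        if r is not None:
            issued.append(r)
    pid, challenge = issued[-1]
    wrong = f"{(int(challenge) + 1) % 100:02d}"  # guaranteed not the real number
    return {
        "prompts_delivered": len(issued),          # capped at MAX_PROMPTS
        "locked": user in mfa.locked,
        "blind_tap_accepted": mfa.approve(pid, wrong, t0 + 30),
    }


def simulate_legit(user="asmith"):
    """Genuine login: the user types the number from their own screen in time;
    a prompt left past its lifetime is refused even with the right number."""
    mfa = PushMFA()
    pid, challenge = mfa.request_prompt(user, 0.0)
    ok = mfa.approve(pid, challenge, 20.0)
    pid2, challenge2 = mfa.request_prompt(user, 100.0)
    expired = mfa.approve(pid2, challenge2, 100.0 + PROMPT_TTL + 1)
    return {"approved": ok, "expired_accepted": expired}


if __name__ == "__main__":
    print("flood:", simulate_flood())
    print("legit:", simulate_legit())
```

In the flood scenario only three prompts ever reach the phone, the account locks before the fourth, and the one approval the victim does give is rejected because the number they typed is not the one on the attacker’s screen. Locking on the prompt cap rather than silently dropping prompts is deliberate: it converts the attack into a help desk ticket, which is exactly the point at which a well-trained operator should be verifying identity out of band rather than issuing a fresh one-time password over the phone.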

Given that hackers have a relatively new trick to play on businesses, it’s crucial to harden your cybersecurity defenses and educate staff members about MFA fatigue.

About the essayist: John Funk is a Creative Consultant at SevenAtoms. A lifelong writer and storyteller, he has a passion for tech and cybersecurity. When he’s not found enjoying craft beer or playing Dungeons & Dragons, John can be often found spending time with his cats. John can be reached online at or at
