The cybercrime group known as Scattered Spider, also tracked as UNC3944, has expanded
its operations to include major insurance companies, according to the Google Threat Intelligence Group (GTIG).
“We’ve now identified multiple incidents in the U.S. that show clear signs of Scattered Spider’s tactics,” said John Hultquist, chief analyst at GTIG, in a statement on Monday.
Hultquist warned that the insurance sector should be particularly vigilant, as the group tends to concentrate on one industry at a time. He emphasized the heightened risk of social engineering attacks aimed at help desks and call centers.
Scattered Spider is a loosely connected group infamous for its sophisticated social engineering strategies. Recently, the group is believed to have aligned with the DragonForce ransomware gang, following reports that DragonForce took over infrastructure previously used by RansomHub.
According to SOS Intelligence, “The group excels at impersonating employees, tricking IT support, and bypassing multi-factor authentication through well-crafted psychological manipulation.” The attackers are often thought to be native English speakers with connections to Western regions, which makes their phishing campaigns and phone scams more convincing and effective.
Earlier this month, cybersecurity firm ReliaQuest disclosed that Scattered Spider and DragonForce have intensified their focus on managed service providers (MSPs) and IT contractors. By breaching one provider, they can gain access to multiple downstream clients. Mandiant, another Google-owned security company, added that large enterprises are especially targeted, as they present opportunities for more significant financial gain.
Organizations with sizable help desks or outsourced IT support appear to be especially vulnerable to these types of attacks.
To defend against these threats, experts recommend strengthening authentication methods, tightening identity controls, limiting user privileges to reduce lateral movement, and ensuring help desk staff are trained to verify employees before resetting credentials.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
