Recent analysis from Check Point Research has shed new light on the cybercriminal group known as Scattered Spider, revealing a significant escalation in both the scale and sophistication of their operations. The group’s latest campaigns pose a mounting threat to enterprises, with the aviation sector emerging as a primary target.
Expanding Attack Infrastructure
Check Point’s investigation uncovered over 500 phishing domains attributed to Scattered Spider. These domains are meticulously crafted to impersonate legitimate enterprise login portals, frequently following naming conventions such as victimname-sso.com, victimname-servicedesk.com, and victimname-okta.com. This extensive infrastructure demonstrates a strategic, long-term approach to credential theft, moving beyond isolated incidents to coordinated campaigns.
| Example Domain | Description/Pattern |
|---|---|
| chipotle-sso[.]com | Mimics Chipotle’s single sign-on portal |
| hubspot-okta[.]com | Imitates HubSpot’s Okta login page |
| gemini-servicedesk[.]com | Fakes Gemini’s IT service desk |
| klv1.it[.]com | Uses a public subdomain registration service |
| corp-asurion[.]com | Mimics Asurion’s corporate portal |
| activecampiagn[.]net | Typo-squatted version of “activecampaign.net” |
| acwa-apple[.]com | Blends ACWA and Apple branding |
| birdsso[.]com | Generic SSO-themed phishing domain |
| okta-ziffdavis[.]com | Targets Ziff Davis Okta users |
| pfchangs-support[.]com | Mimics P.F. Chang’s support portal |
| x-sso[.]com | Generic SSO-themed phishing domain |
| okta-mgmresorts[.]com | Targets MGM Resorts Okta users |
| zoom-servicedesk[.]com | Fakes Zoom’s IT service desk |
| apple-sso[.]com | Mimics Apple’s single sign-on portal |
| okta-coinbase[.]com | Targets Coinbase Okta users |
| microsoftsso[.]com | Generic Microsoft SSO-themed phishing domain |
| airbnb-okta[.]com | Imitates Airbnb’s Okta login page |
| okta-americanexpress[.]com | Targets American Express Okta users |
| helpdesk-cisco[.]com | Mimics Cisco’s helpdesk portal |
| internal-uber[.]com | Targets Uber’s internal login portal |
| vpn-robinhood[.]com | Fakes Robinhood’s VPN portal |
| servicedesk-microsoft[.]com | Fakes Microsoft’s IT service desk |
| okta-servicenow[.]com | Targets ServiceNow Okta users |
| corp-delta[.]com | Mimics Delta’s corporate portal |
Evolving Tactics and Techniques
Check Point says Scattered Spider’s methods include:
- Sophisticated Social Engineering: The group employs vishing (voice phishing), multi-factor authentication (MFA) fatigue attacks (repeatedly triggering push prompts until a worn-down user approves one), and impersonation of IT support staff to deceive employees and gain access to sensitive systems.
- Phishing Campaigns: Highly convincing fake login pages are used to harvest credentials from unsuspecting victims.
- Abuse of Legitimate Tools: Attackers leverage remote access tools such as TeamViewer, ScreenConnect, and Tailscale to maintain persistence and move laterally within compromised networks.
- Malware Deployment: Credential-stealing malware like Raccoon and Vidar, as well as remote access trojans such as WarZone RAT, are frequently utilized.
- Collaboration with Ransomware Operators: Scattered Spider has established partnerships with ransomware groups, including BlackCat/ALPHV, to maximize the impact and profitability of their attacks.
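The MFA fatigue pattern in the list above has a recognisable shape in authentication logs: a run of denied or unanswered push prompts for one account in a short window, often ending in a single approval. The following is an added detection example written for this page, not Check Point's code or any vendor's product; the event fields, the sample log and the thresholds (three failed pushes in ten minutes) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds: three denied/unanswered pushes inside ten minutes.
WINDOW = timedelta(minutes=10)
FAILED_PUSH_THRESHOLD = 3

# Constructed MFA push log (not real data): ISO-8601 UTC timestamps.
# j.doe is bombed at 02:10 and eventually approves; a.lee shows normal use.
SAMPLE_EVENTS = [
    {"ts": "2025-07-01T02:10:05Z", "user": "j.doe", "result": "DENIED",   "ip": "203.0.113.7"},
    {"ts": "2025-07-01T02:10:40Z", "user": "j.doe", "result": "TIMEOUT",  "ip": "203.0.113.7"},
    {"ts": "2025-07-01T02:11:12Z", "user": "j.doe", "result": "DENIED",   "ip": "203.0.113.7"},
    {"ts": "2025-07-01T02:11:50Z", "user": "j.doe", "result": "DENIED",   "ip": "203.0.113.7"},
    {"ts": "2025-07-01T02:12:31Z", "user": "j.doe", "result": "APPROVED", "ip": "203.0.113.7"},
    {"ts": "2025-07-01T09:00:00Z", "user": "a.lee", "result": "APPROVED", "ip": "198.51.100.4"},
    {"ts": "2025-07-01T14:30:00Z", "user": "a.lee", "result": "DENIED",   "ip": "198.51.100.4"},
    {"ts": "2025-07-01T14:31:00Z", "user": "a.lee", "result": "APPROVED", "ip": "198.51.100.4"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_bombing(events, window=WINDOW, threshold=FAILED_PUSH_THRESHOLD):
    """Return alerts for users who received `threshold` or more denied or
    timed-out pushes within `window`, plus a second alert if such a burst
    ends in an APPROVED push: the signature of a fatigued user tapping yes."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        failed = []        # DENIED/TIMEOUT timestamps still inside the window
        in_burst = False   # True once the threshold has been crossed
        for e in evs:
            t = parse_ts(e["ts"])
            failed = [f for f in failed if t - f <= window]   # slide the window
            if len(failed) < threshold:
                in_burst = False                               # burst has decayed
            if e["result"] in ("DENIED", "TIMEOUT"):
                failed.append(t)
                if len(failed) >= threshold and not in_burst:
                    in_burst = True
                    alerts.append({"user": user, "kind": "push_bombing", "ip": e["ip"],
                                   "failed_pushes": len(failed), "at": e["ts"]})
            elif e["result"] == "APPROVED":
                if in_burst:
                    alerts.append({"user": user, "kind": "approval_after_bombing",
                                   "ip": e["ip"], "at": e["ts"]})
                failed, in_burst = [], False                   # approval closes the episode
    return alerts


if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_EVENTS):
        print(a)
```

The second alert kind is the one to page on: an approval that follows a burst means the attacker most likely holds a valid session and the account should be locked and its sessions revoked, not merely watched. An adaptive MFA product would fold the same signal together with device, location and time-of-day context; the 02:10 timestamps in the constructed sample are the sort of detail such a system would weigh.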
Aviation Industry in the Crosshairs
While Scattered Spider has previously targeted sectors such as telecommunications, finance, and retail, Check Point’s latest findings highlight a strategic pivot towards the aviation industry. Recent attacks have affected major airlines including Qantas, Hawaiian Airlines, and WestJet, resulting in the compromise of millions of customer records and significant operational disruptions.
The aviation sector’s reliance on third-party vendors and external IT contractors has made it especially vulnerable. Attackers exploit gaps in identity verification and vendor security to infiltrate airline systems, drawn by the vast troves of sensitive customer data these organizations maintain.
Key Indicators of Compromise
Check Point Research has identified several indicators that organizations should monitor to detect potential Scattered Spider activity:
- Registration of domains mimicking enterprise and airline login portals
- Increased phishing and vishing attempts targeting help desks and IT support staff
- Unusual use of cloud-based and remote access tools within enterprise networks
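The third indicator above, unusual use of remote access tools, is the easiest to turn into a rule because the tools the report names (TeamViewer, ScreenConnect, Tailscale) leave recognisable process names. The following is an added example for this page, not Check Point's code: it runs an allowlist check over constructed process-creation telemetry. The regexes, the sanctioned-tool policy and the sample events are assumptions, and a production rule would also key on signer metadata and file hashes.

```python
import re

# Assumed indicators for the tools named in the report (case-insensitive
# match on image path or command line).
RMM_SIGNATURES = {
    "TeamViewer": re.compile(r"teamviewer", re.I),
    "ScreenConnect": re.compile(r"screenconnect|connectwise", re.I),
    "Tailscale": re.compile(r"tailscale", re.I),
}

# Hypothetical policy: which tools are sanctioned and which accounts may run them.
SANCTIONED = {"TeamViewer": {"CORP\\helpdesk-svc"}}

# A binary launched from a user profile rather than Program Files suggests a
# self-installed copy rather than an IT deployment, so it is rated higher.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\", re.I)

# Constructed process-creation telemetry (simplified Sysmon-style fields).
SAMPLE_EVENTS = [
    {"host": "WS-0142", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\ScreenConnect.ClientSetup.exe",
     "cmdline": "ScreenConnect.ClientSetup.exe /s"},
    {"host": "WS-0142", "user": "CORP\\jdoe",
     "image": r"C:\Program Files\Tailscale\tailscaled.exe",
     "cmdline": "tailscaled.exe"},
    {"host": "WS-0077", "user": "CORP\\helpdesk-svc",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "cmdline": "TeamViewer.exe"},
    {"host": "WS-0077", "user": "CORP\\alee",
     "image": r"C:\Users\alee\AppData\Local\Temp\TeamViewer.exe",
     "cmdline": "TeamViewer.exe"},
    {"host": "WS-0077", "user": "CORP\\alee",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]


def classify(event):
    """Name the RMM tool an event belongs to, or None if it is not one."""
    haystack = f"{event['image']} {event['cmdline']}"
    for name, rx in RMM_SIGNATURES.items():
        if rx.search(haystack):
            return name
    return None


def find_unsanctioned_rmm(events, sanctioned=SANCTIONED):
    """Alert on RMM tool execution by any account not authorised for that tool.
    Severity is 'high' when the binary lives in a user-writable location."""
    alerts = []
    for e in events:
        tool = classify(e)
        if tool is None or e["user"] in sanctioned.get(tool, set()):
            continue
        severity = "high" if USER_WRITABLE.search(e["image"]) else "medium"
        alerts.append({"host": e["host"], "user": e["user"], "tool": tool,
                       "severity": severity, "image": e["image"]})
    return alerts


if __name__ == "__main__":
    for a in find_unsanctioned_rmm(SAMPLE_EVENTS):
        print(a)
```

In the constructed sample the help desk service account running TeamViewer is policy-compliant and produces nothing, while the same tool under an ordinary user's AppData directory, and any ScreenConnect or Tailscale at all, are flagged. Keying the allowlist on the account as well as the tool matters here: Scattered Spider's tradecraft is to obtain an ordinary employee's credentials and then install a tool the organisation may already use elsewhere.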
Recommendations for Defense
To mitigate the risks posed by Scattered Spider, Check Point recommends a multi-layered security approach:
- Domain Monitoring: Continuously monitor new domain registrations for names that resemble your organization’s brand and login portals (the victimname-sso, -okta and -servicedesk conventions above, their prefix variants such as okta-victimname and corp-victimname, and typosquats).
- Adaptive MFA Solutions: Deploy multi-factor authentication that evaluates context (repeated prompts, new devices, unusual locations or times) rather than relying solely on simple approve/deny push notifications, which MFA fatigue attacks abuse.
- Employee Awareness Training: Educate staff to recognize social engineering tactics, including vishing and MFA fatigue.
- Vendor Security Assessments: Regularly audit third-party vendors for robust identity verification processes and incident response capabilities.
- Incident Response Planning: Develop and maintain sector-specific response plans to address breaches involving sensitive customer data.
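The domain-monitoring recommendation, and the naming conventions catalogued in the Expanding Attack Infrastructure section, can be combined into a simple triage step over a registration feed. The following is an added example written for this page, not Check Point's code or any registrar's API: the prefix and suffix tokens come from the report's domain list (okta-, corp-, helpdesk-, vpn-, internal-, servicedesk-, and -sso, -okta, -servicedesk, -support), while the brand names, the owned-domain list and the "new registrations" feed are constructed assumptions. It also flags one-edit typosquats such as activecampiagn, and checks every label so that lookalikes hosted on a public subdomain service (as with klv1.it.com in the table) are caught as well.

```python
# Assumptions for this example: the brands to protect and the domains you own.
BRANDS = ["acme", "activecampaign"]
OWN_DOMAINS = {"acme.com", "activecampaign.net"}

# Prefix/suffix tokens taken from the naming conventions in the report's domain list.
PREFIXES = ["okta", "corp", "helpdesk", "vpn", "internal", "servicedesk"]
SUFFIXES = ["sso", "okta", "servicedesk", "support"]


def portal_patterns(brand):
    """All portal-style labels an attacker might register for a brand, with and
    without the hyphen (acme-sso, acmesso, okta-acme, oktaacme, ...)."""
    labels = set()
    for p in PREFIXES:
        labels.update({f"{p}-{brand}", f"{p}{brand}"})
    for s in SUFFIXES:
        labels.update({f"{brand}-{s}", f"{brand}{s}"})
    return labels


def is_typosquat(label, brand):
    """True if label is one edit from brand: a substitution, an adjacent
    transposition (activecampiagn), or a single inserted/deleted character."""
    if label == brand:
        return False
    if len(label) == len(brand):
        diffs = [i for i, (a, b) in enumerate(zip(label, brand)) if a != b]
        if len(diffs) == 1:
            return True
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and label[diffs[0]] == brand[diffs[1]]
                and label[diffs[1]] == brand[diffs[0]])
    if abs(len(label) - len(brand)) == 1:
        short, long_ = sorted((label, brand), key=len)
        return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))
    return False


def classify_domain(domain, brands=BRANDS, own=OWN_DOMAINS):
    """Return (kind, brand) if the domain looks like an impersonation, else None.
    Accepts defanged input ('acme-sso[.]com') as used in threat-intel feeds."""
    domain = domain.lower().replace("[.]", ".")
    if domain in own:
        return None
    # Check every label below the TLD so acme-sso.it.com is caught too.
    for label in domain.split(".")[:-1]:
        for brand in brands:
            if label == brand:
                return ("brand-on-other-tld", brand)
            if label in portal_patterns(brand):
                return ("portal-pattern", brand)
            if is_typosquat(label, brand):
                return ("typosquat", brand)
    return None


def triage(feed, brands=BRANDS):
    """Run a list of newly registered domains through classify_domain."""
    hits = []
    for d in feed:
        verdict = classify_domain(d, brands)
        if verdict:
            hits.append((d.lower().replace("[.]", "."), *verdict))
    return hits


# Constructed sample of a "new registrations" feed (not real data).
NEW_REGISTRATIONS = [
    "acme-sso[.]com", "okta-acme.com", "activecampiagn.net",
    "acme-servicedesk.it.com", "acmesupport.net", "acme.net",
    "acme.com", "example.org",
]

if __name__ == "__main__":
    for hit in triage(NEW_REGISTRATIONS):
        print(*hit)
```

Two practical caveats: a one-edit rule on a four-letter brand like the constructed "acme" will match many unrelated words, so short brands need a longer-edit bar or an allowlist; and a hit is a lead for takedown and for blocking at the proxy or mail gateway, not proof of an active campaign, so pair it with the help-desk and MFA telemetry the report also points to.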