What We Can Learn from the MGM and Caesars Entertainment Social Engineering Hacks

We delve into the social engineering hacks that breached the cyber security measures of MGM Resorts and Caesars Entertainment. We learn how these hacks work and what casino players can learn from them to secure their personal accounts.
Only days after we reported on several attempts to scam the online crypto casino into buying fake tokens for Stake Casino and Roobet Casino, the gambling sector was shocked to learn that MGM Resorts had fallen foul of a crippling cyber security hack.
The most shocking part of the entire debacle is that it wasn't a complex cipher or an intrusive piece of hacking software that brought down the multi-billion-euro gambling giant; it was a ten-minute phone call.
What is Social Engineering?
As we mentioned in previous discussions of blockchain and crypto hacks, the weakest point of most systems is not the technology but the people who use it.
The MGM Resorts hack is the perfect example of this. These invasive campaigns are known as 'social engineering' in cyber security circles. The plan is simple: target people with clearance and, through one-on-one communication, talk them into handing over access to information or systems that are supposed to be secure.
Cyber security watchdog VX Underground shared the following on Twitter:
“All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk. A company valued at $33,900,000,000 was defeated by a 10-minute conversation.”
While the MGM Resorts management team has yet to comment on the attack, it is common knowledge that several digital and online systems are still offline, including the online casino website, the booking software, and several slot machines on the casino floor.
The only statement has been an update noting that they are still trying to "resolve" their "cybersecurity issue". Management is believed to be refusing to pay the ransom demanded to unlock its systems, so as to avoid creating a feeding frenzy of copycats.
A Tangled Web Indeed
Since the revelation of the attack on MGM Resorts International, it has come to light that Caesars Entertainment suffered the same kind of infiltration. The group responsible for breaching Caesars has been linked to the MGM scandal, leaving many to believe ALPHV was working with a team known as Scattered Spider.
VX Underground posted on social media:
“When Scattered Spider compromised MGM, they tried to modify the code for the slot machines to make them spit out money 😂😂 These nerds are going full Ocean's Eleven.”
Not willing to take a hit to their bottom line, Caesars Palace management reportedly decided to meet the hackers' demands and paid the dastardly duo a ransom of more than €26 million.
Given what we see with MGM, this may have been the best course of action, especially since Scattered Spider is considered one of the most effective hacker groups operating in the US, meaning a payment-free resolution was highly unlikely.
What Can We Learn from These Hacks?
While most of us don't have millions of euros that could attract a global hacking group, there are many lessons we can learn when securing our online casino accounts, crypto wallets, and bank accounts.
Here are 5 tips for keeping your information safe:
- Never give out passwords online – no one needs your access but you.
- Super kind and super pushy should raise a red flag – if someone claims to be in a hurry, says they feel silly for missing information, or aggressively pushes you to hand over information without proper authority, they are up to no good.
- Secure your login details – only use highly rated password managers, or better yet, keep your account information offline. Do not save it to your phone or in a Word document on your computer.
- Be wary of emails or text messages asking for information – messages with 'click here to login' or 'complete your information to secure your…' must be avoided. Contact the company directly to confirm whether the message is legit. If you're unsure – we're sure it won't be.
- Context matters – be aware of information requests that make no sense. Why would Amazon need your social security number? Why would your Windows software require you to log in to your bank account? If it sounds dumb, it's probably a scam.
At the core of social engineering attacks is the realisation that people don't like to feel they don't know something, and that people want to talk; depending on the mark, being a bully or being friendly will yield results.
If you feel locked into an uncomfortable conversation, just kill the call and block the number. Better to be impolite than to risk your online security.