Stopping Scattered Spider-Like Attacks at the Identity Layer: How Airlines Can Thwart Identity-Based Attacks

The name sounds almost playful, yet the damage is painfully real. The hacking collective known as Scattered Spider, the same group that caused MGM Resorts to absorb $100 million in losses in 2023, has recently widened its scope from retailers, insurance companies, and casinos to airlines. On June 28^th, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint bulletin warning that the group is “actively probing airline service desks and contractor networks,” urging carriers to tighten identity checks before allowing password resets or new device enrollments. 

Security teams suddenly needed countermeasures.  

Why the customer service desk is their favorite door

Scattered Spider does not begin with malware. It begins with a phone call. During the September 2023 breach at MGM Resorts, attackers located an employee profile on LinkedIn, called the company’s service desk, and persuaded the agent to reset that user’s credentials. Minutes later they added a new phone as a multi-factor authentication (MFA) factor, logged in, and pivoted across the network, eventually disrupting hotel reservations and gaming systems. 

The same playbook surfaced at Caesars Entertainment several days earlier. Caesars disclosed that a social-engineering attack against an outsourced IT support vendor allowed intruders to grab customer-rewards data. Press reports later confirmed the casino paid roughly $15 million to keep stolen files off public leak sites. 

The pattern is clear: find a support channel under deadline pressure, sound helpful, and request a credential reset that hands the keys to the attacker.  

How Scattered Spider plans and executes breaches 

Security vendors often call Scattered Spider a “loose collective,” and public indictments describe many members as native English speakers in their late teens or twenties. What binds them together is a repeatable method that hops industries: 

1. Open-source intelligence (OSINT) 

Operators sift LinkedIn and Twitter for org charts, phone numbers, and personal quirks. 

Group-IB’s research into the 0ktapus campaign showed the threat actors mapping org charts and mobile numbers from LinkedIn, GitHub, and social feeds, then spoofing single-sign-on (SSO) pages with company branding.  

To charm help–desk staff, they built convincing stories, down to inside jokes pulled from company Slack channels. 

2. Targeting phishing and SMS lures 

In August 2022, the actors blasted Twilio employees with text messages posing as Okta login alerts. Once an employee typed a one-time code into the fake site, the threat actors replayed the code in real time and stole active sessions. Cloudflare, hit the same night, escaped only because it required hardware security keys. 

3. SIM swap or voice vishing to hijack phone numbers 

Threat actors impersonate a corporate user, convince a mobile provider to move a phone number to a new SIM, and intercept MFA codes. That tactic helped them breach multiple insurance companies and steal social security numbers, claim histories, and policy data, according to an HHS social-engineering brief. 

4. Help–desk persuasion and MFA enrollment 

The famous MGM and Caesars twin hits show this method clearly. Caesars admitted that a third-party IT vendor was socially engineered, while MGM’s front-line support was tricked into adding a rogue device to a privileged account. Scattered Spider then locked out administrators, stole six terabytes of data, and attempted a double-extortion ransom. 

While the MGM and Caesars attacks show the most extreme impact, the tactic spans sectors. Insurance companies Aflac, Erie, and Philadelphia Insurance each reported breaches in May 2025 that began with phone-based impersonation of employees or vendors. 

5. Executive hunting for maximum leverage 

Sometimes the group bypasses all middle layers and goes straight for the C-suite. 

ReliaQuest recently documented a campaign dubbed “CFO to Compromise.” Scattered Spider actors gathered flight itineraries and conference schedules for finance chiefs. The attackers then used a mix of public LinkedIn information and phone-based vishing to persuade a regional carrier to reissue a corporate SIM card for its chief financial officer. Within an hour they captured Slack tokens, downloaded contracts, and demanded a “consulting fee” to stay quiet. 

Days later, Dark Reading reported a similar breach, in which Scattered Spider stole more than 1,400 secrets from a cloud password vault after hijacking a CFO account, disabling incident responders as they went. 

6. Exploit internal tools, ransom fast 

CISA’s advisory underscores how quickly they shift from initial access to destructive action. Once inside, the intruders use legitimate admin tools such as PowerShell and vSphere to disable backups, extract phone lists, scrape customer databases, then drop ransomware across Windows and VMware hosts almost simultaneously. Trellix researchers call the blend of patient social engineering and sudden “scorched earth” actions the group’s signature tactic. 

How identity-first security strengthens enterprise defenses 

Perimeter firewalls monitor packets, yet Scattered Spider walks through valid logins. Identity-first controls interrogate the person. A modern defense stack asks, “Is the human behind this request truly our employee?” Without a strong answer, every other safeguard is guesswork.  

In turn, organizations should consider the following five pillars to establish a multi-layered identity-first security posture: 

Pillar 1: Verified possession signals 

Start with what the user is holding. Silent carrier checks confirm that the phone’s SIM remains associated with the same subscriber, barring stealth SIM swaps. Device posture reviews collect model, OS patch level, root status, and IP reputation. A mismatch from the user’s history increases the risk assessment immediately. 

Pillar 2: High-confidence biometrics 

Face, fingerprint, and voice prints link the request to a living person. Unlike one-time passwords, biometrics cannot be texted to an attacker. When a face capture is tied to a previously verified passport chip, the probability of false authentication reduces dramatically. 

Pillar 3: Document authenticity 

Government IDs carry security features, NFC chips, and known patterns. A genuine document read by optical character recognition plus hologram scan withstand Photoshop fakery. Scanned IDs also bring regulatory weight: if you claim to be Jane Doe, you now leave a traceable audit trail. 

Pillar 4: Behavioral and contextual analytics 

Normal employees log in from familiar time zones, at natural velocities, and reset passwords only a few times a year. When a brand-new laptop in another hemisphere tries four resets in twenty minutes, the anomaly engine lights up. 

Pillar 5: Automated step-up paths 

Risk never stays static. A well-designed workflow escalates from silent checks to device possession to biometric proof only when needed, keeping friction low for trusted traffic. The beauty is that every extra step also feeds fresh data back into the risk model, making the next decision even smarter. 

What this means for an enterprise’s security posture 

With all five pillars operating, an attacker must control the victim’s phone, face, passport, laptop, network location, and behavioral fingerprint. That is an expensive heist. Most crooks go elsewhere. 

No single layer is perfect, yet the combination forces attackers to control the victim’s phone, face, passport, and usual device at the same time, an effort that rarely scales. 

Sample workflow to prevent such attacks 

The ID Dataweb platform enables swift implementation beneath any service desk environment. Here’s how such a solution could be configured: 

• MobileMatch to BioGov ID in the US. A carrier lookup ensures the SIM has not recently migrated, and the name on the account matches HR records, blocking most SIM-swap attempts. Document verification verifies the user’s personally identifiable information (PII). This makes it nearly impossible for an attacker to succeed without physical access to the victim’s device. 

• BioGov ID (International). For enhanced security, users can scan passports or driver licenses and provide live selfies for liveness checks and chip readings. This process establishes a direct link between user identity and government-issued IDs, effectively thwarting social engineering attempts. 

Organizations considering similar solutions internally would typically face challenges such as extended development timelines with up to six months efforts required, negotiating new vendor agreements, and assessing heightened security risks. ID Dataweb’s agile deployment capabilities enable organizations to stay ahead of evolving threats, ensuring proactive defense measures outpace potential attackers. 

Lessons every security leader can borrow 

1. Treat the help desk like tier zero. If your reset channel is a soft target, so is everything behind it. Map each reset path—voice, chat, email—and force them through the same policy. No “quick exceptions.” Draft scripts, rehearse them, empower agents to say no. 

2. Combine possession and biometrics. Each factor alone can fail; together they raise the cost beyond most criminals’ means. Require a carrier check or device reputation score to confirm the phone hasn’t just changed hands or appeared on a blocklist. If a factor fails, surface a secondary path that logs additional context rather than silently denying.  

3. Extend the net to partners. Your defenses are only as strong as the weakest badge that opens a side door—contract caterers, outsourced developers, SaaS vendors running scripts on your production environment. If your employees face SIM‑plus‑biometric gates, your partners should as well. 

4. Expect change at a moment’s notice. Threat groups iterate faster than traditional release cycles. Your tooling needs the same agility. Choose platforms with policy‑as‑code or low/no‑code editors. A drag‑and‑drop rule pushed at 2 AM beats a hotfix ticket waiting for sprint planning.