Human beings are inherently social creatures, which can be both a blessing and a curse, especially in the world of cybersecurity and identity crime. Understanding the intricacies of social engineering attacks is paramount in comprehending their threat to businesses. These attacks exploit human vulnerabilities by tailoring strategies to target specific demographics or personality types, utilizing personal, social, and cultural information.
Through an exploration of a prominent case involving MGM Resorts and discussions on defense strategies, we can begin to see the critical need for innovative solutions like Photolok in safeguarding against such threats.
What is a social engineering attack in cybersecurity?
In the context of security, social engineering describes a method of tailoring an attack to target a specific demographic or personality type using information gathered about their personal, social, and cultural habits and expectations. According to Carnegie Mellon University, social engineering attacks rely on “manipulating, influencing, or deceiving a victim in order to gain control over a computer system, or to steal personal and financial information.” This is considered a form of psychological manipulation and usually occurs in a four-step cycle:
- Investigation. The attacker identifies their target and learns as much about their background and personality as possible.
- Organization. The attacker uses the information they’ve gathered to create a plausible and personally engaging “hook” that draws the target in.
- Enaction. The attacker deploys the “hook” and extracts credentials, sensitive data, or money from the target, who usually does not realize anything is wrong at the time.
- Exit. The attacker covers their tracks and disappears before the target realizes they’ve been scammed.
Social engineering attacks rely heavily on our expectations and on a manufactured sense of urgency. Suppose you receive an email that appears to come from your bank. You are far less likely to check whether it is genuine if it threatens to close your account and take legal action unless you “confirm your identity,” or if it claims your information has been compromised and that following its link is the only way to avoid thousands of dollars in losses.
The most common form of social engineering attack is phishing: the attacker duplicates or “spoofs” an official form or website and directs targets to it with a spoofed message “alerting” them to a problem with, or update to, their account. The spoofed site looks just like the login screen of the real business or organization, but everything typed into it goes straight to the attacker, who can then use it to log in to the legitimate site. Some phishing pages show an error after the form is submitted; many simply forward the victim to the real site or proxy it in real time, so a successful login afterwards is no proof that the page was genuine. The reliable check is the domain in the address bar, not the look of the page, which is also why a password manager that only autofills on the real origin is such a strong defense.
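The two signals described above, the spoofed domain and the pressure wording, are what a mail-triage rule would look for. The following Python script is an added example written for this page, not code from the original article or from any product it mentions: it classifies sender and link domains as trusted, lookalike (brand embedded in another domain, digit or Cyrillic confusables, the “rn” for “m” trick, single-keystroke typosquats) or unrelated, counts urgency cues, and scores three constructed messages. The trusted domain `examplebank.com`, the sample messages and the scoring thresholds are all assumptions made for the example.

```python
"""Heuristic phishing triage: lookalike-domain and urgency-wording checks.
Added example for this page; allow-list and sample messages are constructed."""
import re
import unicodedata
from urllib.parse import urlparse

# Assumption: the only legitimate login domain for this organisation's users.
TRUSTED_DOMAINS = {"examplebank.com"}

# Pressure phrases typical of the "act now or lose your account" hook.
URGENCY_PATTERNS = [
    r"\b(closed?|suspend(ed)?|terminat(ed|ion)|legal action)\b",
    r"\bwithin \d+ (hours?|minutes?)\b",
    r"\b(immediately|urgent(ly)?)\b",
    r"\b(verify|confirm) your (identity|account|information)\b",
    r"\bcompromised\b",
]

# Characters attackers substitute for Latin letters in lookalike domains.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                 # Cyrillic с х у
})


def registered_domain(host: str) -> str:
    """Last two labels, e.g. login.examplebank.com -> examplebank.com.
    Simplification: multi-label public suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(domain: str) -> str:
    """Comparison form of a domain: decode punycode, strip accents, fold
    confusable characters, collapse the 'rn'->'m' and 'vv'->'w' tricks."""
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: compare as-is
    folded = unicodedata.normalize("NFKD", domain)
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return folded.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a host name."""
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    reg_sk, host_sk = skeleton(reg), skeleton(host.lower())
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if skeleton(trusted) == reg_sk:                        # examp1ebank.com
            return "lookalike"
        if brand in host_sk:                                   # examplebank.com.evil.net
            return "lookalike"
        if edit_distance(brand, reg_sk.split(".")[0]) <= 2:    # examplebamk.com
            return "lookalike"
    return "unrelated"


def triage(message: dict) -> dict:
    """Score one message ({'from', 'subject', 'body'}): 2 points per
    impersonating domain, 1 point if urgency wording is present."""
    findings, lookalikes = [], 0
    sender_host = message["from"].rsplit("@", 1)[-1]
    if classify_domain(sender_host) == "lookalike":
        lookalikes += 1
        findings.append(f"sender domain {sender_host!r} impersonates a trusted domain")
    for url in re.findall(r"https?://[^\s<>\"']+", message["body"]):
        if classify_domain(urlparse(url).hostname or "") == "lookalike":
            lookalikes += 1
            findings.append(f"link {url!r} points at a lookalike domain")
    text = f"{message['subject']} {message['body']}".lower()
    cues = [p for p in URGENCY_PATTERNS if re.search(p, text)]
    if cues:
        findings.append(f"{len(cues)} urgency cue(s) in subject/body")
    score = 2 * lookalikes + (1 if cues else 0)
    verdict = "phishing" if score >= 2 else ("review" if score else "clean")
    return {"verdict": verdict, "score": score, "findings": findings}


SAMPLE_MESSAGES = [  # constructed for this example, not real traffic
    {"from": "security@examplebank-verify.com",
     "subject": "Action required: account will be suspended",
     "body": "Verify your identity within 24 hours at https://examplebank.com.secure-login.net/auth"},
    {"from": "alerts@ex\u0430mplebank.com",  # Cyrillic 'а' (U+0430) in place of Latin 'a'
     "subject": "Security alert",
     "body": "Your information has been compromised. Sign in immediately at https://ex\u0430mplebank.com/login"},
    {"from": "alerts@examplebank.com",
     "subject": "Your monthly statement is ready",
     "body": "View it at https://login.examplebank.com/statements when convenient."},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], "->", triage(m))
```

The first two samples score 5 (two impersonating domains plus urgency wording) and are flagged as phishing; the genuine statement notice scores 0. The domain check is deliberately conservative: it only knows the brands in `TRUSTED_DOMAINS`, and a real deployment would replace the two-label heuristic with a public-suffix list.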
What happened during the MGM attack?
In September of 2023, the Las Vegas giant MGM Resorts faced a major cyberattack that took down large parts of its casino and hotel operations across multiple properties. UK news outlet The Daily Mail said of the attack that “the main website for MGM Resorts remained down on Wednesday [September 13] morning, following a ‘cybersecurity incident’ the company says impacted reservations and casino floors in Nevada and seven other states.”
Potentially the most embarrassing part of the breach is that the initial access reportedly came from a roughly 10-minute phone call built on information about one employee that had been gathered through social engineering. According to some reports, a member of the attacking group looked the employee up on LinkedIn, then called the company’s IT help desk posing as them and talked the help desk into resetting the account’s credentials. With that foothold inside the environment, the attackers were able to escalate their access and launch a massive ransomware attack.
The disruption lasted about 10 days and cost the company an estimated $100 million in lost business, which doesn’t even account for the cost of rebuilding its security infrastructure. The breach affected around 10.6 million people, whose personal information, including names, contact details and dates of birth and, for a smaller number of guests, government ID numbers, was exposed.
How can businesses protect themselves from social engineering attacks?
The biggest challenge with social engineering attacks is the human element: it’s hard to stop an attack you don’t realize is happening. In the case of vishing (phishing attempts conducted via phone call or voicemail), unless a service representative is familiar with the voices of every employee, recognizing an impersonator by voice alone is nearly impossible.
Because of this, it’s best to build layers of protection into every method of access. Service representatives should confirm identity with multiple pieces of evidence, such as a password, a PIN, or another verification method, and those checks must not rely on facts an attacker can look up, since an employer, job title, manager’s name, or date of birth is exactly what a LinkedIn profile gives away. A help desk should treat password and MFA resets as high-risk requests: call the employee back on a number already on file, or require confirmation from their manager, before changing anything. Multi-factor authentication (MFA) should also be required at most if not all access points, preferably a phishing-resistant form, so that a stolen password alone does not give an attacker everything they need.
Photolok is a service that offers a novel approach to thwarting phishing attempts. Unlike conventional authentication methods that rely on security questions or email verification, Photolok uses a photo-based authentication system: users designate specific photos as “keys” to their accounts. When attempting to access the service, users are prompted to select their photo from a grid, and access is granted only when the correct photo is chosen.
The strength of Photolok lies in the fact that it does not rely on easily compromised numerical codes, security question responses, or passwords that can be captured by a phishing page. By using unique photos, Photolok raises the bar for attackers trying to guess or phish access credentials, especially since attackers have no access to Photolok’s internal bank of photos.
Photolok also integrates features engineered to resist AI and machine learning-driven attacks, which gives the system more room to adapt to evolving threats than traditional MFA. Additional options, such as marking a photo for one-time use and designating a “Duress” photo that grants entry but silently alerts administrators when a user is being forced to log in, further strengthen security, particularly in public and remote work environments.
You can learn more about Photolok and how it can protect your company from social engineering attacks by contacting the sales team.
Read More: Passkeys vs. Traditional Passwords in Cybersecurity
Read More: Phishing and MFA: How Attackers Bypass Extra Security Layers
Read More: How IdP Assists with AI-Based Fraud Detection