Cybercriminals known as Scattered Spider are launching social engineering attacks on MSPs and IT vendors.
Scattered Spider Cyber Threat Group Continues to Target MSPs and IT Vendors
The latest intelligence reveals that the cybercriminal group Scattered Spider is persistently targeting managed service providers (MSPs), IT vendors, and large enterprises with advanced and evolving social engineering techniques.
Social Engineering Techniques Used
Scattered Spider employs a variety of sophisticated methods to gain access to targeted organizations. These include impersonating company employees or IT/helpdesk staff through phone calls, SMS, and Telegram messages. They also use phishing, spearphishing, vishing (voice phishing), and SMS phishing (smishing).
To bypass multifactor authentication (MFA), Scattered Spider uses push bombing, overwhelming users with MFA push requests until one is accepted, and SIM swap attacks to take control of victims' phone numbers. They gather personally identifiable information (PII) on targeted employees using open-source intelligence and business-to-business websites.
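A defender can look for the push-bombing pattern described above in MFA logs: a burst of denied or unanswered push prompts for one user, especially one that ends in an approval. The sketch below is an added example, not code from the report or from any vendor; the log layout, the sample events, and the window and threshold values are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (assumed layout: timestamp user factor result).
SAMPLE_LOG = """\
2025-05-02T03:10:05Z alice push denied
2025-05-02T03:10:40Z alice push timeout
2025-05-02T03:11:15Z alice push denied
2025-05-02T03:11:50Z alice push timeout
2025-05-02T03:12:30Z alice push denied
2025-05-02T03:13:05Z alice push timeout
2025-05-02T03:13:40Z alice push approved
2025-05-02T09:00:00Z bob push denied
2025-05-02T09:00:30Z bob push approved
2025-05-02T10:00:00Z carol push denied
2025-05-02T10:15:00Z carol push denied
2025-05-02T10:30:00Z carol push denied
2025-05-02T10:45:00Z carol push denied
2025-05-02T11:00:00Z carol push denied
2025-05-02T11:05:00Z dave totp approved
"""


# window and threshold are assumed tuning values; adjust to local baselines.
def detect_push_bombing(log_text, window=timedelta(minutes=10), threshold=5):
    """Return (user, kind, unapproved_count, time) alerts for push bursts."""
    recent = defaultdict(deque)  # user -> times of unapproved push prompts
    flagged = set()              # users whose current burst was already reported
    alerts = []
    # ISO-8601 timestamps lead each line, so a plain sort orders events by time.
    for line in sorted(l for l in log_text.splitlines() if l.strip()):
        ts_raw, user, factor, result = line.split()
        if factor != "push":
            continue
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if not q:
            flagged.discard(user)
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold and user not in flagged:
                flagged.add(user)
                alerts.append((user, "burst", len(q), ts))
        elif result == "approved":
            if len(q) >= threshold:  # approval right after a burst: highest priority
                alerts.append((user, "approved_after_burst", len(q), ts))
            q.clear()
    return alerts
```

An `approved_after_burst` alert is the case to triage first, since it indicates a prompt was accepted after the user had been flooded; a single mistaken denial (bob) or denials spread over an hour (carol) produce no alert.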
Multi-layered social engineering involves repeated calls to help-desk personnel to understand password reset procedures, which are then used to reset passwords and gain access. Scattered Spider also buys or compromises employee credentials from illicit marketplaces or third-party services.
Affected Sectors
Initially, telecommunications and business process outsourcing (BPO) served as springboards for attacks. More recently, the retail, insurance, and aviation sectors have been targeted. Notable attacks have been reported on technology companies such as Twilio, MailChimp, and Riot Games, as well as on UK retailers.
Scattered Spider has also targeted cloud services, exploiting VMware ESXi servers and Snowflake data environments to rapidly exfiltrate large volumes of data to platforms such as MEGA.nz and Amazon S3.
Notable Previous Incidents
In 2022, Scattered Spider launched smishing attacks against Twilio, leading to compromised employee accounts and a supply chain attack affecting Signal messaging app users. In 2023, they carried out a phishing and social engineering attack on MailChimp, affecting customers in the cryptocurrency and finance sectors.
In January 2023, Scattered Spider attacked Riot Games, resulting in source code theft. September 2023 saw attacks on Caesars Entertainment and MGM Resorts, leading to the theft of nearly six terabytes of sensitive guest and company data, followed by BlackCat ransomware deployment.
In April 2025, Scattered Spider launched a ransomware attack on UK retailer Marks & Spencer using the DragonForce ransomware-as-a-service (RaaS).
Investigation and Concerns
An investigation by Tata Consultancy suggests a possible expansion of Scattered Spider's targets to include major retail companies like Marks & Spencer. The use of third-party IT vendors as potential gateways for cyber-attacks is a growing concern in the security industry.
According to a report by the Financial Times, Tata Consultancy is investigating whether hackers used the third-party IT vendor as a gateway in the attack against Marks & Spencer.
The report on the Scattered Spider campaign was released on Friday by ReliaQuest. The analysis shows that Scattered Spider has been active from Q1 2022 through 2025.