Phishing attacks were so well-orchestrated that they fooled some of the best in the business.

Federal prosecutors have charged five men with running an extensive phishing scheme that allegedly allowed them to compromise hundreds of companies nationwide, gain non-public information, and steal millions of dollars in cryptocurrency.

The charges, detailed in court documents unsealed Wednesday, pertain to a crime group security researchers have dubbed Scattered Spider. Members were behind a massive breach of MGM last year that cost the casino and resort company $100 million. MGM preemptively shut down large parts of its internal networks after discovering the breach, causing slot machines and keycards for thousands of hotel rooms to stop working and slowing electronic transfers. Scattered Spider also breached the internal network of authentication provider Twilio, which allowed the group to hack or target hundreds of other companies.

Not your father’s phishing campaign

Key to Scattered Spider’s success were phishing attacks so methodical and well-orchestrated they were hard to detect even when sophisticated defenses were implemented. Microsoft researchers, who track the group under the name Octo Tempest, declared it “one of the most dangerous financial criminal groups.”

In multiple filings, federal prosecutors named the five defendants as:

  • Ahmed Hossam Eldin Elbadawy, 23, aka “AD,” of College Station, Texas;
  • Noah Michael Urban, 20, aka “Sosa” and “Elijah,” of Palm Coast, Florida;
  • Evans Onyeaka Osiebo, 20, of Dallas;
  • Joel Martin Evans, 25, aka “joeleoli,” of Jacksonville, North Carolina; and
  • Tyler Robert Buchanan, 22, of the UK.

“We allege that this group of cybercriminals perpetrated a sophisticated scheme to steal intellectual property and proprietary information worth tens of millions of dollars and steal personal information belonging to hundreds of thousands of individuals,” US Attorney Martin Estrada said. “As this case shows, phishing and hacking has become increasingly sophisticated and can result in enormous losses. If something about the text or email you received or website you’re viewing seems off, it probably is.”

Prosecutors allege that the phishing attacks ran from at least September 2021 to April 2023. During that time, the defendants sent text messages to mobile phones of employees of the targeted companies that purported to come from the IT departments of their employers.

The text messages often falsely warned that the employees’ accounts would be deactivated imminently unless they clicked on links to malicious sites that were designed to look like legitimate websites used by victim companies. The phishing sites attempted to lure the employees into providing confidential information, including account login credentials. Some employees took the bait by visiting the sites, entering their credentials, and authenticating their identities with two-factor authentication. Scattered Spider then entered the intercepted passwords and 2FA credentials into the legitimate sites and gained access to the employee accounts.

Once inside targeted companies’ networks, the defendants allegedly stole confidential information, including personal information, such as account credentials, names, email addresses, and telephone numbers. Prosecutors said the defendants also used information stolen from hacked companies and elsewhere to access cryptocurrency accounts or wallets of “numerous individuals” and take millions of dollars’ worth of digital coins.

If convicted, each defendant faces a maximum sentence of 20 years in prison for conspiracy to commit wire fraud, up to five years in federal prison for one count of conspiracy, and a mandatory two-year consecutive prison sentence for aggravated identity theft. Buchanan also faces up to 20 years in prison if he is convicted of wire fraud.
