MGM and Caesars Got Hacked by a Phone Call. Social Engineering Still Wins.
MGM Resorts International has been crippled for over a week. Hotel room keys don't work. Slot machines are offline. Reservations are down. Guests can't check in or out electronically. The estimated cost: over $100 million.
Caesars Entertainment was hit by the same group and quietly paid a reported $15 million ransom.
The attack vector for both: a phone call to the IT help desk.
How It Happened
The attackers, a group called Scattered Spider (affiliated with ALPHV/BlackCat ransomware), used a deceptively simple technique:
- They identified an employee on LinkedIn
- They called the company's IT help desk pretending to be that employee
- They convinced the help desk to reset the employee's credentials or provide MFA bypass
- Using those credentials, they accessed internal systems
- They escalated privileges, moved laterally, and deployed ransomware
No zero-day exploit. No sophisticated malware. A phone call and a convincing story.
Why This Matters for Every Practice
MGM has a security budget larger than the entire revenue of most dental, legal, and financial practices. They have dedicated security teams, enterprise tools, and advanced monitoring. And they were taken down by social engineering targeting their help desk.
Your practice has the same vulnerability. Anyone who answers the phone, processes a password reset, or handles an IT request is a potential target for social engineering.
For Dental and Medical Practices
The front desk staff who resets a password when a provider calls and says "I'm locked out." The office manager who gives a vendor remote access when they call about a "critical update." These are the same attack patterns.
For Law Firms
The paralegal who processes a wire transfer request from someone claiming to be a partner. The IT coordinator who resets DMS credentials based on an email request.
For Financial Practices
The bookkeeper who changes bank routing information based on a client email. The admin who provides system access to someone claiming to be from the software vendor.
Defending Against Social Engineering
- Callback verification for all credential resets. Never reset a password based on an inbound call. Call the person back at their known number.
- Identity verification protocols. Establish challenge questions or verification codes that must be provided before any access changes.
- MFA that can't be socially engineered. Push notifications and authenticator apps are better than phone-based verification. Hardware keys (YubiKey) are best.
- Limit help desk authority. Help desk staff shouldn't be able to bypass MFA or grant admin access. Privileged actions should require additional approval.
- Train for social engineering specifically. Generic security awareness isn't enough. Train staff on the specific social engineering scenarios relevant to their role.
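The four procedural controls above (callback to a number already on file, a verification code exchanged out of band, no help-desk path to bypass MFA or grant admin rights without a second approver, and an audit trail) can be written down as a decision rule so they are not left to whoever answers the phone. The following Python is an added illustration, not code from the original post or from MGM, Caesars or any vendor; the employee directory, phone numbers, ticket identifiers and log events are constructed sample data, and the function and field names are my own.

```python
"""
Help-desk credential-reset policy as code (added example; not from the post).
Models the controls the post lists: a reset never succeeds on an inbound call
alone, the callback must go to the number already on file (never one the
caller supplies), a one-time code must be exchanged, and MFA bypass or admin
grants require a second approver. All data below is constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed directory. Only the number on file may receive a callback.
DIRECTORY = {
    "jdoe": {"phone_on_file": "+1-555-0100"},
    "ksmith": {"phone_on_file": "+1-555-0101"},
}

# The help desk may complete these alone; anything else needs a second approver.
HELP_DESK_ALLOWED = {"password_reset"}


@dataclass
class ResetRequest:
    username: str
    inbound_caller_id: str            # whatever the PBX shows; treated as untrusted
    action: str                       # "password_reset", "mfa_bypass", "grant_admin"
    callback_done: bool = False
    code_issued: Optional[str] = None
    code_presented: Optional[str] = None
    second_approver: Optional[str] = None
    audit: List[str] = field(default_factory=list)


def perform_callback(req: ResetRequest, number_dialed: str) -> bool:
    """Record a callback; it only counts when made to the number on file."""
    on_file = DIRECTORY.get(req.username, {}).get("phone_on_file")
    req.callback_done = number_dialed == on_file
    req.audit.append(
        f"callback to {number_dialed}: "
        + ("matches number on file" if req.callback_done else "NOT the number on file")
    )
    return req.callback_done


def issue_verification_code(req: ResetRequest) -> str:
    """Generate a one-time code to be delivered out of band (to the number on file)."""
    req.code_issued = secrets.token_hex(3)
    req.audit.append("verification code issued out of band")
    return req.code_issued


def evaluate(req: ResetRequest) -> Tuple[bool, str]:
    """Return (approved, reason). Each denial maps to one control in the post."""
    if req.username not in DIRECTORY:
        return False, "unknown account"
    if req.action not in HELP_DESK_ALLOWED and req.second_approver is None:
        return False, "privileged action needs a second approver"
    if not req.callback_done:
        return False, "no callback to the number on file"
    if req.code_issued is None or req.code_presented is None:
        return False, "verification code not exchanged"
    if not hmac.compare_digest(req.code_issued, req.code_presented):
        return False, "verification code mismatch"
    extra = " + second approver" if req.second_approver else ""
    return True, "verified: callback + code" + extra


# Constructed help-desk ticket events for an after-the-fact audit.
SAMPLE_TICKET_LOG = [
    {"ticket": "T-1001", "event": "reset_completed", "user": "jdoe"},
    {"ticket": "T-1002", "event": "callback_to_number_on_file", "user": "ksmith"},
    {"ticket": "T-1002", "event": "reset_completed", "user": "ksmith"},
    {"ticket": "T-1003", "event": "callback_to_caller_supplied_number", "user": "jdoe"},
    {"ticket": "T-1003", "event": "reset_completed", "user": "jdoe"},
]


def find_unverified_resets(events) -> List[str]:
    """Tickets where a reset was completed without a callback to the number on file."""
    verified = {e["ticket"] for e in events if e["event"] == "callback_to_number_on_file"}
    completed = {e["ticket"] for e in events if e["event"] == "reset_completed"}
    return sorted(completed - verified)


if __name__ == "__main__":
    req = ResetRequest("jdoe", "+1-555-0999", "password_reset")
    print(evaluate(req))                      # denied: no callback yet
    perform_callback(req, "+1-555-0100")
    req.code_presented = issue_verification_code(req)
    print(evaluate(req))                      # approved
    print(find_unverified_resets(SAMPLE_TICKET_LOG))
```

The audit function is the piece most practices skip: a weekly pass over the ticket log that lists every reset with no matching callback event surfaces the exact habit the attackers exploited, and it works even when the policy itself is only on paper.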
$100 million in damages from a phone call. Technology can't fix a human trust problem. Only training, procedures, and verification can.