MGM and Caesars Attacks Highlight Social Engineering Risks

The cyberattacks on MGM Resorts International and Caesars Entertainment exposed the widespread effects data breaches can have on an organization — operationally, reputationally, and financially. Although many questions around the specific attack remain, reports say that hackers found enough of an MGM's employee's data on LinkedIn to arm themselves with the right knowledge to call the help desk and impersonate the employee, convincing MGM's IT help desk to obtain that employee's sign-in credentials.

What is the root cause of this breach? This attack, as well as so many other high-profile breaches over the past few years, happened because of our continued reliance on legacy sign-in credentials like passwords and SMS one-time passcodes that can be easily given away and reused.

Phishing Attacks Aren't New, but More Successful

Phishing and social engineering attacks to obtain users' passwords are, of course, nothing new. But now in the age of multifactor authentication (MFA) bypass toolkits and generative AI, these types of attacks have risen in success and popularity with cybercriminals. Attacks can be automated and emails and text messages can appear much more legitimate, which mean more tricked victims. This is what happened with MGM — it takes just a matter of minutes for a hacker to dupe an organization's help desk into handing over credentials by establishing trust.

In the past, many organizations depended on training to defend against phishing and other social-engineering attacks. These efforts are certainly well-intended, but the fact is that measures like coaching employees to identify poor grammar, misspelled words, and strange spacing as indicators of a phishing email are just not effective in today's landscape.

The rise of generative AI combined with easily bypassable legacy forms of MFA have created a cybersecurity threat that cannot be trained away. The threat cannot be overcome unless we make the sign-in credentials these cybercriminals so desperately want much harder — if not impossible — to give away.

Authentication Needs More Than Just Passwords

The Cyber Safety Review Board (CSRB) came to a similar conclusion in its recently released report with findings from the Lapsus$ attacks, another string of social engineering attacks that hit large organizations. In its recommendations to protect against similar attacks, the CSRB suggests organizations move to phishing-resistant authentication, namely Fast Identity Online (FIDO) passwordless authentication.

Phishing-resistant authentication uses cryptography techniques that require possession of a device for sign-in or account recovery. This approach ensures that a help desk or other employee (or a family member or friend in consumer settings) cannot give away sign-in credentials even if they fall for a social-engineering attack. Organizations can combine phishing-resistant authentication with more advanced identity verification methods to arm IT departments and help desk employees to truly tell what is a legitimate account lockout and what is an attack.

Considering the high-profile nature of Lapsu$ and these recent ransomware attacks (along with the clear CSRB guidance), any organization that continues to widely rely on passwords and other knowledge-based credentials for user authentication is at best making a questionable choice, and at worst is opening itself up to accusations of corporate negligence.

Organizations must recognize that the cybersecurity landscape has changed dramatically over the past few years and is continuing to rapidly evolve in the age of generative AI. As the MGM breach demonstrates, companies that fail to implement a sound security strategy, starting with eliminating their dependence on passwords and knowledge-based credentials, are taking an unnecessary gamble that they will eventually lose.