Cyberattacks on MGM and Caesars highlight social-engineering risks
The cyberattacks on MGM Resorts International and Caesars Entertainment exposed the widespread effects data breaches can have on an organization: operationally, reputationally, and financially. Although many questions around the specific attack remain, reports say that hackers found enough of an MGM employee’s data on LinkedIn to arm themselves with the right knowledge to call MGM’s IT help desk and impersonate the employee, convincing the help desk to provide that employee’s sign-in credentials.
What is the root cause of this breach? This attack, as well as so many other high-profile breaches over the past few years, happened because of our continued reliance on legacy sign-in credentials like passwords and SMS one-time passcodes that can be easily given away and reused.
Phishing Attacks Aren’t New, but More Successful
Phishing and social-engineering attacks to obtain users’ passwords are, of course, nothing new. But now, in the age of multifactor authentication (MFA) bypass toolkits and generative AI, these types of attacks have risen in success and popularity with cybercriminals. Attacks can be automated, and emails and text messages can appear much more legitimate, which means more victims are tricked. This is what happened with MGM: it takes just a matter of minutes for a hacker to dupe an organization’s help desk into handing over credentials by establishing trust.
In the past, many organizations depended on training to defend against phishing and other social-engineering attacks. These efforts are certainly well-intended, but the fact is that measures like coaching employees to identify poor grammar, misspelled words, and strange spacing as indicators of a phishing email are just not effective in today’s landscape.
The rise of generative AI, combined with easily bypassable legacy forms of MFA, has created a cybersecurity threat that cannot be trained away. The threat cannot be overcome unless we make the sign-in credentials these cybercriminals so desperately want much harder, if not impossible, to give away.
To read the complete article, visit Dark Reading.