M&S hackers gear up for new attacks, and RaaS provider continues cyber showdown
Hundreds of fake domains associated with Scattered Spider group
The hacking group responsible for recent attacks on M&S, Qantas and others has ramped up its efforts to phish companies across sectors.
Scattered Spider, known for its social engineering and phishing attacks, has broadened its scope to new industries, according to Check Point Research.
The group has been linked to the retail sector attacks on companies including Marks & Spencer earlier this year, and spread its influence to the aviation industry this month with an attack on Australian airline Qantas.
Check Point has now identified phishing domain indicators that follow Scattered Spider’s known naming conventions, pointing to a further expansion of its efforts.
The team found around 500 fake domains that mimic legitimate corporate login portals (victimname-servicedesk[.]com) and authentication services (victimname-okta[.]com). These are designed to trick employees and steal their login credentials, and Check Point says they are “either in use or prepared for future attacks.”
Some portals are dedicated to industries Scattered Spider has already hit, like technology, retail and aviation, but others are in new sectors, including manufacturing, medical technology, financial services and enterprise platforms.
Examples include domains mimicking brands like Hubspot, Gemini and fast-food chain Chipotle.
Although Check Point has not confirmed that all 500 domains it has found are malicious, “their alignment with known TTPs (tactics, techniques, and procedures) strongly suggests targeting intent.”
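A defender can turn the naming convention Check Point describes (victimname-servicedesk[.]com, victimname-okta[.]com) into a simple screen over newly registered or newly observed domains. The code below is an added illustration, not part of the original article or of Check Point's research; the domain list and brand names are constructed, and the suffixes beyond servicedesk and okta are assumed extras for illustration.

```python
import re

# Constructed sample of newly observed domains (not from the article).
# Defanged "[.]" notation is accepted and normalised before matching.
SAMPLE_DOMAINS = [
    "acme-servicedesk[.]com",
    "acme-okta.com",
    "login.acme.com",        # legitimate-looking subdomain, no brand-service label
    "acmecorp-sso.net",      # brand used as a prefix of a longer label
    "example-helpdesk[.]org",
    "acme.com",
]

# "servicedesk" and "okta" follow the convention reported by Check Point;
# "sso" and "helpdesk" are assumed neighbours added for illustration.
SERVICE_SUFFIXES = ("servicedesk", "okta", "sso", "helpdesk")


def refang(domain: str) -> str:
    """Turn defanged notation such as 'example[.]com' back into 'example.com'."""
    return domain.lower().strip().replace("[.]", ".").replace("(.)", ".")


def flag_lookalikes(domains, protected_brands, suffixes=SERVICE_SUFFIXES):
    """Return (raw_domain, matched_brand, service) for registrable names shaped
    like <brand...>-<service>.<tld>, where the label starts with a protected brand."""
    svc_alt = "|".join(re.escape(s) for s in suffixes)
    pattern = re.compile(
        r"^(?:[a-z0-9-]+\.)*"                      # optional subdomain labels
        r"(?P<label>[a-z0-9]+)-(?P<svc>" + svc_alt + r")"
        r"\.[a-z]{2,}$"                            # top-level domain
    )
    brands = sorted(b.lower() for b in protected_brands)
    hits = []
    for raw in domains:
        m = pattern.match(refang(raw))
        if not m:
            continue
        label = m.group("label")
        brand = next((b for b in brands if label.startswith(b)), None)
        if brand is not None:
            hits.append((raw, brand, m.group("svc")))
    return hits
```

Feed it a daily certificate-transparency or new-domain feed together with your own brand names; anything it flags deserves a closer look before employees can be pointed at it.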
DragonForce ready to rumble
Scattered Spider used tools from ransomware-as-a-service provider DragonForce in its retail sector attacks in the spring. That group is now in a head-to-head contest with its competitor, RansomHub.
The two groups have been at loggerheads since April, when DragonForce – a group of largely Russian-speaking criminals – took over RansomHub’s website. The latter responded by attacking and defacing DragonForce’s own site.
But this internecine warfare is not good news for legitimate firms. Cyber experts warn that the fallout could see some victims hit twice or facing double extortion demands.
Genevieve Stark, head of cybercrime analysis at Google Threat Intelligence Group, said, "Instability within the extortion ecosystem can have serious implications for ransomware and data theft extortion victims."
Rafe Pilling, director of threat intelligence at Sophos, also warned that conflict between RansomHub and DragonForce could spill over to affect victims.
"Cybercriminals are a ruthless bunch, and a betrayal between partners can result in a situation where the victim gets extorted twice," he said.