WGPC: Hacker discusses “major flaw” in MGM’s network which led to cyberattack

Thursday, February 29, 2024 6:43 PM
Photo: WGPC
Buck Wargo, CDC Gaming

A hacker and author of five books on social engineering said a “major flaw” in how MGM Resorts set up its network led to a cyberattack that shut down computer systems on the Strip and nationwide last fall at a cost of $100 million.

Christopher Hadnagy, founder and CEO of Social-Engineer LLC, spoke to a group of casino-surveillance and security executives Wednesday at the World Game Protection Conference in Las Vegas. The gathering buzzed about the cyberattack reported this week at the Casino Del Sol in Tucson, where slots and other computer systems were impacted.

“The reason we saw the casino, ATMs, hotel-room network, Wi-Fi, and everything go down is because there was no segregation in the network and that should never be the case,” said Hadnagy of the MGM attack. “MGM owned the whole thing and dug their heels in and (the hackers) said we’re going to hurt you now.”
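Hadnagy's segmentation point can be made concrete with a small reachability check. The following is an added example, not code from the article, from MGM or from Social-Engineer LLC; the zone names and allow-rules are hypothetical. It computes which zones an attacker who lands in one zone can pivot into, first under a flat any-to-any policy and then under an explicit allow-list, so the "blast radius" of a guest Wi-Fi compromise can be compared between the two designs.

```python
from collections import deque

# Network zones a casino operator might run (hypothetical names for this example).
ZONES = ["guest_wifi", "hotel_rooms", "atm", "slots", "cage", "corp_it", "internet"]

# A flat design: every zone may initiate connections to every other zone.
FLAT_POLICY = {(src, dst) for src in ZONES for dst in ZONES if src != dst}

# A segmented design: an explicit allow-list of zone-to-zone flows.
# The rules are illustrative, not a recommended architecture.
SEGMENTED_POLICY = {
    ("guest_wifi", "internet"),
    ("hotel_rooms", "internet"),
    ("corp_it", "internet"),
    ("corp_it", "slots"),   # slot-floor management from corporate IT
    ("corp_it", "cage"),    # cage systems administered from corporate IT
    ("slots", "corp_it"),   # slot telemetry reported back to corporate systems
}


def reachable_from(start, policy):
    """Zones an attacker who controls `start` can reach by chaining allowed flows.

    Breadth-first search over the allow-list, so multi-hop pivots are counted.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst in policy:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


def blast_radius(policy):
    """Map each zone to the set of zones compromised if that zone falls."""
    return {zone: reachable_from(zone, policy) for zone in ZONES}


def exposing_zones(policy, crown_jewels=("slots", "cage", "atm")):
    """Non-critical zones from which a compromise can pivot into a crown-jewel zone.

    On a flat network this is every non-critical zone, which is the failure
    mode Hadnagy describes: guest Wi-Fi, hotel rooms and ATMs all go down together.
    """
    jewels = set(crown_jewels)
    return sorted(
        zone for zone, reach in blast_radius(policy).items()
        if zone not in jewels and reach & jewels
    )


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: guest_wifi can reach {sorted(reachable_from('guest_wifi', policy))}")
        print(f"{name}: zones exposing crown jewels: {exposing_zones(policy)}")
```

Note that the segmented policy still lets a compromised slot system pivot through corporate IT into the cage, because the transitive search follows every allowed hop; that is exactly the kind of path a review of the allow-list should surface before an attacker does.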

MGM reportedly declined to pay the $30 million ransom demanded by the hackers known as Scattered Spider. Caesars Entertainment, which had customer data stolen by the same group, negotiated the amount down, paid $15 million and avoided MGM’s fate, Hadnagy said.

“I’d tell the company to pay the ransom. Instead, they lost $110 million (including consulting and cleanup fees) and their reputation and how much business was down the toilet,” Hadnagy said. “Thirty million dollars versus $110 million seems like a pretty good gamble to me.”

In the majority of cases, companies pay the ransom. Once the thieves get paid, they have to give back the stolen data or they won’t get business again, Hadnagy said.

“If I was consulting MGM, my first question would have been, how are your backups? And if they said they hadn’t done a backup in six months, I would have told them, you’re up the creek,” Hadnagy said. “If they said their last backup was two days ago, I’d say tell Scattered Spider to go take a hike and rebuild your network from the ground up. It will take some time, but it won’t cost $100 million. We’ll fix the hole so they can’t get back in and replace it with good backups. Most of the time, companies that pay the ransom don’t have good backups.”

MGM said it was insured to recoup its losses.

Hadnagy said that while scanning MGM’s network, hackers found a potential vulnerability in a piece of software. They went to the dark web and hired people to write a program to exploit that weakness.

The hackers followed that up with open-source intelligence on a target employee. They called IT support and convinced the staff that they were that person. That led to the installation of software with attached ransomware.
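The help-desk impersonation step described above leaves a trace in identity-provider audit logs: an account reset performed by a support agent, followed shortly by enrollment of a new MFA device and a login from an address the user has never used. The detection logic below is an added example, not code from the article, from MGM or from any vendor; the log lines, field names, event names and the 60-minute window are constructed for illustration, and a real deployment would map them onto the IdP's own schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit log (one JSON object per line), modelled loosely on an
# identity-provider event stream. Field and event names are hypothetical.
SAMPLE_LOG = """
{"ts": "2023-09-08T14:02:00Z", "event": "helpdesk.mfa_reset", "actor": "helpdesk_agent_7", "target": "jdoe", "src_ip": "10.20.1.15"}
{"ts": "2023-09-08T14:09:30Z", "event": "mfa.enroll", "actor": "jdoe", "target": "jdoe", "src_ip": "203.0.113.44"}
{"ts": "2023-09-08T14:11:00Z", "event": "auth.login", "actor": "jdoe", "target": "jdoe", "src_ip": "203.0.113.44"}
{"ts": "2023-09-08T15:00:00Z", "event": "helpdesk.password_reset", "actor": "helpdesk_agent_2", "target": "asmith", "src_ip": "10.20.1.16"}
{"ts": "2023-09-08T15:05:00Z", "event": "auth.login", "actor": "asmith", "target": "asmith", "src_ip": "10.30.4.8"}
{"ts": "2023-09-09T09:00:00Z", "event": "mfa.enroll", "actor": "bwong", "target": "bwong", "src_ip": "10.30.4.9"}
"""

# Addresses each user has logged in from before (constructed baseline).
KNOWN_IPS = {
    "jdoe": {"10.30.4.7"},
    "asmith": {"10.30.4.8"},
    "bwong": {"10.30.4.9"},
}

RESET_EVENTS = {"helpdesk.mfa_reset", "helpdesk.password_reset"}
WINDOW = timedelta(minutes=60)


def parse_log(text):
    """Parse JSON lines into dicts with a datetime `ts`, sorted by time."""
    records = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for rec in records:
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(records, key=lambda rec: rec["ts"])


def find_suspicious_resets(records, known_ips, window=WINDOW):
    """Flag help-desk resets followed, within `window`, by signs of account takeover.

    Signals: a new MFA factor enrolled after the reset (the caller's own device)
    and/or a login from an address the user has never used. A reset with no such
    follow-up (the `asmith` case in the sample) is left alone.
    """
    alerts = []
    for i, reset in enumerate(records):
        if reset["event"] not in RESET_EVENTS:
            continue
        user = reset["target"]
        deadline = reset["ts"] + window
        followups = [
            rec for rec in records[i + 1:]
            if rec["target"] == user and rec["ts"] <= deadline
        ]
        signals = []
        if any(rec["event"] == "mfa.enroll" for rec in followups):
            signals.append("mfa_enroll_after_reset")
        baseline = known_ips.get(user, set())
        for ip in sorted({rec["src_ip"] for rec in followups
                          if rec["event"] == "auth.login" and rec["src_ip"] not in baseline}):
            signals.append(f"login_from_new_ip:{ip}")
        if signals:
            alerts.append({
                "user": user,
                "reset_event": reset["event"],
                "reset_by": reset["actor"],
                "reset_at": reset["ts"].isoformat(),
                "signals": signals,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(parse_log(SAMPLE_LOG), KNOWN_IPS):
        print(json.dumps(alert))
```

The rule deliberately keys on the combination rather than on any single event: help-desk resets and MFA enrollments are routine on their own, but a reset that is immediately followed by a new factor and a first-seen source address is the shape a successful vishing call produces, and the alert names the agent who performed the reset so the call can be reviewed.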

Hadnagy’s firm is hired by companies to try to hack into their operations to find vulnerabilities. Despite training, some people will click on email phishing attacks and are even vulnerable to various scams, he said.

Hadnagy also weighed in on the cage attacks that occurred last spring and summer around the country, prompting the National Indian Gaming Commission to notify tribal gaming operators and their regulators of imposters pretending to be vendors and state or tribal officials. These thieves succeeded in stealing hundreds of thousands of dollars in cash.

Nevada gaming regulators issued a warning of the multi-million-dollar nationwide casino scam involving social-engineering tactics and possible use of artificial intelligence.

In the case of Circa Hotel & Casino in June, a man claiming to be a Circa co-owner convinced a casino cage employee to hand over several payments totaling $1.17 million, supposedly to pay for fire-safety equipment. The case led to the arrest of 23-year-old Erik Gutierrez Martinez on theft charges.

World Game Protection CEO and founder Willy Allison said six reported cases involved that scheme, along with about 1,000 attempts that weren’t successful. “Most of the casinos have the controls in place.” Allison said he remains dumbfounded as to how it could have happened at the six.

Hadnagy said 10 years ago, a lot of exploitation by hacker groups was with software, but today, they’re turning to social engineering. Voice phishing increased more than 500% between 2022 and 2023, he said.

“If I get a call from someone who’s your boss, am I going to say no to my boss?” Hadnagy asked. “I’d think he’ll get mad and fire me. It sounds like him and I say to myself, I’m going to do this. As soon as your brain commits to action, you tell yourself it’s the right thing to do and look for evidence that what you’re doing is right.”

Hadnagy said technology available today makes it easier for scammers and threat actors to use websites to educate one another. AI voice software can remove foreign accents and make a caller sound like a native English speaker.

AI can also be used to generate video and a voice emulating a real person, as in a Hong Kong case in which $25 million was wired to scammers after an employee believed he was seeing his boss on a Zoom call.

People mistakenly believe these are state-sponsored attacks from Russia and China, but governments aren’t going after casinos and other businesses for ransomware, Hadnagy said. These are groups with people from all over the world, including one of the MGM hackers who was arrested in Tampa.