One Call. Ten Minutes. $100 Million in Damages.
Imagine investing millions in firewalls, SIEM systems, and zero-trust architectures – only to have an attacker bypass it all with a well-told story over the phone. Sound like a Hollywood plot? For MGM Resorts, it became a bitter reality in September 2023.
The terrifying part: there was no technical exploit involved. No zero-day vulnerability, no stolen credential file, no phishing link. It was just a precision-planned social manipulation – and a helpdesk employee who simply wanted to do the right thing.
What Exactly Happened
The group behind the attack was Scattered Spider (also known as UNC3944). Contrary to many oversimplified reports, they didn't just perform a simple password reset. They took a decisive step further.
They contacted the IT helpdesk claiming their MFA device was lost or broken. The helpdesk employee – dutiful and helpful – subsequently registered a new MFA device in the company's Okta system. This new device was entirely under the attackers' control.
From that moment on, the attacker wasn't an intruder – they were a fully verified user with a valid token. Technical protections were completely bypassed before a single piece of security software could even raise an alarm.
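The sequence described above (a helpdesk agent enrolling a new factor for a user, then the "user" signing in from somewhere new) leaves a trace in identity-provider audit logs. The script below is an added detection example, not code from the original article or from Okta; the event records are constructed to loosely resemble Okta System Log entries, and the event-type strings, the 30-minute window and the known-IP baseline are assumptions chosen for illustration.

```python
"""Flag admin-assisted MFA factor enrollments that are followed by a sign-in from an
unfamiliar address. Added example; the events and baselines below are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed sample events (assumption: field names loosely follow an Okta System Log entry).
EVENTS = [
    {"ts": "2023-09-10T09:02:00Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk.agent@example.com", "target": "alice@example.com", "ip": "10.0.5.14"},
    {"ts": "2023-09-10T09:03:30Z", "eventType": "user.mfa.factor.activate",
     "actor": "helpdesk.agent@example.com", "target": "alice@example.com", "ip": "10.0.5.14"},
    {"ts": "2023-09-10T09:11:00Z", "eventType": "user.session.start",
     "actor": "alice@example.com", "target": "alice@example.com", "ip": "203.0.113.77"},
    # Benign baseline: bob enrolled his own factor and signs in from his usual address.
    {"ts": "2023-09-10T10:00:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "bob@example.com", "target": "bob@example.com", "ip": "192.0.2.10"},
    {"ts": "2023-09-10T10:05:00Z", "eventType": "user.session.start",
     "actor": "bob@example.com", "target": "bob@example.com", "ip": "192.0.2.10"},
]

# Constructed: addresses each user has signed in from over the previous 30 days.
KNOWN_IPS = {
    "alice@example.com": {"198.51.100.5"},
    "bob@example.com": {"192.0.2.10"},
}


def _parse(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_suspicious_resets(events, known_ips, window=timedelta(minutes=30)):
    """Return one alert per sign-in that happens within `window` after a factor was
    enrolled for the user by someone other than the user, from an IP not in the
    user's baseline. Self-service enrollments (actor == target) are ignored."""
    events = sorted(events, key=lambda e: _parse(e["ts"]))
    assisted = []   # (target user, enrollment time, enrolling admin)
    alerts = []
    for e in events:
        t = _parse(e["ts"])
        if e["eventType"] == "user.mfa.factor.activate" and e["actor"] != e["target"]:
            assisted.append((e["target"], t, e["actor"]))
        elif e["eventType"] == "user.session.start":
            user = e["target"]
            baseline = known_ips.get(user, set())
            for target, t_enrolled, admin in assisted:
                if (target == user
                        and timedelta(0) <= t - t_enrolled <= window
                        and e["ip"] not in baseline):
                    alerts.append({
                        "user": user,
                        "enrolled_by": admin,
                        "login_ip": e["ip"],
                        "minutes_after_enrollment": (t - t_enrolled).total_seconds() / 60,
                    })
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_resets(EVENTS, KNOWN_IPS):
        print(f"ALERT: {a['user']} signed in from {a['login_ip']} "
              f"{a['minutes_after_enrollment']:.1f} min after {a['enrolled_by']} enrolled a factor")
```

The rule deliberately keys on the actor/target mismatch rather than on the reset event alone: a helpdesk enrolling a factor is routine, a helpdesk enrolling a factor that is then used from an address the user has never used is the pattern worth paging on. In production the baseline would come from the sign-in history rather than a hard-coded dictionary.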
MGM vs. Caesars: The Post-Breach Dilemma
What makes the MGM case particularly instructive is the direct comparison with Caesars Entertainment, which had been targeted using the exact same method just days prior.
- Caesars Entertainment, ransom paid: Decided to pay to maintain operations. Operational damage limited; long-term reputational damage remains difficult to calculate.
- MGM Resorts, payment refused: Held firm and refused to pay. Ten days of system downtime, hotel and casino operations crippled, massive reputational hit.
This dilemma shows that the costs of a successful vishing attack almost always exceed the costs of prevention – by a wide margin. It’s not just about data loss; it’s about the complete paralysis of the core business.
How Vishing Truly Works
What happened at MGM was no coincidence or isolated case. It was a textbook example of Vishing (Voice Phishing): a precision-planned operation occurring in three distinct phases. Understanding these phases allows you to recognize the pattern – before the damage is done.
Phase 1 – Reconnaissance: Digital Surveillance
Before the first call is made, the attacker often knows more about the target than the helpdesk employee does. They use OSINT methods (Open Source Intelligence) to create a precise profile:
- LinkedIn & Social Media: Who works in which department? Who is new? Who is currently on vacation or at a conference, making them ideal identities to assume?
- Breach Databases: Old data leaks provide email addresses and password hashes that attackers use to confirm which account names exist in Active Directory.
- Corporate Structure: Who is the direct supervisor? Who is the CISO? Nothing creates more pressure over the phone than dropping internal names and structural details.
- Technology Stack: Which identity system is in use? Job postings often reveal exact product names and version numbers – including known CVEs.
Phase 2 – Pretexting: The Legend
The "pretext" is the role the attacker plays. The more contextually consistent the legend, the lower the vigilance on the other side. Classic scenarios exploit three psychological levers: Time pressure, Authority, and the human instinct to protect.
In the MGM case, the legend was simple and effective: "I am employee X, my MFA device is gone, I need access immediately – management is waiting for me." Three stressors in one sentence.
Phase 3 – The Hook: Access
This is the moment the attacker "closes the deal." They exploit the natural helpfulness of the helpdesk employee and the fear of making a mistake – often through small, seemingly harmless requests that build into a chain of concessions. In behavioral psychology, this is known as Micro-commitments: once someone says yes, they are likely to say it again at the next step.
Why the Brain Fails – Not the Person
Vishing is "Psychological Warfare" on a micro-scale. Professional social engineers don't exploit the weaknesses of individuals – they exploit universal, deep-seated behavioral patterns to which we are all susceptible. This isn't a moral failure. It's neurobiology.
These four mechanisms explain why even experienced, trained employees fail in vishing scenarios. The Amygdala Hijack alone is enough to make one forget half of all security protocols in a stressful moment. Added to this are the Principles of Persuasion by Robert Cialdini – a framework social engineers have used systematically for decades.
An attacker's goal isn't just to deceive someone. The goal is to create a situation where following security rules feels wrong – and breaking them feels right.
How to Protect Your Company – Concrete and Actionable
Technology alone cannot solve this problem. No SIEM in the world can block a call that sounds legitimate. The solution lies in a combination of process hardening, technical control points, and regular training under realistic conditions.
| Attack Vector | Measure | Priority |
|---|---|---|
| MFA Device Reset | Out-of-band verification: Supervisor confirms reset via a second channel | IMMEDIATE |
| Caller ID Spoofing | Call-Back Procedure: Helpdesk hangs up and calls back on the officially registered number | IMMEDIATE |
| Social Engineering via Time Pressure | Explicit Policy: "Time pressure on the phone = immediate escalation point" | IMMEDIATE |
| OSINT-based Personalization | LinkedIn visibility guidelines, minimal technology disclosure in job ads | 30 DAYS |
| Helpdesk Manipulation | Vishing simulations with real call scenarios – not PowerPoint | 30 DAYS |
| Okta / IAM Manipulation | Secure MFA enrollment itself behind a second MFA barrier | 90 DAYS |
The Four Critical Immediate Measures in Detail
- Strict Identity Proofing at the Helpdesk: Every MFA reset requires confirmation via a second, independent channel. Video verification or supervisor sign-off aren't hurdles – they are the final line of defense.
- The Call-Back Procedure: Never trust the displayed phone number – Caller ID spoofing is trivial. The helpdesk must hang up and call the employee back on the official number stored in the system. No compromises.
- MFA for MFA Reset: The process for re-registering an authentication device must itself be protected by an MFA hurdle – e.g., a one-time code sent to a pre-verified private address.
- Vishing Simulations instead of Slides: Controlled attack simulations train the gut feeling better than any training session. Someone who has received and recognized a real simulated vishing call will react differently next time.
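The four measures above can be written down as a single decision rule that the helpdesk tool enforces before anyone touches MFA enrollment. The code below is an added example, not the article's or any vendor's code: the directory, the request fields and the pressure phrases are constructed stand-ins, and a real deployment would pull the number of record and the supervisor from the HR system and record the one-time-code result from the IdP.

```python
"""Gate a helpdesk MFA re-enrollment request behind out-of-band verification.
Added example with constructed data; not the article's own process code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ResetRequest:
    claimed_user: str
    caller_id: str                        # number shown on the helpdesk phone (spoofable, never evidence)
    called_back_number: Optional[str]     # number the agent actually dialled after hanging up
    supervisor_approval: Optional[str]    # approver identity received over the second channel
    otp_confirmed: bool                   # one-time code to the pre-verified private address entered correctly
    agent_notes: str = ""                 # free-text notes the agent takes during the call


# Constructed directory of record (assumption: sourced from HR in a real deployment).
DIRECTORY = {
    "alice@example.com": {"phone": "+15550100", "supervisor": "carol@example.com"},
}

# Constructed: phrases that, per the policy above, turn the call into an escalation.
PRESSURE_PHRASES = ("immediately", "right now", "urgent", "management is waiting")


def evaluate(req: ResetRequest, directory=DIRECTORY) -> Tuple[str, List[str]]:
    """Return ("APPROVE" | "DENY" | "ESCALATE", reasons).

    Time pressure always escalates, even when every other check passes: the policy
    is that urgency on the phone is never a reason to shorten the process."""
    reasons: List[str] = []
    record = directory.get(req.claimed_user)
    if record is None:
        return "DENY", ["claimed user not in directory"]

    # 1. Strict identity proofing: callback must reach the number of record.
    if req.called_back_number != record["phone"]:
        reasons.append("no callback to number of record")
    # 2. Supervisor sign-off via a second, independent channel.
    if req.supervisor_approval != record["supervisor"]:
        reasons.append("missing supervisor approval")
    # 3. MFA for the MFA reset.
    if not req.otp_confirmed:
        reasons.append("one-time code not confirmed")
    # 4. Explicit policy: time pressure on the phone is an escalation point.
    notes = req.agent_notes.lower()
    if any(p in notes for p in PRESSURE_PHRASES):
        return "ESCALATE", reasons + ["time pressure reported by caller"]

    return ("DENY", reasons) if reasons else ("APPROVE", [])


if __name__ == "__main__":
    # The call pattern described in the article: lost device, immediate access, management waiting.
    call = ResetRequest("alice@example.com", "+15550100", None, None, False,
                        "Says MFA device lost, needs access immediately, management is waiting")
    print(evaluate(call))
```

Note that the caller ID field is stored but never consulted by `evaluate`; that is the point of the call-back procedure, and keeping the field only documents what the agent saw.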
The goal isn't to cultivate distrust. The goal is to institutionalize a moment of pause – a process step that kicks in automatically before action is taken. MGM's helpdesk didn't have that moment.
Conclusion: Cybersecurity Doesn't End at the Screen
The MGM hack is not an argument against technical security measures. It is an argument that technical security is incomplete without human process security. Every zero-trust architecture has a blind spot: the helpdesk employee who wants to do the right thing.
As long as humans remain the final authority in a security process, they will remain the primary target. The question is not whether your team can be manipulated – it’s whether your processes are built so that even a successful manipulation can cause no harm.
Cybersecurity is not a project that finishes with a software installation. It is a culture. And culture is built through training under realistic conditions.
Would your helpdesk recognize this call?
We simulate real vishing attacks against your team – controlled, documented, and with concrete recommendations for action.
Request Social Engineering Audit →