Voice-Based Cyberattacks, why are they so effective?

More on the MGM / Caesars Cyberattacks

MGM Resorts and Caesars Entertainment are latest victims of Voice-Based Cyberattacks…why are sophisticated, security savvy organizations losing the cyber battle?

Vishing is a rapidly growing Voice-Based Attack

Voice phishing (vishing) is now among the fastest-growing threat vectors for enterprise cybercrime. The tactic is perpetrated by highly skilled criminal impostors who, armed with harvested personal data and social-engineering techniques, manage to extract network or account-compromising information from a vulnerable human target through a phone call. Twitter, Cisco, Twilio, Robinhood – all have fallen victim to vishing attacks. And now, we add MGM Resorts and Caesars Entertainment to the list.

As we delve into understanding why Vishing and other Voice-Based Attacks have been favorite weapons used by cybercriminals, a surprising theme has emerged:

Voice-based attacks are being used successfully to breach the most highly sophisticated organizations with extensive cyber protections.

Let’s consider some of the reasons why well-protected organizations fall victim to voice-based attacks:

1) Organizations are Reticent to Admit that They are the Victim of a Cyber Event

The problem with being hacked is it’s embarrassing. It’s an admission that you’ve been duped. Big, brand-conscious companies do not like the way that looks. What’s more, their customers don’t like it.

Because most hacks inevitably compromise customer data. It’s not a stretch to assume the actual number of reported breaches far exceeds what is public knowledge as victimized organizations often try to discreetly manage the fallout without a public outing. Of course, if you are MGM Resorts with thousands of visitors suddenly locked out of their hotel rooms, casinos, and ATMs due to a network-crippling cyberattack, it’s pretty hard to keep things on the down low. And once news of their troubles emerged, fellow casino and entertainment giant, Caesars Entertainment, quietly had to admit that they, too, had fallen victim to a vishing-perpetrated ransomware attack likely linked to the same criminal gang known as Scattered Spider.

Because Caesars reportedly paid the extortionists at least half of their $30 million ransom demand, the company did not experience the full disruption or widespread public exposure dealt to MGM. That was Caesars’ choice, but it might have helped if fellow hospitality and gaming enterprises were alerted that there was likely an emerging pattern of attacks on their industry.

This past summer, the Securities and Exchange Commission (SEC) stepped in with new regulations requiring companies to report data breaches and hacks within four business days after the breach has been discovered. But this only applies to publicly held companies. There is no such mandate requiring disclosure from private operations like healthcare, higher education, government agencies or privately owned businesses. And, frankly, does such a regulation even matter to the amorphous hit-and-run cybercriminal who already has the goods? Not likely.

2) Organizations have “managed” Cyber Risk via Cyber Insurance

The availably of cybersecurity insurance may provide some sense of protection against financial losses due to a cyberattack. MGM, in fact, was covered by a $200 million policy which will likely come in handy now. The cost for a cybersecurity policy, especially for smaller companies, is minimal, averaging $145 a month for $1 million in coverage. However, according to a 2023 study by IBM and the Ponemon Institute, data breaches, on average, now cost organizations $3.86 million, which means higher insurance rates and stricter underwriting requirements are sure to follow.

But here’s the real rub. It appears companies that carry cybersecurity insurance are more targeted by ransomware hackers compared with those that do not. In other words, in the process of protecting themselves, companies may be making themselves more attractive (i.e., good for a quick payout) to hackers. It’s almost like taking out an insurance policy and making the likes of the Scattered Spider cybercrime gang your beneficiary.

3) Voice as a Threat Vector is Not Taken Seriously

When reading after-the-fact reports from companies that have been hacked, you are likely to see them downplay the full impact. Three weeks after their vishing attack, for instance, MGM’s Q&A web page for Rewards members bears the headline, “Our hotels and casinos are operating normally,” followed by the caveat, “We appreciate your patience as we work to restore certain website and mobile app functionalities, including accessibility to your MGM Rewards account, mobile check-in and check-out, and digital keys. Please note that certain promotional offers may be unavailable. MGM Rewards members’ accounts will be adjusted to reflect Tier Credits and MGM Rewards points at a later date.”

Scroll down to the very last question, “Was my data exposed?” The site responds:

Our investigation is ongoing, and we are working diligently to evaluate the scope and nature of the issue. At this time, we do not have additional information available to share.”

Feeling better now?

Caesars Entertainment went even further to diminish the impact. While admitting that hackers likely gained access to the company’s loyalty program database, which includes driver license and Social Security numbers for a “significant number of members,”  they also claim in their SEC filing that they have taken steps “to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.” That’s right – lawless, malicious cybercriminal gangs who hacked their systems, stole their data and held it ransom for a cool $30 million will, of course, delete that data (worth thousands of dollars on the Dark Web) once they get their payment. Call me incredulous.

Apparently, their customers aren’t buying it, either, as both Caesars and MGM are now being hit with five (at last count) class-action lawsuits recently filed in the state of Nevada. While the language varies, these suits share the claim that the companies failed to take adequate measures to protect the PII (Personal Identifiable Information) of their customers. All seek monetary damages for the victims — actual, statutory and punitive damages, as well as restitution, while requesting assurances that it won’t happen again.

The amount of damages assumed by the lawsuits is yet to be disclosed, but it is certainly a wake-up call for organizations thinking data hacks are transient occurrences and the fallout can be contained.

4) Too Much Reliance on Security Awareness Training

It obviously makes sense that front-line employees, particularly those in customer support roles, be trained and stay vigilant to caller behaviors associated with potential fraud. But humans, being humans, are apparently easily swayed through the power of voice. MGM and Caesars are just the latest examples of large companies hacked by vishers targeting helpdesk employees. So why does this happen?

Unlike machines, humans, particularly those in customer support roles, have good days and bad days, are subject to stress-induced bad judgement, put up with verbal assault while under a mandate to deliver positive results for their callers. It’s no wonder the turnover rate for overworked, underpaid helpdesk employees is nearly 40%, which begs the question: How effective can employee training be as a security strategy when the average employee turns over their job to an untrained replacement every two and a half years? This is not to say employee training is useless – companies need every tool to fight this growing threat. It’s just employees, even the best trained, are an imperfect firewall.

Stopping Voice-Based Attacks with Powerful Cybersecurity Technology

Vishers simply want access to an employee endpoint. The best defense is blocking their access from the start.

Here’s the pitch, but it’s a good one.

Mutare’s Voice Traffic Filter is a powerful tool that, when added to an organization’s cybersecurity arsenal, assures that a particularly vulnerable area of potential intrusion – the voice network –  is adequately protected. It is a sophisticated solution that applies five specific layers of filtering technologies to detect, blocks, or deflect vishers, social engineering scammers, robocalls, spoof calls, voice spam storms and other unwanted callers, at the network edge.  This enterprise-class solution works with voice networks of all types – cloud, on-prem or hybrid. The solution also works for unified collaboration solutions, UCaaS, contact center solutions, CCaaS, and more.

Once put into action, Voice Traffic Filter assures the integrity of the voice traffic flowing into the organization while providing a reinforced shield of protection for employees, so they do not become the conduit for criminal exploitation.

No doubt, the attempts on MGM Resorts and Caesars Entertainment may have been inevitable as vishers and other threat agents relentlessly probe for weak links and are hammering large organizations in particular as they have the most to lose. Nevertheless, the harder organizations make it for criminal opportunists to enter their networks and reach their employees, the more likely they are to avoid the serious and long-term consequences of a successful breach. It’s time to get serious about voice channel protection – for the sake of the organization, its employees, their stakeholders, and the customers they serve.