Scattered Spider's Next Move: Insurance Under the Social‑Engineering Spotlight

Jason

Scattered Spider—aka UNC3944, Star Fraud, Muddled Libra—is expanding its playbook. After punishing UK and US retailers like Marks & Spencer, Harrods, and Victoria's Secret with ransomware and data theft, it has now directed its identity‑based tactics at the insurance sector.

Changing Targets: Retail ➝ Insurance

Known for sector-focused blitzes, Scattered Spider last hit UK retailers in April‑May with DragonForce ransomware, causing ~£300 M in damage at M&S alone. Now, in June, it has shifted to insurance firms—including Aflac, Erie, and Philadelphia—using an identical playbook: help‑desk call impersonation, phishing, MFA bypass, and self‑service resets.

Attack Flow: The Social‑Engineering Chain

  1. Recon: Gathering employee info from LinkedIn, press, and public filings.
  2. Pretexting: Posing as internal IT, HR, or vendor contacts.
  3. Execution: Using vishing or phishing to request MFA resets or password assistance.
  4. Breach: Gaining privileged access, often without malware.
  5. Impact: Disruption (Erie, Philadelphia outages) and data theft (Aflac SSNs, health info).
The same chain, rendered as a Mermaid flowchart:

```mermaid
flowchart TD
    A[Reconnaissance] --> B[Employee Info Gathering]
    B --> C[LinkedIn, Press, Filings]
    C --> D[Pretexting Setup]
    D --> E[Pose as IT/HR/Vendor]
    E --> F[Execution Phase]
    F --> G[Vishing/Phishing]
    G --> H[MFA Reset Request]
    H --> I{Target Complies?}
    I -->|Yes| J[Privileged Access]
    I -->|No| K[Try Different Approach]
    K --> G
    J --> L[Data Exfiltration]
    J --> M[System Disruption]
    L --> N[Impact: Data Theft]
    M --> O[Impact: Service Outage]
    subgraph "Attack Phases"
        A
        D
        F
        J
    end
    style N stroke:#ff0000
    style O stroke:#ff0000
```

As Google GTIG explained:

"Actors that bear the hallmarks of Scattered Spider are now targeting the insurance industry. They have a habit of working their way through a sector."

Why Insurance?

Insurers hold troves of personal, financial, and health data—prime targets for extortion, resale, or pivot into deeper attacks. Their extensive call centers and third-party vendors create a broad attack surface ripe for human-focused exploitation.

Key Defenses for Insurance Providers

  • Harden identity controls: Enforce phishing-resistant MFA (hardware/app tokens), number‑matching, and conditional access rules.
  • Lock down help‑desk flows: Implement scripted, verifiable procedures for password or MFA resets.
  • Monitor unusual resets: Audit help‑desk and self‑service reset calls, and trigger alerts when a reset is followed by an unexpected MFA enrollment or a sign‑in from an unfamiliar device.
  • Employee training: Teach staff to challenge unsolicited IT requests, especially around token resets.
  • Prepare IR and containment plans: Be ready with IR playbooks, legal counsel, and continuity strategies before breach strikes.
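One way to operationalise the "monitor unusual resets" item above, as an added example that is not from the original post or any IdP vendor: a small correlation rule over constructed identity-log events (hypothetical schema, not any product's audit format) that flags an MFA enrollment landing within a window after a help‑desk‑performed reset, and separates phone‑channel resets (the channel this campaign abuses) from ticketed ones.

```python
"""Correlate help-desk-assisted credential resets with MFA enrollments that
follow shortly after: the trace a successful reset-by-phone pretext leaves.
Event schema and sample data are constructed for this demo (assumption)."""
from datetime import datetime, timedelta

# Constructed sample events (ISO 8601 UTC timestamps), not real audit logs.
SAMPLE_EVENTS = [
    {"ts": "2025-06-10T09:02:00", "user": "alice", "event": "password_reset",
     "actor": "helpdesk:bob", "channel": "phone"},
    {"ts": "2025-06-10T09:14:00", "user": "alice", "event": "mfa_method_added",
     "actor": "alice", "method": "authenticator_app"},
    {"ts": "2025-06-10T11:00:00", "user": "carol", "event": "password_reset",
     "actor": "helpdesk:bob", "channel": "ticket"},
    {"ts": "2025-06-10T13:00:00", "user": "carol", "event": "mfa_method_added",
     "actor": "carol", "method": "sms"},
    {"ts": "2025-06-10T12:00:00", "user": "dave", "event": "mfa_method_added",
     "actor": "dave", "method": "sms"},   # no preceding reset: benign
]

RESET_EVENTS = {"password_reset", "mfa_reset"}

def find_suspicious_reenrollments(events, window_hours=24):
    """Return (user, reset_ts, enrol_ts, channel) for every MFA enrollment
    that follows a help-desk-performed reset of the same account inside
    the window. Self-service resets by the user are deliberately ignored."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        resets = [e for e in evs if e["event"] in RESET_EVENTS
                  and e["actor"].startswith("helpdesk:")]
        for r in resets:
            r_ts = datetime.fromisoformat(r["ts"])
            for e in evs:
                if e["event"] != "mfa_method_added":
                    continue
                e_ts = datetime.fromisoformat(e["ts"])
                if r_ts <= e_ts <= r_ts + timedelta(hours=window_hours):
                    alerts.append((user, r["ts"], e["ts"], r.get("channel")))
    return alerts

def phone_channel_alerts(events, window_hours=24):
    """Subset worth paging on: the reset was requested over the phone.
    Ticket-initiated resets stay in the review queue instead."""
    return [a for a in find_suspicious_reenrollments(events, window_hours)
            if a[3] == "phone"]
```

Run against `SAMPLE_EVENTS`, alice (phone reset, app enrolled 12 minutes later) is the page-worthy alert, carol (ticketed reset) is queued for review, and dave is not flagged.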

Comparison with Retail Phase

| Phase | Entry Method | Tools | Impact |
|---|---|---|---|
| Retail | Help‑desk impersonation | DragonForce, data encryption | £300 M+ at M&S, multiple outages ([hackthebox.com][1]) |
| Insurance | Social‑engineering, vishing | MFA resets, data access | Aflac SSN leak, Erie/Philadelphia outages |

Despite evolving sectors, the core TTPs remain rooted in identity-centric manipulation—just with different end goals and payloads.

Final Thoughts

Scattered Spider's shift to the insurance industry is a strategic progression—not a new tactic. The sector must treat social engineers with the same rigour as software exploits. Strengthen identity defenses, keep humans alert, and prepare incident response before that phone rings.

Stay proactive—it's the only way to disrupt the chain before they hit your claim system.
