
NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked


The UK's National Cyber Security Centre (NCSC) has warned the IT helpdesks of retailers to be on their guard against bogus support calls they might receive from hackers pretending to be staff locked out of their accounts.

The warning comes in the wake of high-profile ransomware attacks against Marks & Spencer and Co-op which are estimated to have cost the companies millions of pounds already due to disruption to services and lost sales.

The NCSC says that it has "insights into the three attacks" but that it was "not yet in a position to say if these attacks are linked" or part of a concerted campaign.

However, in the advisory it published on its website, the NCSC appears to have given credence to the theory that the attackers gained access to corporate victims' internal systems by exploiting employees' legitimate accounts.

And how do the hackers appear to gain access to workers' accounts? By using social engineering techniques to trick IT helpdesk staff into resetting passwords and multi-factor authentication (MFA).

The trick works like this:

A hacker "phishes" for login credentials by making a fraudulent phone call to a company's helpdesk, posing as an employee who cannot log into their account.

Often the attacker makes their approach more convincing by gathering information in advance from social media about the individual they are impersonating.

Just such a trick was used against the MGM Resorts casinos in Las Vegas in 2023, which left guests unable to enter their rooms, ATMs offline, and phone lines taken down.

MGM Resorts, which refused to pay a ransom to its extortionists, claimed that the attack cost its businesses over US $100 million.

Last year British police arrested a teenager, said to be a member of the "Scattered Spider" hacking group, in connection with the attack.

The same group is reportedly also behind the attacks on Co-op and Marks & Spencer.

The advice published this week by the NCSC is sensible for all businesses to follow - not just major British retailers. It includes giving special attention to the security of high-level accounts and advising that all businesses review the processes their helpdesks have in place for handling password resets.
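The NCSC advice above, reviewing how the helpdesk handles password resets and giving extra attention to high-level accounts, can be written down as an explicit, auditable decision rule rather than left to the judgement of whoever picks up the phone. The Python model below is an added illustration, not code from Exponential-e or the NCSC; the directory entries, phone numbers, the 24-hour repeat-request threshold and the outcome names are all constructed assumptions. It captures two points the article makes: knowledge-based answers and caller ID are researchable or spoofable, so they never approve a reset on their own, and privileged accounts need a second, out-of-band approval.

```python
"""Helpdesk password/MFA reset verification policy (added illustration).

Models a verification flow a helpdesk could follow before resetting the
password or MFA of a caller who claims to be a locked-out employee.
All accounts, roles, numbers and thresholds are constructed sample values.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed directory: username -> registered callback number and privilege flag.
DIRECTORY = {
    "alice": {"callback": "+44 20 0000 0001", "privileged": False},
    "bob.admin": {"callback": "+44 20 0000 0002", "privileged": True},
}

NOW = datetime(2025, 5, 6, 9, 0)  # fixed clock so the demo is reproducible


@dataclass
class ResetRequest:
    username: str
    caller_number: str          # where the call came from; caller ID can be spoofed
    knows_employee_id: bool     # knowledge-based answer; weak, often on social media
    callback_confirmed: bool    # helpdesk hung up and rang the directory number back
    manager_approved: bool      # separate out-of-band approval for privileged accounts
    requested_at: datetime = NOW


@dataclass
class Decision:
    outcome: str                # "approve", "callback_required", "escalate", "deny"
    reasons: list[str] = field(default_factory=list)


class ResetPolicy:
    def __init__(self, window=timedelta(hours=24), max_requests=2):
        self.window = window
        self.max_requests = max_requests      # resets per account per window before escalation
        self.history = {}                     # username -> list of request times
        self.audit_log = []                   # one line per decision, for later review

    def _recent(self, username, now):
        times = [t for t in self.history.get(username, []) if now - t <= self.window]
        self.history[username] = times
        return len(times)

    def evaluate(self, req: ResetRequest) -> Decision:
        entry = DIRECTORY.get(req.username)
        if entry is None:
            return self._log(req, Decision("deny", ["unknown account"]))

        reasons = []
        if req.caller_number != entry["callback"]:
            reasons.append("caller ID differs from registered number")  # a flag, not a verdict

        # Repeated reset attempts against one account are a signal in themselves.
        previous = self._recent(req.username, req.requested_at)
        self.history.setdefault(req.username, []).append(req.requested_at)
        if previous >= self.max_requests:
            reasons.append(f"{previous} reset requests already in the last {self.window}")
            return self._log(req, Decision("escalate", reasons))

        # Knowing the employee ID or matching caller ID never approves on its own;
        # the only accepted proof is a callback to the number already on file.
        if not req.callback_confirmed:
            reasons.append("identity not confirmed by callback to registered number")
            return self._log(req, Decision("callback_required", reasons))

        if entry["privileged"] and not req.manager_approved:
            reasons.append("privileged account requires manager approval")
            return self._log(req, Decision("escalate", reasons))

        reasons.append("callback confirmed")
        if entry["privileged"]:
            reasons.append("manager approval recorded")
        return self._log(req, Decision("approve", reasons))

    def _log(self, req, decision):
        self.audit_log.append(
            f"{req.requested_at.isoformat()} user={req.username} from={req.caller_number} "
            f"outcome={decision.outcome} reasons={decision.reasons}"
        )
        return decision


def demo():
    """Run a constructed sequence of calls and return the outcome of each."""
    policy = ResetPolicy()
    calls = [
        # Caller knows alice's employee ID but the helpdesk has not called back.
        ResetRequest("alice", "+44 7700 900000", True, False, False),
        # Callback to the registered number succeeded: ordinary account, approve.
        ResetRequest("alice", "+44 20 0000 0001", True, True, False),
        # Third request for alice within the window: escalate regardless of checks.
        ResetRequest("alice", "+44 20 0000 0001", True, True, False, NOW + timedelta(hours=3)),
        # Privileged account, callback done but no manager approval: escalate.
        ResetRequest("bob.admin", "+44 20 0000 0002", True, True, False),
        # Privileged account with both checks: approve.
        ResetRequest("bob.admin", "+44 20 0000 0002", True, True, True),
        # Account not in the directory: deny.
        ResetRequest("nobody", "+44 7700 900001", False, False, False),
    ]
    outcomes = [policy.evaluate(c).outcome for c in calls]
    for line in policy.audit_log:
        print(line)
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The audit log is deliberately written on every path, including denials, because a spike of `callback_required` or `escalate` outcomes against one account is exactly the pattern a security team would want to see when a campaign like the one described here is under way.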

Be sure to learn more from Exponential-e about how to improve the cybersecurity training of your staff, and remediate against ransomware attacks.


© 2025 Exponential-e Ltd. Reg. No. 04499567, Reg. Address:100 Leman Street, London E1 8EU