MGM Resorts Social Engineering Attack

Attackers spent 10 minutes on LinkedIn and a phone call to impersonate an MGM employee and convince the help desk to reset credentials, triggering a $100 million ransomware attack.

MGM Resorts · 2023

Attack Chain

  1. Help desk called posing as employee
  2. MFA reset approved
  3. Okta admin panel accessed
  4. Customer tenant data viewed
  5. Breach disclosed weeks later

Background

MGM Resorts International operates more than 30 hotels and casinos worldwide with highly integrated digital systems controlling everything from hotel check-in to casino floors and payment systems. In September 2023 it became the victim of a devastating attack that required almost no technical sophistication.

The Attack

The ALPHV/BlackCat ransomware group, working with a group known as Scattered Spider, identified an MGM employee on LinkedIn, called the help desk impersonating that employee, and convinced IT support to reset their MFA credentials. With access to MGM's systems, they deployed ransomware, disrupted casino operations, locked guests out of hotel rooms, and took down MGM's websites and apps.

Response

MGM refused to pay the ransom and spent 10 days manually restoring operations. Casino floors went dark or reverted to cash only. Hotel check-in required pen and paper. MGM worked with the FBI, CISA, and the cybersecurity firm CrowdStrike to contain and remediate the attack.

Outcome

The attack cost MGM an estimated $100 million in lost revenue and remediation costs. It exposed how help desk social engineering bypasses even sophisticated technical controls. A sister attack hit Caesars Entertainment at the same time — Caesars paid approximately $15 million ransom and avoided most operational disruption.

Key Takeaways

  1. Help desk social engineering is one of the most effective attack vectors today
  2. In-person or out-of-band identity verification before resetting MFA is essential
  3. LinkedIn profiles provide attackers free reconnaissance data
  4. Operational resilience planning must account for full system outages
  5. Paying ransom does not guarantee operational recovery or data deletion
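The chain above (help-desk MFA reset, then privileged console access) is what a detection rule should tie together, and takeaway 2 is what the reset record should prove. The following is an added example, not MGM's or any vendor's code: it runs over a constructed, simplified JSON log and flags resets that were not verified out of band, and resets followed by an admin-console login from an unknown IP. The event names, field names and verification labels are assumptions; real identity-provider logs use their own schemas.

```python
"""Correlate help-desk MFA resets with subsequent privileged logins.

Added example. The event format is a constructed, simplified JSON log;
real identity providers use their own schemas and field names will differ.
"""
import json
from datetime import datetime, timedelta

# Constructed sample events: a help-desk MFA reset verified only by the
# caller's own answers (no out-of-band callback), then an admin-console
# login from an IP never seen for that user. Second user is the benign case.
SAMPLE_LOG = """\
{"ts":"2023-09-08T09:02:11Z","event":"mfa.factor.reset","actor":"helpdesk-agent-17","target":"jdoe","verification":"caller_questions"}
{"ts":"2023-09-08T09:41:05Z","event":"admin.console.login","actor":"jdoe","src_ip":"203.0.113.45","known_ip":false}
{"ts":"2023-09-08T10:15:00Z","event":"mfa.factor.reset","actor":"helpdesk-agent-02","target":"asmith","verification":"manager_callback"}
{"ts":"2023-09-08T16:30:00Z","event":"admin.console.login","actor":"asmith","src_ip":"198.51.100.7","known_ip":true}
"""

RESET_TO_ADMIN_WINDOW = timedelta(hours=24)
# Verification methods the policy accepts; anything else is weak (assumed labels).
OUT_OF_BAND = {"manager_callback", "in_person"}

def parse_events(text):
    """Parse one JSON object per line and return events sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])

def find_suspicious_resets(events):
    """Return (alert_type, user, detail) tuples for:
    - resets whose verification method is not out of band
    - resets followed within the window by an admin login from an unknown IP
    """
    alerts = []
    for r in (e for e in events if e["event"] == "mfa.factor.reset"):
        user = r["target"]
        if r["verification"] not in OUT_OF_BAND:
            alerts.append(("weak_verification", user, r["actor"]))
        for e in events:
            if (e["event"] == "admin.console.login" and e["actor"] == user
                    and not e["known_ip"]
                    and r["ts"] < e["ts"] <= r["ts"] + RESET_TO_ADMIN_WINDOW):
                alerts.append(("reset_then_admin_login", user, e["src_ip"]))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_resets(parse_events(SAMPLE_LOG)):
        print(alert)
```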
Tags: social engineering, ransomware, help desk, vishing, Scattered Spider, ALPHV, casino