Beware phony IT calls after Co-op and M&S hacks, says UK cyber centre


Joe Tidy

Cyber correspondent, BBC World Service

[Image: People walking in front of a Marks and Spencer store front. Credit: Getty Images]

The National Cyber Security Centre (NCSC) has warned that criminals launching cyber attacks at British retailers are impersonating IT help desks to break into organisations.

Hackers have targeted Marks & Spencer, Co-op and Harrods in the past two weeks, and on Friday the anonymous group told the BBC there will be more attacks soon.

Now the NCSC, the government agency responsible for cyber security, has issued guidance to organisations urging them to review their IT help desk "password reset processes" to reduce their chances of getting hacked.

"We believe by following best practice, all companies and organisations can minimise the chances of falling victim to actors like this," it said.

It said firms should reassess how their IT help desk "authenticates staff members" before resetting passwords, especially senior employees with access to high-level parts of an IT network.

It highlighted press speculation about "social engineering" as a way hackers may have gained access to accounts.

Criminals use social engineering techniques to get people to trust them when they email, text or call pretending to be from a company's IT help desk - ultimately tricking employees into handing over their login passwords and security codes.

This also works the other way - calling people who work on the help desk and pretending to be an employee locked out of their account.

Cyber security experts now recommend additional layers of security to deal with these sorts of attacks.

"Having code words that get used when an employee phones up to change their credentials, such as 'BluePenguin', is one thing being discussed in the cyber community as a way to check that the member of staff is genuine," said Lisa Forte from cyber security firm Red Goat.

"Ultimately it comes back to the same issue with login credentials as ever – we need multiple ways to do it to ensure it isn't easy to bypass."

NCSC advice

The NCSC advice is the strongest hint yet that the hackers are using tactics most commonly associated with a collective of English-speaking cyber criminals nicknamed Scattered Spider.

The name derives from "spider" being the term given to financially motivated cyber criminals, while "scattered" is because they are not a cohesive, organised gang.

In the past two years these disparate hackers, in their teens or early twenties, have coordinated and planned attacks on Discord and Telegram to breach dozens of companies and steal or scramble data to extort their victims.

The NCSC does not specifically name the group as being responsible for the current wave of attacks, but acknowledges Scattered Spider are known for these types of hacks.

In other NCSC advice, cyber defenders are being urged to watch out for "Risky Logins".

This means looking out for when and where employees have logged in from - for example late at night or from unusual locations.
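To make the "risky logins" advice concrete, here is a small added example (not from the NCSC guidance or the BBC article) that runs the two checks the advice describes, time of day and location, over a handful of constructed sign-in records, and additionally flags an account that appears in a second country within an hour of its previous login, which the same person could not plausibly do. The record format, the working-hours window, the per-user baseline of countries and the names `SAMPLE_LOGINS`, `BASELINE_COUNTRIES`, `parse_login` and `risky_logins` are all assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample sign-in records (not real log data). The format is assumed:
# "<UTC timestamp> <user> <ISO country code> <result>", in chronological order.
SAMPLE_LOGINS = [
    "2025-05-05T09:14:02Z alice GB success",
    "2025-05-05T23:48:10Z alice GB success",   # late at night
    "2025-05-06T10:02:33Z bob GB success",
    "2025-05-06T10:05:41Z bob RU success",     # new country, minutes after the GB login
    "2025-05-06T14:30:00Z carol US success",
    "not a valid line",                        # malformed record, must be skipped
]

# Assumed per-user baseline of the countries each account normally signs in from.
BASELINE_COUNTRIES: Dict[str, Set[str]] = {
    "alice": {"GB"},
    "bob": {"GB"},
    "carol": {"US", "GB"},
}

WORK_START, WORK_END = time(7, 0), time(20, 0)   # assumed normal working hours (UTC)
RAPID_CHANGE = timedelta(minutes=60)              # assumed window for a suspicious country change


@dataclass
class Login:
    ts: datetime
    user: str
    country: str
    result: str


def parse_login(line: str) -> Optional[Login]:
    """Parse one record; return None for lines that do not match the assumed format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return Login(ts, parts[1], parts[2].upper(), parts[3])


def risky_logins(lines, baseline=BASELINE_COUNTRIES,
                 work_start=WORK_START, work_end=WORK_END,
                 rapid_change=RAPID_CHANGE) -> List[Tuple[Login, List[str]]]:
    """Return (login, reasons) for each successful login that looks risky.

    A login is flagged when it happens outside working hours, comes from a
    country not in the user's baseline, or follows a login from a different
    country within `rapid_change` (one account cannot be in two places).
    Failed logins are ignored here; they belong to a separate brute-force check.
    """
    flagged: List[Tuple[Login, List[str]]] = []
    last_seen: Dict[str, Login] = {}          # most recent successful login per user
    for line in lines:
        login = parse_login(line)
        if login is None or login.result != "success":
            continue
        reasons: List[str] = []
        if not (work_start <= login.ts.time() <= work_end):
            reasons.append("outside working hours")
        if login.country not in baseline.get(login.user, set()):
            reasons.append(f"unusual location: {login.country}")
        prev = last_seen.get(login.user)
        if prev and prev.country != login.country and login.ts - prev.ts <= rapid_change:
            minutes = int((login.ts - prev.ts).total_seconds() // 60)
            reasons.append(f"country changed from {prev.country} {minutes} min after previous login")
        last_seen[login.user] = login
        if reasons:
            flagged.append((login, reasons))
    return flagged


if __name__ == "__main__":
    for login, reasons in risky_logins(SAMPLE_LOGINS):
        print(f"{login.ts:%Y-%m-%d %H:%M} {login.user:<6} {login.country}  {'; '.join(reasons)}")
```

Run as-is it reports alice's 23:48 login and bob's RU login; every other record passes. In practice the baseline would be built from each account's own history rather than typed in, and a hit would be routed to an analyst or used to require re-authentication rather than acted on automatically.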

Although cyber criminals could be anywhere in the world, young English-speaking hackers in the UK and US have become adept at using social engineering in their attacks.

Scattered Spider hacks

Scattered Spider hackers have been responsible for high profile attacks including the coordinated moves against casinos in Las Vegas in which MGM Grand Casinos and Caesar's Palace were hit in quick succession.

There have been six arrests in the past year of hackers accused of being from Scattered Spider in the US and UK.

In July 2024 a 17-year-old from Walsall was arrested as part of an FBI investigation into the MGM hack - and months later a person of the same age and location was arrested in connection with another hack on Transport for London.

Police would not say if the alleged hacker was the same person.

On Friday, the hackers responsible for the current wave of attacks spoke to the BBC.

The criminals repeatedly denied they are Scattered Spider hackers and would only call themselves DragonForce - the name of a cyber crime service hackers can use for malicious software and extortion.

The hackers, who were fluent English speakers, revealed to the BBC they had compromised Co-op and stolen a large amount of customer and employee data.

They would not discuss the M&S hacks. But it is thought DragonForce ransomware was used to scramble the firm's IT servers.

While the NCSC said it "had insights", it added it was "not yet in a position to say if these attacks are linked".

"We are working with the victims and law enforcement colleagues to ascertain that," it said.
