September 20, 2023

The Soft Underbelly of Cybersecurity: Phone-based Social Engineering as Utilized in the MGM Attack


The Overlooked Risk

The recent claims from the attackers who targeted MGM offer a sobering reminder of the vulnerabilities that still persist in our increasingly digitalized world. The attackers claim to have utilized one of the most straightforward yet effective methods to breach a company: phone-based social engineering. While we are waiting for confirmation on the specifics, the approach they claim to have taken is indeed a very effective one. I can personally vouch for this, as it's a technique that has worked for me in penetration tests.

Why Phone Attacks Work

Modern organizations focus heavily on email-based threats, deploying advanced spam filters, multi-factor authentication (MFA), and regular staff training to identify phishing emails. Yet, when it comes to phone-based social engineering, many fall short. The targets are usually the departments that are the first line of interaction with clients or team members: IT, Help Desk, and Customer Support.

The Weak Link: These teams often have targets to meet and are evaluated based on their speed and efficiency in resolving queries. This creates a situation ripe for exploitation, as quick decisions may bypass the necessary security protocols.

Questions to Assess Your Preparedness

1. Identity Verification: Do the employees handling requests from customers or team members follow any identity verification protocols?

2. Knowledge-Based Authentication: Are we still relying on outdated systems like DOB or Caller ID for identity verification?

3. Incentive Structure: Are Help Desk/IT/Support teams promoted or rewarded based on the speed of resolving queries without any penalties for skipping verification?

4. Alternative Methods: How do we verify the identity of the person making the request?

Protecting Your Organization

"Fast work" often equates to "good work" in many organizations, but this mindset leaves no room for security considerations. The responsibility lies with the leadership and management to institute robust identity verification protocols.

- Multi-Factor Authentication: Use OTP through a second verified communication channel as a secure verification method.

- Call Back Mechanisms: Establish protocols to call back the requester for confirmation, thus thwarting number spoofing.

- Service Codes and PINs: Implement unique service codes or personal identification numbers for added layers of security.
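A sketch of how a help desk tool could enforce the OTP and call-back controls above before an agent is allowed to act on a request. This is an added example, not code from the original post; the class, field names and the directory entry are hypothetical, and the sample data is constructed.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed validity window for a one-time code

# Constructed sample directory: the call-back number comes from the
# system of record, never from the person on the phone.
DIRECTORY = {"jdoe": {"callback": "+1-555-0100"}}


class HelpDeskVerifier:
    """Gate for sensitive requests (password or MFA resets)."""

    def __init__(self, directory, now=time.time):
        self.directory = directory
        self.now = now
        self.pending = {}  # user -> (otp, expiry timestamp)

    def start(self, user):
        """Create a one-time code to send over the verified second channel.

        Returns (otp, number_to_call_back); both come from records on file.
        """
        record = self.directory[user]
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (otp, self.now() + OTP_TTL_SECONDS)
        return otp, record["callback"]

    def decide(self, user, otp_given, dialed_number, caller_id=None, dob=None):
        """Return (approved, reasons). caller_id and dob are accepted only so
        the agent can log them; they are deliberately ignored as evidence."""
        record = self.directory.get(user)
        if record is None:
            return False, ["unknown user"]
        reasons = []
        if dialed_number != record["callback"]:
            reasons.append("call back was not placed to the number on file")
        # pop() makes the code single-use, so a replayed code fails.
        otp, expiry = self.pending.pop(user, (None, 0))
        if otp is None or self.now() > expiry:
            reasons.append("no valid OTP outstanding")
        elif not hmac.compare_digest(otp, otp_given or ""):
            reasons.append("OTP mismatch")
        return (not reasons), reasons
```

Because the decision never reads `caller_id` or `dob`, an agent under time pressure cannot approve a request on the strength of a spoofed number or a known birth date.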

Continuous Learning and Adaptation

In our experience with ethical hacking and consulting, the most rewarding part is seeing organizations adapt their verification protocols to catch techniques like these. It may be a frustrating experience to get caught in newer, stronger protocols during subsequent penetration tests, but there's nothing more satisfying than witnessing firsthand the fortification of an organization's cybersecurity posture.


In an age where companies are investing in state-of-the-art cybersecurity technologies, let's not forget that sometimes the easiest way to breach an organization is by simply picking up the phone. Update your phone-based identity verification protocols and train your team to remain vigilant against such attacks.

Remember, every organization is unique, and there's no one-size-fits-all solution. The key is to continuously adapt and improve your defenses.
