Suspected Scattered Spider domains target everyone from manufacturers to Chipotle
(2025/07/08)
- Reference: 1751956089
- News link: https://www.theregister.co.uk/2025/07/08/suspected_scattered_spider_domains_target/
- Source link:
While the aviation industry has borne the brunt of Scattered Spider's latest round of social engineering attacks, the criminals aim to catch manufacturing and medical tech companies — and even Chipotle Mexican Grill — in their web, as evidenced by hundreds of domains that security researchers say look a lot like phishing websites used by the criminal crews.
Check Point researchers recently uncovered 500 such domains that follow Scattered Spider's naming conventions to spoof legitimate corporate login portals, such as "victimname-servicedesk[.]com," or an identity and authentication service used by the organization, like "victimname-okta[.]com."
These registered domains indicate "potential phishing infrastructure either in use or prepared for future attacks," according to the threat hunters' Monday [1]report.
The websites look like real login pages used by most enterprises, and they are designed to trick employees into entering their login credentials. The loosely knit gang of criminals specializes in social engineering, and has been known to make [3]fake calls to IT helpdesks posing as employees; these attacks could conceivably work in the opposite direction, with a fake helpdesk call pointing an employee to the fake domain.
While some of the domains appear to mimic retail and aviation organizations, which have recently been hit hard by the loosely knit gang of criminals who specialize in social engineering, "others impersonate companies across a much broader set of industries, including manufacturing, medical technology, financial services, and enterprise platforms," according to Check Point.
Some of the domains spotted by the researchers include:
chipotle-sso[.]com
gemini-servicedesk[.]com
Hubspot-okta[.]com
While Check Point notes that it hasn't confirmed all 500 websites as malicious, their alignment with Scattered Spider's tactics "strongly suggests targeting intent."
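As an added example (not from the article or from Check Point's report), the following Python filter applies the naming convention described above to a feed of newly observed domains, the kind a defender pulls from certificate transparency logs or a domain-registration feed. The suffix list and the sample feed are constructed from the names quoted in the article, and the registrable-label logic assumes a single-label public suffix such as .com; a match is an indicator worth triage, not confirmation of malicious use.

```python
import re

# Service suffixes quoted in the findings above (constructed list; extend it
# with the identity and helpdesk services your own organisation uses).
SUFFIXES = ("servicedesk", "sso", "okta")

# '<brand>-<service>' as the registrable label, e.g. chipotle-sso
LABEL_RE = re.compile(r"^(?P<brand>[a-z0-9]+)-(?P<suffix>" + "|".join(SUFFIXES) + r")$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'chipotle-sso[.]com' into a hostname."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower()


def match_lookalike(domain: str, brands):
    """Return (brand, suffix) when the registrable label follows the
    '<brand>-<service>' convention for one of our brands, else None.

    Only the label left of the public suffix is checked, so the genuine
    'okta.com' or an internal 'sso.chipotle.com' is never flagged.
    Assumes a single-label public suffix (.com, .net); .co.uk-style
    suffixes would need a public-suffix list.
    """
    labels = refang(domain).split(".")
    if len(labels) < 2:
        return None
    m = LABEL_RE.match(labels[-2])
    if m is None or m.group("brand") not in {b.lower() for b in brands}:
        return None
    return m.group("brand"), m.group("suffix")


def scan(feed, brands):
    """Filter a domain feed down to (domain, brand, suffix) triples that match."""
    hits = []
    for entry in feed:
        found = match_lookalike(entry, brands)
        if found:
            hits.append((refang(entry), *found))
    return hits


# Constructed sample feed: the three domains named in the article plus benign noise.
SAMPLE_FEED = [
    "chipotle-sso[.]com", "gemini-servicedesk[.]com", "Hubspot-okta[.]com",
    "okta.com", "sso.chipotle.com", "chipotle.com", "example-servicedesk.net",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_FEED, ["Chipotle", "Gemini", "HubSpot"]):
        print("possible lookalike:", hit)
```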
None of the three companies (Chipotle, Gemini, and Hubspot) responded to The Register's inquiries, including whether they had any evidence of their employees being targeted in social engineering campaigns.
"This cross-sector targeting underscores the group's opportunistic approach, adapting to high-value vulnerabilities rather than focusing on a specific vertical," Check Point added.
[7]Australian airline Qantas reveals data theft impacting six million customers
[8]Scattered Spider crime spree takes flight as focus turns to aviation sector
[9]Aloha, you've been pwned: Hawaiian Airlines discloses 'cybersecurity event'
[10]Cyber fiends battering UK retailers now turn to US stores
Check Point's investigation follows a recent spate of attacks targeting airlines, which prompted the [11]FBI to issue an alert.
Last week, Australia's [12]Qantas airline disclosed that 6 million of its customers had their personal information stolen in a cyberattack. And in a Monday update, the company [13]said a "potential cyber criminal has made contact" with the airline.
This would presumably be to extort Qantas into paying a fee to avoid having the data leaked online. The airline declined to answer The Register's specific questions about the contact with the cyber criminal, and whether Scattered Spider was responsible for the attack.
"As this is a criminal matter, we have engaged the Australian Federal Police and won't be commenting any further on the detail of the contact," a spokesperson said. "There is no evidence that any personal data stolen from Qantas has been released but, with the support of specialist cyber security experts, we continue to actively monitor."
In addition to Qantas, [15]Hawaiian Airlines also reported a "cybersecurity incident" in late June, as did Canada's [16]WestJet.
Prior to shifting its focus to the friendly skies, Scattered Spider hit several insurance companies, including [17]Aflac, and raided several retailers, including [18]Marks & Spencer, [19]Co-op, and Harrods. ®
[1] https://blog.checkpoint.com/research/exposing-scattered-spider-new-indicators-highlight-growing-threat-to-enterprises-and-aviation/
[3] https://www.theregister.com/2025/05/18/ex_nsa_scattered_spider_call/
[7] https://www.theregister.com/2025/07/02/qantas_data_theft/
[8] https://www.theregister.com/2025/06/30/scattered_spider_aviation/
[9] https://www.theregister.com/2025/06/27/aloha_youve_been_pwned_hawaiian/
[10] https://www.theregister.com/2025/05/15/cyber_scum_attacking_uk_retailers/
[11] https://www.linkedin.com/posts/fbicyber_alertthe-fbi-has-recently-observed-the-cybercriminal-activity-7344513662025428992--jMe?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAX3rawBPm6RIM1LZlSs7tFoRQis8-XnEUo
[12] https://www.theregister.com/2025/07/02/qantas_data_theft/
[13] https://www.qantas.com/sg/en/support/information-for-customers-on-cyber-incident.html
[15] https://www.theregister.com/2025/06/27/aloha_youve_been_pwned_hawaiian/
[16] https://www.theregister.com/2025/06/16/westjet_cybersecurity_snafu/
[17] https://www.theregister.com/2025/06/20/aflac_scattered_spider/
[18] https://www.theregister.com/2025/05/13/ms_confirms_customer_data_stolen/e
[19] https://www.theregister.com/2025/05/02/ncsc_steps_in_as_harrods/
You reap what you sow
From listening to some news about this very group this morning.
They are believed to be westerners, native English speaking and very young, possibly teenagers.
If you are a large multinational, billion dollar plus business and are being taken down by a group of skiddies then quite frankly it's your own fuckin' fault.
You have cut your IT staff, cut your skills, outsourced development to the lowest bidder, cut your training, starved IT and Infosec of resources, begrudgingly rolled out poverty spec training to staff, refused downtime for patching etc etc.
If you've done this to the point where you're getting pwned by teenagers you, the board and shareholders, deserve it.
Your staff and your customers don't but they will be the only ones to pay as usual.
I keenly await the usual incident bingo game, "sophisticated attack", "your data is our highest priority", "take security seriously", "no evidence of data theft". BS. You skimmed the money for bonuses and dividends and used $1 locks on the doors.