Information Security Buzz
Attacks Data Protection Latest News Malware News & Analysis Phishing Ransomware

Scattered Spider’s Pre-Attack Infrastructure Exposed: 500+ Phishing Domains Mimic Enterprise Logins

By Kirsten Doyle | July 7, 2025 | 4 Mins Read

The cybercrime group known as Scattered Spider is expanding its playbook and laying the groundwork long before a breach.

New findings from Check Point Research reveal a sprawling infrastructure of more than 500 phishing domains, many designed to impersonate enterprise login pages. It’s a quiet phase of attack planning, but one that holds critical value for defenders if they know what to look for.

Login Pages with Malicious Intent

Scattered Spider’s tactics are not new. Social engineering, MFA fatigue, and vishing have all featured in the group’s recent campaigns, including the Qantas breach disclosed in July, which affected about six million customers and has been widely attributed to the group. But Check Point’s latest research offers a sharper view of what happens before attackers strike.

The group has registered hundreds of domains using familiar naming conventions, like victimname-sso.com, victimname-servicedesk.com, and victimname-okta.com. These domains host fake portals crafted to trick employees into entering their credentials. The goal: steal login details, defeat MFA, and gain footholds in cloud environments.

Examples range from chipotle-sso[.]com to hubspot-okta[.]com and gemini-servicedesk[.]com. While not every domain is confirmed as malicious, the pattern is consistent, and intentional.

“These aren’t just one-off phishing attempts,” said Eli Smadja, Group Manager of Security Research at Check Point. “They’re part of a coordinated infrastructure. By uncovering over 500 domains tied to their activity, we’re giving defenders the proactive insights they need to stop these attacks before damage is done.”

A Broader Target Set, and a New Attack Surface

Scattered Spider is widening its focus. While recent incidents have hit airlines like WestJet, Hawaiian Airlines, and Qantas, the phishing domains also impersonate companies in tech, finance, retail, medical devices, and cloud platforms. 

This indicates a strategy less about sector loyalty and more about opportunity.

“The domains give us visibility into intent,” Smadja noted. “And the intent is widespread. The attackers are targeting platforms where cloud access and customer service systems converge, places where social engineering meets technical privilege.”

The infrastructure paints a clear picture: Scattered Spider is investing in scalable, reusable pre-attack tools. Phishing portals aren’t improvised—they’re part of a planned and repeatable method of infiltration.

Who Is Scattered Spider?

Also tracked as UNC3944, Muddled Libra, and 0ktapus, among other names, the group has been active since at least 2022. Its members are believed to be mostly young, native English speakers from the US and UK, a detail that helps their voice-phishing calls pass as legitimate internal or vendor contacts.

They’ve been linked to high-profile breaches in telecoms, insurance, finance, retail, and now aviation. In recent campaigns, Scattered Spider has manipulated call centre staff, had MFA factors reset, and convinced employees to install remote access tools. The goal is always the same: gain initial access, pivot to valuable systems, and monetize the breach through data theft or ransomware.

Their tools include a mix of legitimate remote desktop software (TeamViewer, ScreenConnect, Tailscale), credential stealers like Raccoon and Vidar, and commodity malware such as WarZone RAT. In some cases, they’ve partnered with ransomware operators like BlackCat/ALPHV for full-scale extortion.

Defense Starts Before the Phish

Check Point’s findings offer defenders an opportunity to get ahead. These domains act as early indicators: watchpoints in the kill chain that appear well before attackers reach internal systems.

The company’s guidance for enterprises includes:

  • Domain Monitoring: Watch for new registrations that pair your brand with login-portal keywords (sso, okta, servicedesk) or otherwise mimic your login pages.
  • Adaptive MFA: Use risk-based MFA that evaluates device, location and login behavior, rather than relying solely on a push approval.
  • Training and Simulation: Focus on helping employees recognize vishing and MFA fatigue attacks.
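The naming pattern described earlier (victimname-sso, victimname-servicedesk, victimname-okta) and the Domain Monitoring guidance above lend themselves to a simple check over a feed of newly registered or newly observed domains. The Python script below is an added example written for this page; it is not Check Point’s tooling and does not use its dataset. The brand list, the two extra keywords (helpdesk, vpn) and the sample feed are constructed assumptions, and the registrable-label logic assumes single-label public suffixes such as .com.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

# Login-portal keywords from the naming conventions the article reports
# (victimname-sso, victimname-servicedesk, victimname-okta). "helpdesk" and
# "vpn" are assumptions added for this example.
LOGIN_KEYWORDS = ("sso", "servicedesk", "okta", "helpdesk", "vpn")

# Brands to protect (constructed for this example; use your own brand and
# product names, including common abbreviations).
WATCHED_BRANDS = ("chipotle", "hubspot", "gemini", "examplecorp")


@dataclass(frozen=True)
class Hit:
    domain: str       # refanged, lowercased domain as seen in the feed
    brand: str        # watched brand the domain impersonates
    keyword: str      # login keyword attached to the brand
    hyphenated: bool  # True for brand-keyword / keyword-brand joined with "-"


def refang(domain: str) -> str:
    """Turn defanged notation such as chipotle-sso[.]com back into a hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower().rstrip(".")


def registrable_label(domain: str) -> Optional[str]:
    """Second-level label, e.g. 'chipotle-sso' for login.chipotle-sso.com.

    Assumption: single-label public suffix (.com, .net). Suffixes like .co.uk
    need a public-suffix list, which is out of scope here.
    """
    labels = [part for part in refang(domain).split(".") if part]
    return labels[-2] if len(labels) >= 2 else None


def split_label(label: str) -> Optional[tuple[str, str, bool]]:
    """Split brand-keyword, keyword-brand, or the unhyphenated forms into
    (brand_part, keyword, hyphenated). None if no login keyword is present."""
    tokens = [t for t in label.split("-") if t]
    found = [t for t in tokens if t in LOGIN_KEYWORDS]
    if found:
        brand_part = "".join(t for t in tokens if t not in LOGIN_KEYWORDS)
        return brand_part, found[0], len(tokens) > 1
    for kw in LOGIN_KEYWORDS:  # unhyphenated: chipotlesso.com, oktahubspot.com
        if len(label) > len(kw):
            if label.endswith(kw):
                return label[: -len(kw)], kw, False
            if label.startswith(kw):
                return label[len(kw):], kw, False
    return None


def match_brand(brand_part: str, brands: Iterable[str]) -> Optional[str]:
    """Exact brand first, then brand contained in the remainder (hawaiianairlines-sso)."""
    brands = tuple(brands)
    if brand_part in brands:
        return brand_part
    return next((b for b in brands if len(b) >= 4 and b in brand_part), None)


def scan(domains: Iterable[str], brands: Iterable[str] = WATCHED_BRANDS) -> list[Hit]:
    """Return one Hit per domain that pairs a watched brand with a login keyword."""
    brands = tuple(b.lower() for b in brands)
    hits: list[Hit] = []
    for raw in domains:
        label = registrable_label(raw)
        parts = split_label(label) if label else None
        if not parts:
            continue
        brand_part, keyword, hyphenated = parts
        brand = match_brand(brand_part, brands)
        if brand:
            hits.append(Hit(refang(raw), brand, keyword, hyphenated))
    return hits


# Constructed sample feed (not Check Point's data): the three defanged examples
# from the article plus benign and edge-case entries.
SAMPLE_FEED = [
    "chipotle-sso[.]com",
    "hubspot-okta[.]com",
    "gemini-servicedesk[.]com",
    "examplecorphelpdesk.net",     # unhyphenated brand+keyword
    "login.okta-examplecorp.com",  # keyword first, under a subdomain
    "sso.examplecorp.com",         # first-party host: keyword is a subdomain, not the registrable label
    "chipotle.com",                # brand only, no keyword
    "okta.com",                    # keyword only, no brand
    "ssoexamplecorp",              # no TLD: ignored
]

if __name__ == "__main__":
    for h in scan(SAMPLE_FEED):
        print(f"{h.domain:30} brand={h.brand:12} keyword={h.keyword:12} hyphenated={h.hyphenated}")
```

The check deliberately keys on the registrable label, so a legitimate first-party host like sso.examplecorp.com is not flagged while okta-examplecorp.com under any subdomain is. Feed it from a certificate-transparency or newly-registered-domain stream and treat every hit as a candidate for takedown or blocking, not as confirmed malicious on its own.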
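The Adaptive MFA point above, and the MFA-fatigue tactic mentioned earlier in the article, can be partly covered by a detection over your identity provider’s push logs. The script below is an added example for this page, not anything from the article or from Check Point; the JSON line format, user names, thresholds and window length are constructed assumptions (real IdP logs, such as Okta’s System Log, use different field names). It flags two patterns: an approval that arrives after several denied or unanswered pushes, and a burst of pushes regardless of outcome.

```python
from __future__ import annotations

import json
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Thresholds are assumptions for this example; tune them to your IdP's normal push rate.
WINDOW = timedelta(minutes=10)
MAX_PUSHES_IN_WINDOW = 5        # volume alone is suspicious at this point
MIN_REJECTS_BEFORE_APPROVE = 3  # an approval after this many denials/timeouts is the fatigue signature


@dataclass(frozen=True)
class Alert:
    user: str
    kind: str            # "approve_after_rejects" or "push_volume"
    at: datetime
    pushes_in_window: int
    detail: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one JSON log line; returns None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    try:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        return ev
    except (ValueError, KeyError, AttributeError, TypeError):
        return None


def detect(lines: Iterable[str]) -> list[Alert]:
    """Sliding-window detection of MFA push bombing per user."""
    events = [e for e in map(parse_line, lines) if e and e.get("event") == "mfa.push"]
    events.sort(key=lambda e: e["ts"])  # logs are often delivered out of order
    windows: dict[str, deque] = defaultdict(deque)  # user -> recent (ts, outcome)
    alerts: list[Alert] = []
    for ev in events:
        q = windows[ev["user"]]
        q.append((ev["ts"], ev["outcome"]))
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()
        rejects = sum(1 for _, outcome in q if outcome != "APPROVED")
        if ev["outcome"] == "APPROVED" and rejects >= MIN_REJECTS_BEFORE_APPROVE:
            alerts.append(Alert(ev["user"], "approve_after_rejects", ev["ts"], len(q),
                                f"approved after {rejects} denied/timed-out pushes within {WINDOW}"))
        elif len(q) == MAX_PUSHES_IN_WINDOW:
            # Fires once, at the moment the threshold is crossed.
            alerts.append(Alert(ev["user"], "push_volume", ev["ts"], len(q),
                                f"{len(q)} pushes within {WINDOW}"))
    return alerts


# Constructed sample log (not from any real IdP): alice is bombed and gives in,
# carol is bombed and holds out, bob has ordinary traffic. One malformed line
# and one non-push event are included to show they are skipped.
SAMPLE_LOG = """
{"ts": "2025-07-07T09:00:00Z", "user": "alice", "event": "mfa.push", "outcome": "DENIED", "src_ip": "198.51.100.7"}
{"ts": "2025-07-07T09:01:10Z", "user": "alice", "event": "mfa.push", "outcome": "TIMEOUT", "src_ip": "198.51.100.7"}
{"ts": "2025-07-07T09:02:05Z", "user": "alice", "event": "mfa.push", "outcome": "DENIED", "src_ip": "198.51.100.7"}
{"ts": "2025-07-07T09:03:30Z", "user": "alice", "event": "mfa.push", "outcome": "DENIED", "src_ip": "198.51.100.7"}
{"ts": "2025-07-07T09:04:12Z", "user": "alice", "event": "mfa.push", "outcome": "APPROVED", "src_ip": "198.51.100.7"}
{"ts": "2025-07-07T09:04:15Z", "user": "alice", "event": "signin.success", "src_ip": "198.51.100.7"}
{"ts": "2025-07-07T09:21:00Z", "user": "bob", "event": "mfa.push", "outcome": "APPROVED", "src_ip": "203.0.113.5"}
{"ts": "2025-07-07T09:20:00Z", "user": "bob", "event": "mfa.push", "outcome": "TIMEOUT", "src_ip": "203.0.113.5"}
this line is not JSON and is skipped
{"ts": "2025-07-07T09:10:00Z", "user": "carol", "event": "mfa.push", "outcome": "DENIED", "src_ip": "198.51.100.9"}
{"ts": "2025-07-07T09:11:00Z", "user": "carol", "event": "mfa.push", "outcome": "DENIED", "src_ip": "198.51.100.9"}
{"ts": "2025-07-07T09:12:00Z", "user": "carol", "event": "mfa.push", "outcome": "DENIED", "src_ip": "198.51.100.9"}
{"ts": "2025-07-07T09:13:00Z", "user": "carol", "event": "mfa.push", "outcome": "DENIED", "src_ip": "198.51.100.9"}
{"ts": "2025-07-07T09:14:00Z", "user": "carol", "event": "mfa.push", "outcome": "DENIED", "src_ip": "198.51.100.9"}
{"ts": "2025-07-07T09:15:00Z", "user": "carol", "event": "mfa.push", "outcome": "DENIED", "src_ip": "198.51.100.9"}
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.at.isoformat()} {a.user:8} {a.kind:22} {a.detail}")
```

The approve-after-rejects rule is the one to route to a responder quickly: it is the moment the attacker gets a session, and the right response is to revoke that session and the factor, then call the user back on a known-good number. Pair it with number matching or a similar push-verification control so that a fatigued approval is harder to obtain in the first place.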

For the aviation sector, the advice becomes more specific:

  • Vendor Risk Assessments: Audit third-party call centers and IT providers for identity verification practices.
  • Tailored Incident Response: Build sector-specific playbooks for breaches involving loyalty platforms and passenger data.
  • Layered Identity Checks: Require more than one method of verification for password resets or MFA changes.

A Threat Built on Familiarity 

What makes Scattered Spider dangerous is its understanding of how people and systems behave under pressure. Its operators mimic internal language, spoof trusted voices, and time their attacks for when staff are least prepared.

As Rex Booth, CISO of SailPoint, recently observed: “Because most of Scattered Spider are native English speakers, they’re able to execute social engineering attacks without raising concerns as readily. It makes them very effective at exploiting the human side of cybersecurity.” 

That human side starts long before a user clicks a malicious link. It begins with trust, in a URL, an interface, a process. 

The lesson from Check Point is simple: watch the infrastructure. Spot the fake before someone believes it’s real.

Kirsten Doyle, Information Security Buzz News Editor

Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.

Information Security Buzz and all its contents are copyright © 2014-2025. All rights reserved. All third-party trademarks are recognized.
