Live Threats
[CVE-2026-1234]Windows CLFS Driver zero-day — privilege escalation to SYSTEM, CISA KEV confirmed, patch immediately|
[CVE-2026-0891]Fortinet FortiOS authentication bypass — unauthenticated admin access, active exploitation in the wild|
[CVE-2026-2201]Palo Alto PAN-OS command injection — remote code execution on firewall management plane, CISA KEV listed|
[PATCH]Microsoft April 2026 Patch Tuesday — 147 CVEs addressed including 3 zero-days, deploy immediately|
[BREACH]Healthcare sector breach — 2.3M patient records exposed, PHI including SSNs and medical histories compromised|
[CVE-2026-1887]Chrome V8 type confusion RCE — remote code execution via malicious web page, update Chrome immediately|
[COMPLIANCE]PCI DSS 4.0.1 MFA deadline — mandatory multi-factor authentication enforcement now in effect for all merchants|
[CVE-2026-3310]Cisco IOS XE privilege escalation — authenticated users gain root on affected switches and routers, patch now|
[RANSOMWARE]LockBit 4.0 SMB campaign — RDP brute-force targeting small businesses, double-extortion, 72-hour ransom window|
[ADVISORY]Adobe Acrobat PDF phishing wave — malicious PDFs bypassing email filters, credential harvesting at scale|
THREAT INTEL | CRITICAL

Scattered Spider Returns: Retail & Hospitality Firms Hit with Advanced Social Engineering

Published April 24, 2026
5 min read
Source: CrowdStrike / FBI Flash Alert
Affected Systems
  • IT Help Desk Systems
  • Identity Providers (Okta, Azure AD)
  • VPN & Remote Access
  • Cloud Environments (AWS, Azure, GCP)
Executive Summary

The notorious Scattered Spider threat group — responsible for the 2023 MGM Resorts and Caesars Entertainment breaches — has resumed operations targeting US retail and hospitality companies using AI-enhanced vishing and help desk impersonation attacks.

Who Is Scattered Spider

Scattered Spider (also tracked as UNC3944, Octo Tempest, and Starfraud) is a loosely organized cybercriminal group primarily composed of English-speaking members, many believed to be based in the US and UK. The group gained international notoriety in 2023 when they breached MGM Resorts International and Caesars Entertainment using social engineering attacks against IT help desks, causing hundreds of millions of dollars in damages. Following a period of reduced activity after several arrests in late 2024, CrowdStrike and the FBI confirmed in April 2026 that the group has reconstituted and resumed targeting US organizations, with a particular focus on retail and hospitality companies.

How the Attacks Work

Scattered Spider's signature technique is help desk social engineering. Attackers call an organization's IT help desk posing as a new employee, a remote worker locked out of their account, or even a senior executive. Using information gathered from LinkedIn, company websites, and data broker sites, they construct convincing backstories and answer security questions correctly. They then pressure help desk staff to reset MFA, add a new authenticator device, or provide temporary access credentials. In 2026, the group has enhanced their attacks with AI-generated voice cloning to impersonate specific employees, making the calls even more convincing. Once they gain initial access, they move quickly to establish persistence, exfiltrate data, and in some cases deploy ransomware.

Recent Victims and Tactics

CrowdStrike's April 2026 threat report identified at least 11 confirmed Scattered Spider intrusions in Q1 2026, targeting retail chains, hotel groups, and restaurant franchises. In several cases, attackers successfully convinced help desk staff to enroll a new authenticator app on a victim's account, bypassing MFA entirely. The group is also using SIM swapping — bribing or social engineering mobile carrier employees to transfer a victim's phone number to an attacker-controlled SIM — to intercept SMS-based MFA codes. Once inside, attackers have been observed accessing point-of-sale system credentials, customer loyalty program databases, and payment processing systems.

Defending Against Social Engineering at Scale

The most effective defense against Scattered Spider is a strict identity verification policy for all privileged account changes. Implement a rule that no MFA reset, password change, or new device enrollment can be performed based solely on a phone call — require the employee to verify their identity through a secondary channel such as a video call with their manager or an in-person visit to IT. Upgrade from SMS-based MFA to phishing-resistant FIDO2 authenticators or passkeys — these cannot be bypassed by SIM swapping or vishing. Implement conditional access policies that flag unusual login patterns such as new device enrollments from unexpected locations. Conduct regular social engineering awareness training that specifically covers vishing and help desk impersonation scenarios.

What Segler.Net Recommends

We strongly recommend that all San Antonio businesses — especially those in retail, hospitality, and professional services — review their help desk verification procedures immediately. If your IT support is handled by an internal team or a managed service provider, ensure they have a documented identity verification policy that does not rely solely on caller-provided information. Consider implementing a privileged access management (PAM) solution that requires multi-party approval for sensitive account changes. Contact Segler.Net to schedule a social engineering awareness training session for your staff and a review of your identity verification procedures.

Key Takeaways & Action Items
  • Train your help desk staff to never reset MFA or passwords based solely on a phone call — require in-person or video verification
  • Implement a callback verification policy using a known number before any privileged account changes
  • Enable phishing-resistant MFA (FIDO2/passkeys) — SMS and voice OTP can be bypassed by Scattered Spider
  • Monitor for unusual identity provider activity including bulk MFA resets or new device enrollments
  • Brief all employees on vishing tactics — attackers impersonate new hires, executives, and IT staff convincingly
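As an added example (not code from the advisory, CrowdStrike, or Segler.Net), the script below applies the monitoring guidance above to constructed identity-provider log events: it flags a help desk actor performing a burst of MFA resets, and flags a new authenticator activation from an unexpected country that follows a reset of the same user. The event types, field names and sample values are assumptions, not a real IdP export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events loosely modelled on identity-provider system logs.
# The event types and field names are an assumption, not a real IdP export.
EVENTS = [
    {"ts": "2026-04-20T09:01:00", "type": "mfa.factor.reset", "actor": "helpdesk.jo", "target": "alice", "country": "US"},
    {"ts": "2026-04-20T09:04:00", "type": "mfa.factor.reset", "actor": "helpdesk.jo", "target": "bob", "country": "US"},
    {"ts": "2026-04-20T09:06:00", "type": "mfa.factor.reset", "actor": "helpdesk.jo", "target": "carol", "country": "US"},
    {"ts": "2026-04-20T09:08:00", "type": "mfa.factor.activate", "actor": "carol", "target": "carol", "country": "RO"},
    {"ts": "2026-04-20T14:30:00", "type": "mfa.factor.reset", "actor": "helpdesk.kim", "target": "dave", "country": "US"},
    {"ts": "2026-04-20T14:35:00", "type": "mfa.factor.activate", "actor": "dave", "target": "dave", "country": "US"},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def bulk_resets(events, window=timedelta(minutes=30), threshold=3):
    """Map each actor to the largest number of MFA resets they performed inside
    any sliding window of `window`, keeping only actors reaching `threshold`.
    Many resets by one help desk account in a short span is the pattern to watch."""
    per_actor = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["type"] == "mfa.factor.reset":
            per_actor[e["actor"]].append(_ts(e))
    flagged = {}
    for actor, times in per_actor.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[actor] = max(flagged.get(actor, 0), end - start + 1)
    return flagged

def unexpected_enrollments(events, expected_countries, follow=timedelta(minutes=60)):
    """Return (user, country) for authenticator activations from outside
    `expected_countries` that occur within `follow` of a reset on the same user:
    a new device enrolled from an unexpected location right after a help desk reset."""
    last_reset, hits = {}, []
    for e in sorted(events, key=_ts):
        if e["type"] == "mfa.factor.reset":
            last_reset[e["target"]] = _ts(e)
        elif e["type"] == "mfa.factor.activate" and e["country"] not in expected_countries:
            reset_at = last_reset.get(e["target"])
            if reset_at is not None and _ts(e) - reset_at <= follow:
                hits.append((e["target"], e["country"]))
    return hits
```

Both checks are a starting point for an alert rule; tune `window`, `threshold` and the expected-country set to your own help desk volume and workforce footprint.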