While the aviation industry has borne the brunt of Scattered Spider’s latest round of social engineering attacks, the criminals aim to catch manufacturing and medical tech companies — and even Chipotle Mexican Grill — in their web, as evidenced by hundreds of domains that security researchers say look a lot like phishing websites used by the criminal crews.
Check Point researchers recently uncovered 500 such domains that follow Scattered Spider’s naming conventions to spoof legitimate corporate login portals, such as “victimname-servicedesk[.]com,” or an identity and authentication service used by the organization, like “victimname-okta[.]com.”
These registered domains indicate “potential phishing infrastructure either in use or prepared for future attacks,” according to the threat hunters’ Monday report.
The websites look like real login pages used by most enterprises, and they are designed to trick employees into entering their login credentials. The loosely knit gang of criminals specializes in social engineering, and has been known to make fake calls to IT helpdesks posing as employees; these attacks could conceivably work in the opposite direction, with a fake helpdesk call pointing an employee to the fake domain.
While some of the domains appear to mimic retail and aviation organizations, which have recently been hit hard by the loosely knit gang of criminals who specialize in social engineering, “others impersonate companies across a much broader set of industries, including manufacturing, medical technology, financial services, and enterprise platforms,” according to Check Point.
Some of the domains spotted by the researchers include:
- chipotle-sso[.]com
- gemini-servicedesk[.]com
- Hubspot-okta[.]com
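The naming convention above (a brand name, a hyphen, then a helpdesk or identity-provider suffix, registered as its own domain) is simple enough to watch for in a newly-registered-domain feed. The following script is an added example, not Check Point's tooling; the brand watchlist and the sample feed are constructed for illustration, and the real Okta tenant form (a subdomain under okta.com rather than a hyphenated registration) is deliberately left unflagged.

```python
import re
from typing import Optional

# Suffixes from the naming convention the report describes:
# "<victim>-servicedesk[.]com", "<victim>-okta[.]com", and "-sso" as in chipotle-sso[.]com.
SUSPICIOUS_SUFFIXES = frozenset({"servicedesk", "okta", "sso"})

# Constructed watchlist of brands a defender is responsible for (assumption for this example).
WATCHED_BRANDS = frozenset({"chipotle", "gemini", "hubspot"})

# <brand>-<suffix>.<tld> as a single registrable name. A genuine Okta tenant is
# addressed as a subdomain (<org>.okta.com), which this pattern does not match.
_PATTERN = re.compile(r"^(?P<brand>[a-z0-9]+)-(?P<suffix>[a-z0-9]+)\.(?P<tld>[a-z]{2,})$")


def refang(domain: str) -> str:
    """Turn the defanged 'example[.]com' notation used in reports back into a hostname."""
    return domain.strip().lower().replace("[.]", ".")


def classify(domain: str) -> Optional[dict]:
    """Return brand/suffix details if the domain fits the lookalike convention, else None."""
    m = _PATTERN.match(refang(domain))
    if m is None or m.group("suffix") not in SUSPICIOUS_SUFFIXES:
        return None
    return {
        "domain": m.group(0),
        "brand": m.group("brand"),
        "suffix": m.group("suffix"),
        "watched": m.group("brand") in WATCHED_BRANDS,
    }


def scan_feed(domains: list) -> list:
    """Reduce a list of newly registered domains to those matching the convention."""
    return [hit for hit in map(classify, domains) if hit is not None]


# Constructed sample feed: the three domains named in the report plus benign filler.
SAMPLE_FEED = [
    "chipotle-sso[.]com",
    "gemini-servicedesk[.]com",
    "Hubspot-okta[.]com",       # case differs in the report's listing; refang() normalises it
    "example-shop.com",         # hyphenated, but not a helpdesk/identity suffix
    "acme.okta.com",            # genuine tenant form: subdomain, not a hyphenated registration
    "acme-okta.net",            # convention match for a brand outside our watchlist
]

if __name__ == "__main__":
    for hit in scan_feed(SAMPLE_FEED):
        flag = "WATCHED" if hit["watched"] else "other"
        print(f"{hit['domain']:<28} brand={hit['brand']:<10} suffix={hit['suffix']:<12} {flag}")
```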
While Check Point notes that it hasn’t confirmed all 500 websites as malicious, their alignment with Scattered Spider’s tactics “strongly suggests targeting intent.”
None of the three companies (Chipotle, Gemini, and Hubspot) responded to The Register’s inquiries, including whether they had any evidence of their employees being targeted in social engineering campaigns.
“This cross-sector targeting underscores the group’s opportunistic approach, adapting to high-value vulnerabilities rather than focusing on a specific vertical,” Check Point added.
Check Point’s investigation follows a recent spate of attacks targeting airlines, which prompted the FBI to issue an alert.
Last week, Australia’s Qantas airline disclosed that 6 million of its customers had their personal information stolen in a cyberattack. And in a Monday update, the company said a “potential cyber criminal has made contact” with the airline.
This would presumably be to extort Qantas into paying a fee to avoid having the data leaked online. The airline declined to answer The Register’s specific questions about the contact with the cyber criminal, and whether Scattered Spider was responsible for the attack.
“As this is a criminal matter, we have engaged the Australian Federal Police and won’t be commenting any further on the detail of the contact,” a spokesperson said. “There is no evidence that any personal data stolen from Qantas has been released but, with the support of specialist cyber security experts, we continue to actively monitor.”
In addition to Qantas, Hawaiian Airlines also reported a “cybersecurity incident” in late June, as did Canada’s WestJet.
Prior to shifting its focus to the friendly skies, Scattered Spider hit several insurance companies, including Aflac, and raided several retailers, including Marks & Spencer, Co-op, and Harrods.®