Inside Scattered Spider’s Web: Why NYC Financial Institutions Must Strengthen Cybersecurity Posture Now

New York City's financial institutions face a growing threat from Scattered Spider, a cybercriminal group whose evolving tactics are documented in the July 29, 2025 update to the joint FBI/CISA advisory. The group now deploys DragonForce ransomware alongside social engineering that targets large companies through their IT help desks.

Financial firms are prime targets because they store high-value data and rely on complex vendor ecosystems that create multiple attack vectors for skilled social engineers. The group's latest methods include joining incident response calls to gather intelligence and searching through internal communications to stay ahead of security teams. These tactics make traditional cybersecurity approaches insufficient for protecting against modern threats.

The FBI advisory reveals that Scattered Spider has expanded beyond basic phishing to use multilayered spear-phishing calls, SIM-swap attacks, and legitimate remote monitoring tools to maintain persistent access. The group's ability to impersonate IT staff and manipulate help desk procedures puts NYC financial institutions at serious risk of data breaches and operational disruption.

Key Takeaways

  • Scattered Spider uses advanced social engineering to trick employees into giving up credentials and MFA approvals
  • The group joins incident response calls and monitors internal communications to avoid detection by security teams
  • Financial institutions need phishing-resistant MFA, offline backups, and network segmentation to defend against these evolving threats

Scattered Spider: Threat Overview and Recent Tactics

Scattered Spider has emerged as one of the most sophisticated cybercriminal groups targeting major enterprises since 2022. The group combines advanced social engineering with legitimate remote tools to infiltrate organizations, making them particularly dangerous to financial institutions with valuable data and complex vendor relationships.

Group History and Aliases

Scattered Spider operates under multiple aliases including UNC3944, Octo Tempest, Storm-0875, Muddled Libra, and Scatter Swine. This financially motivated group has been active since at least May 2022.

The group focuses on data theft for extortion purposes and also deploys ransomware once inside target systems. Its operations span multiple countries, prompting joint advisories from U.S. and international cybersecurity agencies.

Recent activity shows the group has expanded their toolkit. They now use DragonForce ransomware alongside their traditional data extortion methods. The FBI and CISA released updated warnings in July 2025 about their evolving techniques.

Target Profile: Why Financial Institutions Are at Risk

Scattered Spider primarily targets large enterprises across multiple sectors. Financial institutions face heightened risk due to several key factors:

  • High-value customer data and financial records
  • Complex IT environments with multiple vendors
  • Large help desk operations that attackers can impersonate
  • Critical infrastructure that cannot afford downtime

The group specifically targets telecommunications, outsourcing firms, and cloud/tech companies. More recently, they have expanded to focus on retail, finance, and insurance sectors.

Financial firms in dense business centers like New York face additional exposure. Their interconnected vendor relationships create multiple attack vectors for social engineering campaigns.

Evolving Tactics: New Social Engineering and Ransomware

Scattered Spider employs increasingly sophisticated social engineering techniques. Their primary methods include:

Phone and SMS Impersonation

  • Pose as IT staff or help desk personnel
  • Contact employees directly to request credentials
  • Use detailed knowledge of company procedures

Multi-Factor Authentication Attacks

  • Deploy "push bombing" with repeated MFA prompts
  • Perform SIM swap attacks to control mobile devices
  • Register their own MFA tokens for persistent access

Advanced Phishing Operations

  • Create domains that mimic company SSO pages
  • Conduct multilayered spear-phishing calls
  • Research help desk procedures before attacks

The group also relies on legitimate remote monitoring and management tools such as FleetDeck, TeamViewer, and AnyDesk, which blend in with normal IT activity. Alongside these it deploys malware such as the Ratty remote access trojan and, in later attack stages, DragonForce ransomware.

Their "living off the land" approach makes detection extremely difficult. They blend malicious activity with normal business operations, often joining incident response calls to gather intelligence about defensive measures.

Social Engineering: The Group's Primary Attack Vector

Scattered Spider succeeds by exploiting human psychology rather than technical vulnerabilities. The group uses phone calls, text messages, and fake websites to trick employees into giving up login credentials and bypassing security controls.

Impersonation of IT and Help Desk Personnel

Scattered Spider members pose as internal IT staff or contracted help desk workers to gain employee trust. They research company structures and employee names through social media and public records.

The attackers call employees directly. They claim urgent security issues require immediate password resets or account verification. They often use company-specific language and reference real employee names to appear legitimate.

Common impersonation tactics include:

  • Calling after business hours when fewer security staff are available
  • Claiming the employee's account shows suspicious activity
  • Using spoofed phone numbers that match company extensions
  • Referencing recent company news or IT changes

The group targets new employees who may not know proper verification procedures. They also focus on employees in different time zones where verification calls are harder to make.

Push Bombing and SIM Swap Attacks

Push bombing involves sending multiple authentication requests to overwhelm users. Scattered Spider sends dozens of push notifications to employee phones until they approve one to stop the alerts.

The group combines this with phone calls. They tell employees the notifications are part of a security update. Many employees click "approve" just to end the constant alerts.

SIM swap attacks let the group control employee phone numbers. They contact mobile carriers pretending to be the account holder. They claim they need to transfer service to a new phone.

SIM swap attack steps:

  1. Gather personal information through social engineering or data breaches
  2. Call carrier customer service with victim's details
  3. Request phone number transfer to attacker-controlled device
  4. Receive all text messages and calls meant for the victim

Once they control the phone number, they can bypass text-based two-factor authentication. They reset passwords and receive verification codes directly.
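Push bombing leaves a distinctive trace in identity-provider logs: many push challenges to one user in a short window, followed by an approval. The detector below is added here as an example and is not code from the advisory or from the page's author. The event layout (time, user, factor, result, client IP), the constructed SAMPLE_EVENTS, the four-challenges-in-ten-minutes threshold, and the `detect_push_bombing` function are all assumptions for illustration; map the fields from your own IdP's system log before using it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed MFA events for the example (not real telemetry). The tuple
# layout (time, user, factor, result, client IP) is an assumption; map it
# from your IdP's system log before use.
SAMPLE_EVENTS = [
    # Normal user: one push, approved.
    ("2025-08-04T08:01:10Z", "j.doe", "push", "challenge", "203.0.113.10"),
    ("2025-08-04T08:01:25Z", "j.doe", "push", "approved", "203.0.113.10"),
    # Targeted user: repeated pushes from an unfamiliar IP after hours,
    # ignored or denied at first, then approved after a "security update" call.
    ("2025-08-04T21:14:02Z", "a.lee", "push", "challenge", "198.51.100.7"),
    ("2025-08-04T21:14:09Z", "a.lee", "push", "denied", "198.51.100.7"),
    ("2025-08-04T21:14:40Z", "a.lee", "push", "challenge", "198.51.100.7"),
    ("2025-08-04T21:15:01Z", "a.lee", "push", "timeout", "198.51.100.7"),
    ("2025-08-04T21:15:20Z", "a.lee", "push", "challenge", "198.51.100.7"),
    ("2025-08-04T21:15:55Z", "a.lee", "push", "challenge", "198.51.100.7"),
    ("2025-08-04T21:16:30Z", "a.lee", "push", "challenge", "198.51.100.7"),
    ("2025-08-04T21:17:05Z", "a.lee", "push", "approved", "198.51.100.7"),
]

BURST_THRESHOLD = 4             # challenges per user inside the window (assumed)
WINDOW = timedelta(minutes=10)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_bombing(events, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return alerts in time order: 'medium' when a user receives `threshold`
    push challenges within `window`, 'high' when a push is approved while
    such a burst is still open (the fatigue attack succeeded)."""
    recent = defaultdict(deque)   # user -> challenge timestamps in the window
    burst_open = {}               # user -> start time of an unresolved burst
    alerts = []
    for ts_str, user, factor, result, ip in sorted(events, key=lambda e: e[0]):
        if factor != "push":
            continue
        ts = parse_ts(ts_str)
        q = recent[user]
        if result == "challenge":
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and user not in burst_open:
                burst_open[user] = q[0]
                alerts.append({"user": user, "severity": "medium", "ip": ip, "at": ts_str,
                               "reason": f"{len(q)} push challenges within {window}"})
        elif result == "approved" and user in burst_open:
            alerts.append({"user": user, "severity": "high", "ip": ip, "at": ts_str,
                           "reason": "push approved after burst that began "
                                     + burst_open[user].isoformat()})
            del burst_open[user]
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_EVENTS):
        print(f'{a["at"]} {a["severity"].upper():6} {a["user"]} {a["ip"]}: {a["reason"]}')
```

The "medium" alert is the point at which the help desk should be calling the employee on a known number, before the "high" one fires; in a streaming pipeline you would also expire an open burst once the window has passed without an approval, which this batch version does not bother with.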

Spear-Phishing and Vishing Campaigns

Scattered Spider creates fake websites that look identical to company login pages. These sites capture usernames and passwords when employees try to log in. They register domain names that closely match real company domains.

Voice phishing (vishing) involves phone calls where attackers pose as trusted contacts. They learn company procedures by studying help desk scripts and internal documentation from previous breaches.

The group conducts research before each attack. They study target companies' vendor relationships and IT support structures. This knowledge makes their impersonation attempts more convincing.

Advanced vishing techniques include:

  • Joining incident response calls to gather information
  • Learning internal terminology and processes
  • Targeting specific employees based on their roles
  • Using information from previous successful attacks

They often call multiple employees at the same company within hours. If one person refuses to provide information, they try others until someone complies. This persistent approach often leads to successful credential theft.

How Scattered Spider Gains and Maintains Access

Scattered Spider uses three main methods to establish and keep control over victim networks. It buys stolen login details on criminal marketplaces, registers its own MFA devices on compromised accounts, and reaches targets through their business partners and technology vendors.

Credential Acquisition from Illicit Markets

Scattered Spider buys employee login information from dark web marketplaces. These credentials often come from previous data breaches at other companies.

The group targets high-value accounts like system administrators and IT staff. They know these accounts give them more access to important systems.

Common credential sources include:

  • Previous corporate breaches sold on forums
  • Stealer malware that captures passwords
  • Phishing campaigns targeting specific companies

Once they buy credentials, the group tests them across multiple company systems. They look for accounts that work on email, cloud services, and internal networks.

Many companies don't know their employee passwords are for sale online. This makes credential marketplace purchases a low-risk way for Scattered Spider to gain initial access.
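One way to find out whether employee passwords are already circulating is a k-anonymity lookup against a breach corpus: the client hashes the password with SHA-1, sends only the first five hex characters, receives every suffix sharing that prefix, and matches the rest locally, so the full hash never leaves the network. The script below is an added example, not code from the page's author or from any breach-lookup service. The corpus side is a constructed stand-in (`fake_fetch_range`, `FAKE_CORPUS`, invented counts) that imitates the "SUFFIX:COUNT" response format of the Pwned Passwords range endpoint; the `exposure_count` and `audit` functions and the `SAMPLE_CANDIDATES` list are assumptions for illustration.

```python
import hashlib
import secrets

# Constructed stand-in for the breach-corpus side. A real deployment would call
# a Pwned Passwords-style range endpoint (GET /range/<first 5 hex chars of SHA-1>)
# which answers with "SUFFIX:COUNT" lines. This fake produces the same format from
# a small made-up corpus so the example runs offline; the counts are invented.
FAKE_CORPUS = {"Winter2025!": 3, "Password1": 9876, "letmein": 243000}
REQUEST_LOG = []   # what the client would actually have sent over the network


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_fetch_range(prefix: str) -> str:
    REQUEST_LOG.append(prefix)
    lines = [f"{sha1_hex(p)[5:]}:{n}" for p, n in FAKE_CORPUS.items()
             if sha1_hex(p).startswith(prefix)]
    lines.append(secrets.token_hex(18).upper()[:35] + ":1")   # unrelated filler suffix
    return "\r\n".join(lines)


# ---- client side: the part you would deploy -----------------------------------
def exposure_count(password: str, fetch_range=fake_fetch_range) -> int:
    """k-anonymity lookup: only the first 5 hex characters of the SHA-1 leave the
    host; the remaining 35 are matched locally against the returned suffixes."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    counts = {}
    for line in fetch_range(prefix).splitlines():
        s, _, n = line.strip().partition(":")
        if s:
            counts[s.upper()] = int(n)
    return counts.get(suffix, 0)


def audit(candidates, fetch_range=fake_fetch_range, threshold=1):
    """candidates: iterable of (label, password). Returns (label, count) for every
    password seen at least `threshold` times in the corpus."""
    hits = []
    for label, pw in candidates:
        n = exposure_count(pw, fetch_range)
        if n >= threshold:
            hits.append((label, n))
    return hits


# Constructed audit input; the third value is a random string standing in for a
# password that appears in no breach corpus.
SAMPLE_CANDIDATES = [
    ("svc-backup", "Winter2025!"),
    ("a.lee", "Password1"),
    ("c.ng", secrets.token_urlsafe(16)),
]

if __name__ == "__main__":
    for label, n in audit(SAMPLE_CANDIDATES):
        print(f"{label}: password appears {n} times in the breach corpus")
    print("prefixes sent:", REQUEST_LOG)
```

In practice an enterprise rarely holds plaintext passwords; the same prefix-and-suffix scheme is applied to NT hashes extracted from Active Directory, which the Pwned Passwords service also supports in its NTLM mode, and any hit on a privileged or service account should trigger an immediate reset.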

Malicious MFA Token Registration

The group registers its own multi-factor authentication devices on compromised accounts. A password reset alone then achieves nothing: the attacker's device still satisfies MFA until someone reviews and removes the factors registered to the account.

They call help desk staff and pretend to be legitimate employees. The attackers claim they lost their phone or security token and need a new one registered.

Their registration process involves:

  • Social engineering help desk workers
  • Providing stolen personal employee information
  • Requesting MFA token transfers to attacker devices
  • Removing victim's original authentication methods

This tactic is highly effective because help desk staff want to help employees quickly. The attackers sound professional and have enough personal details to seem legitimate.

Once registered, these malicious tokens are hard to detect. Companies often don't audit who has MFA devices registered to each account.
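The audit the paragraph above says is rarely done can be automated from the IdP's own event stream: every new factor enrollment is checked for the tell-tale sequence of a help-desk reset, a registration from an address the user has never signed in from, and removal of the original factor shortly afterwards. The script below is an added example and not code from the page's author. The event type names and fields, the `SAMPLE_EVENTS`, the 24-hour and one-hour windows, and the `audit_mfa_registrations` function are assumptions for illustration; map them from your IdP's log (Okta system log, Entra audit log, or equivalent) before use.

```python
from datetime import datetime, timedelta

RESET_WINDOW = timedelta(hours=24)   # enrollment this soon after a help-desk reset is suspect
REMOVE_WINDOW = timedelta(hours=1)   # old factor removed this soon after a new one is enrolled

# Constructed audit events (not real IdP data). Event type names and fields are
# assumptions; map them from your IdP's system log before use.
SAMPLE_EVENTS = [
    {"t": "2025-07-20T09:02:00Z", "type": "signin.success", "user": "b.kim", "ip": "203.0.113.55"},
    {"t": "2025-07-28T09:10:00Z", "type": "signin.success", "user": "b.kim", "ip": "203.0.113.55"},
    # help desk resets b.kim's MFA after an after-hours "lost my phone" call
    {"t": "2025-08-05T19:30:00Z", "type": "mfa.reset", "user": "b.kim", "actor": "helpdesk.ops", "ip": "10.20.5.9"},
    {"t": "2025-08-05T19:41:00Z", "type": "mfa.enroll", "user": "b.kim", "method": "push", "ip": "198.51.100.42"},
    {"t": "2025-08-05T19:50:00Z", "type": "mfa.remove", "user": "b.kim", "method": "sms", "ip": "198.51.100.42"},
    # c.ng adds a security key from a workstation they already sign in from
    {"t": "2025-08-05T10:00:00Z", "type": "signin.success", "user": "c.ng", "ip": "203.0.113.80"},
    {"t": "2025-08-05T10:05:00Z", "type": "mfa.enroll", "user": "c.ng", "method": "fido2", "ip": "203.0.113.80"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def audit_mfa_registrations(events):
    """Replay events in time order and return findings for enrollments that
    follow a help-desk reset, come from an IP the user has never signed in
    from, or are followed by removal of the user's existing factor."""
    known_ips = {}    # user -> IPs with a prior successful sign-in
    last_reset = {}   # user -> time of most recent help-desk MFA reset
    last_enroll = {}  # user -> time of most recent factor enrollment
    findings = []
    for e in sorted(events, key=lambda e: e["t"]):
        user, when = e["user"], parse_ts(e["t"])
        if e["type"] == "signin.success":
            known_ips.setdefault(user, set()).add(e["ip"])
        elif e["type"] == "mfa.reset":
            last_reset[user] = when
        elif e["type"] == "mfa.enroll":
            reasons = []
            if user in last_reset and when - last_reset[user] <= RESET_WINDOW:
                reasons.append(f"enrolled {when - last_reset[user]} after help-desk reset")
            if e["ip"] not in known_ips.get(user, set()):
                reasons.append(f"enrolled from {e['ip']}, no prior successful sign-in")
            last_enroll[user] = when
            if reasons:
                findings.append({"user": user, "at": e["t"], "method": e["method"],
                                 "severity": "high" if len(reasons) > 1 else "medium",
                                 "reasons": reasons})
        elif e["type"] == "mfa.remove":
            if user in last_enroll and when - last_enroll[user] <= REMOVE_WINDOW:
                findings.append({"user": user, "at": e["t"], "method": e["method"],
                                 "severity": "high",
                                 "reasons": [f"existing {e['method']} factor removed "
                                             f"{when - last_enroll[user]} after new enrollment"]})
    return findings


if __name__ == "__main__":
    for f in audit_mfa_registrations(SAMPLE_EVENTS):
        print(f'{f["at"]} {f["severity"].upper():6} {f["user"]} ({f["method"]}): ' + "; ".join(f["reasons"]))
```

Run daily over the previous day's events, the output is a short list of accounts whose registered factors a human should confirm with the employee over a known-good phone number; the c.ng enrollment produces nothing because it comes from an address with an established sign-in history and follows no reset.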

Third-Party and Vendor Ecosystem Exploitation

Scattered Spider targets business partners and technology vendors to reach their real targets. They know these third-party connections often have weak security controls.

The group focuses on managed service providers and IT contractors. These companies usually have remote access to multiple client networks.

Key exploitation methods include:

  • Compromising vendor remote access tools
  • Attacking shared service platforms
  • Exploiting trust relationships between companies
  • Using vendor credentials to access client systems

Financial institutions face extra risk because they work with many vendors. These include payment processors, compliance firms, and cloud service providers.

The attackers research vendor relationships before launching attacks. They study company websites and job postings to understand which third parties have network access.

Living-off-the-Land Techniques and Malware Deployment

Scattered Spider leverages legitimate system tools and software to avoid detection while deploying both authorized remote access programs and malicious ransomware. The group's strategy centers on blending malicious activities with normal business operations through trusted applications.

Abuse of Remote Monitoring Tools

Scattered Spider deploys legitimate remote monitoring and management (RMM) tools to maintain persistent access to compromised networks. These tools appear normal to IT teams and security software.

Common RMM Tools Used:

  • FleetDeck - remote monitoring and management agent
  • TeamViewer - remote desktop access application
  • AnyDesk - remote desktop software
  • ConnectWise Control (ScreenConnect) - remote support and access platform

The attackers install these tools after gaining initial access through social engineering. They register the software using stolen credentials or create new accounts that blend with existing IT operations.

Security teams often whitelist these applications for legitimate business use. This makes it extremely difficult to detect when attackers use the same tools for malicious purposes.

The group uses these tools to move laterally through networks. They can access multiple systems without triggering security alerts that typically flag unknown or suspicious software.
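Because the binaries are legitimate, the useful signal is context rather than the file itself: which RMM product it is, whether IT actually uses that product, where it was launched from, and whether the command line is an unattended install. The scanner below is an added example, not code from the page's author or from any EDR vendor. The process records are constructed in the shape of Sysmon Event ID 1, the executable-name patterns are assumptions based on the vendors' usual naming, and the choice of ConnectWise Control as the one sanctioned tool (`SANCTIONED`) is an assumption for illustration.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "time host user image cmdline")

# Constructed process-creation records in the shape of Sysmon Event ID 1 /
# EDR telemetry (not real data). Hostnames, users and paths are invented.
SAMPLE_PROCS = [
    Proc("2025-08-06T03:12:40Z", "WS-0412", r"CORP\a.lee",
         r"C:\Users\a.lee\Downloads\AnyDesk.exe",
         r'"C:\Users\a.lee\Downloads\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --silent --start-with-win'),
    Proc("2025-08-06T03:15:02Z", "WS-0412", r"CORP\a.lee",
         r"C:\Users\a.lee\AppData\Local\Temp\fleetdeck_agent_svc.exe",
         r'"C:\Users\a.lee\AppData\Local\Temp\fleetdeck_agent_svc.exe" --unattended'),
    Proc("2025-08-06T09:00:11Z", "SRV-FILE01", r"NT AUTHORITY\SYSTEM",
         r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
         r'"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe"'),
    Proc("2025-08-06T09:30:00Z", "WS-0099", r"CORP\j.doe",
         r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
         r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n'),
]

# Executable-name patterns for the RMM tools named in the advisory plus the
# ConnectWise Control (ScreenConnect) client. The binary names are assumptions
# based on the vendors' usual naming; tune them to what your EDR records.
RMM_PATTERNS = {
    "AnyDesk": re.compile(r"anydesk", re.I),
    "TeamViewer": re.compile(r"teamviewer|tv_w(32|64)", re.I),
    "FleetDeck": re.compile(r"fleetdeck", re.I),
    "ConnectWise Control": re.compile(r"screenconnect|connectwise", re.I),
}
SANCTIONED = {"ConnectWise Control"}        # assumed: the one RMM your IT team uses
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp|desktop)\\", re.I)
SILENT_INSTALL = re.compile(r"(^|\s)(--silent|--unattended|/s|/silent|/quiet|/verysilent)(\s|$)", re.I)


def classify(proc):
    """Return an alert dict for an RMM launch that deserves attention, else None."""
    exe = proc.image.rsplit("\\", 1)[-1]
    tool = next((t for t, rx in RMM_PATTERNS.items() if rx.search(exe)), None)
    if tool is None:
        return None
    reasons = []
    if tool not in SANCTIONED:
        reasons.append(f"{tool} is not a sanctioned RMM tool")
    if USER_WRITABLE.search(proc.image):
        reasons.append("launched from a user-writable directory")
    if SILENT_INSTALL.search(proc.cmdline):
        reasons.append("silent/unattended install switch on the command line")
    if not reasons:
        return None                        # sanctioned tool, expected location, no installer flags
    severity = "high" if tool not in SANCTIONED or len(reasons) > 1 else "medium"
    return {"time": proc.time, "host": proc.host, "user": proc.user,
            "tool": tool, "severity": severity, "reasons": reasons}


def scan(procs):
    return [a for a in map(classify, procs) if a]


if __name__ == "__main__":
    for a in scan(SAMPLE_PROCS):
        print(f'{a["time"]} {a["severity"].upper():6} {a["host"]} {a["user"]} {a["tool"]}: ' + "; ".join(a["reasons"]))
```

The sanctioned ScreenConnect service running as SYSTEM from Program Files produces no alert, while the same logic would flag it if a user launched a fresh copy from Downloads; pairing this with an application-control policy that blocks unsanctioned RMM installers outright turns the detection into prevention.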

Use of Legitimate and Malicious Software

The group combines trusted system utilities with custom malware to execute their attacks. This dual approach helps them evade detection while maintaining operational flexibility.

Legitimate Tools Exploited:

  • Windows PowerShell for system administration tasks
  • Command-line utilities for file manipulation
  • Built-in Remote Desktop Protocol (RDP) access
  • System backup and recovery tools

Scattered Spider also deploys the Ratty remote access trojan (RAT). This malware provides backdoor access and data collection capabilities that complement their legitimate tool usage.

The attackers manipulate system configurations to disable security protections. They use administrative privileges obtained through social engineering to modify firewall rules and antivirus settings.

Their living-off-the-land approach makes forensic analysis more challenging. IT teams struggle to distinguish between legitimate administrative activities and malicious actions using the same tools.

Recent Shift to DragonForce Ransomware

Scattered Spider has expanded their operations to include DragonForce ransomware deployment. This represents a significant evolution in their attack methods and revenue generation strategy.

The group now follows a double extortion model. They steal sensitive data before encrypting systems, then threaten to release the information if victims refuse to pay ransoms.

DragonForce ransomware targets critical business systems and databases. The malware focuses on high-value assets that cause maximum operational disruption for financial institutions.

The ransomware deployment occurs after extensive network reconnaissance. Attackers map critical systems and identify backup locations before launching the encryption phase.

This shift increases the financial impact of Scattered Spider attacks. Organizations face both system recovery costs and potential regulatory penalties from data breaches.

Incident Response Evasion Strategies

Scattered Spider employs advanced tactics to disrupt organizational response efforts. They actively monitor internal communications and response calls to stay ahead of security teams.

Joining Internal Response Calls

The threat actors frequently infiltrate incident response conference calls and teleconferences. They listen to security teams discuss hunting methods and containment strategies.

This access allows them to understand how organizations are tracking their activities. They learn about security tools, detection methods, and response procedures in real time.

Key infiltration methods include:

  • Using compromised administrator accounts to join authorized calls
  • Accessing calendar invitations through compromised email systems
  • Monitoring Slack, Microsoft Teams, or other internal communication platforms

Once inside these calls, attackers proactively develop new attack paths. They modify their tactics based on what security teams reveal about their defenses.

The FBI specifically notes this behavior in recent investigations. Response teams unknowingly provide attackers with roadmaps to avoid detection.

Searching Internal Communications

Scattered Spider systematically searches through internal systems after gaining access. They target SharePoint sites, email systems, and chat platforms for sensitive information.

Attackers look for specific types of documentation:

  • Credential storage files and password lists
  • Network diagrams and infrastructure details
  • VPN setup instructions and access procedures
  • Backup system locations and recovery plans

Primary search targets include:

  • Microsoft SharePoint repositories
  • Internal wiki systems
  • Shared network drives
  • Email archives and attachments

This intelligence gathering helps them understand security procedures. They use this knowledge to avoid triggering alerts and bypass existing controls.

Disrupting Detection and Response

The group uses information from internal communications to disrupt response efforts. They modify attack methods based on security team discussions and documented procedures.

Attackers may disable logging systems or security tools they learn about. They also create false leads to misdirect investigation efforts.

Common disruption tactics:

  • Deleting or modifying security logs after learning monitoring procedures
  • Creating decoy activities to waste response resources
  • Establishing alternative access methods when primary routes are discovered

The FBI recommends using out-of-band communications for response coordination. Security teams should avoid discussing sensitive response details on systems that may be compromised.

This approach prevents attackers from accessing real-time response information. It also limits their ability to adapt their tactics during active incidents.

Actionable Cybersecurity Recommendations for NYC Financial Firms

Financial institutions must take immediate steps to defend against Scattered Spider's sophisticated tactics. These measures focus on blocking social engineering attacks, securing backup communications, protecting critical data, and limiting lateral movement within networks.

Implement Phishing-Resistant MFA

Traditional MFA methods like SMS codes and push notifications are exactly what Scattered Spider's SIM swaps, push bombing, and help-desk calls defeat. Financial firms need phishing-resistant MFA, meaning credentials that cannot be relayed through a lookalike login page or approved by a worn-down employee.

Deploy FIDO2/WebAuthn security keys or PIV smart cards for all privileged accounts. The credential is bound to the legitimate site's origin, so a spoofed SSO page cannot obtain a usable assertion, and there is no code to read out over the phone, no SIM to swap, and no push prompt to wear the user down.

Where phishing-resistant MFA cannot be rolled out immediately, replace SMS-based authentication with authenticator apps that use time-based codes as an interim step. Recognize, however, that a TOTP code is still a secret the user types, and an adversary-in-the-middle phishing site can relay it to the real login within its validity window.

Conditional access policies should require phishing-resistant MFA for:

  • Administrative accounts
  • Access to customer data
  • Third-party vendor connections
  • Cloud services and email systems

Train staff to recognize MFA fatigue attacks where criminals send repeated push notifications. Employees should report unusual MFA requests immediately rather than approving them to stop the notifications.
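The difference between a relayable code and a phishing-resistant credential comes down to what the server can check. The simulation below is an added example, not code from the page's author, from the FIDO Alliance, or from any authenticator vendor. It implements RFC 6238 TOTP with the standard library and a deliberately simplified WebAuthn-style assertion in which an HMAC key shared with the verifier stands in for the authenticator's ECDSA key pair, so the example runs offline; the RP ID scoping, the origin field in clientData, and the challenge binding are the real protocol's. The domain names, `AUTHENTICATOR`, `browser_get_assertion`, `rp_verify`, and `demo` are assumptions for illustration.

```python
import hashlib
import hmac
import json
import secrets
import struct
import time

RP_ID = "sso.example-bank.test"                        # assumed relying-party ID
RP_ORIGIN = "https://sso.example-bank.test"
PHISH_ORIGIN = "https://sso-example-bank-login.test"   # assumed lookalike domain


# ---- TOTP (RFC 6238) with the standard library --------------------------------
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp_login(server_secret: bytes, submitted_code: str, at: int) -> bool:
    # The server cannot tell whether the code was typed on the real page or on a
    # lookalike that relayed it within the 30-second window.
    return hmac.compare_digest(totp(server_secret, at), submitted_code)


# ---- WebAuthn-style assertion, simplified -------------------------------------
# The authenticator stores credentials keyed by RP ID. A real authenticator signs
# with an ECDSA/EdDSA private key that never leaves the device; here an HMAC key
# shared with the verifier stands in for the key pair so the example runs offline.
# The binding logic (RP ID scoping, origin in clientData, challenge) is the same.
AUTHENTICATOR = {RP_ID: secrets.token_bytes(32)}
RP_CREDENTIAL_KEY = AUTHENTICATOR[RP_ID]   # the RP's copy of the credential's verification key


def browser_get_assertion(challenge: bytes, page_origin: str):
    """What the browser and authenticator return to the page that called
    navigator.credentials.get(). The browser derives rp_id and origin from the
    page it is actually on; the page's JavaScript cannot override them."""
    rp_id = page_origin.split("://", 1)[1]
    key = AUTHENTICATOR.get(rp_id)
    if key is None:
        return None                        # no credential scoped to this site: nothing to sign
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"   # rpIdHash + UP flag
    sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify(expected_challenge: bytes, assertion) -> bool:
    """Relying-party checks: type, challenge freshness, origin, RP ID hash, signature."""
    if assertion is None:
        return False
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge.hex():
        return False
    if cd.get("origin") != RP_ORIGIN:
        return False
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(RP_CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def demo() -> dict:
    """The same phishing proxy against TOTP and against a FIDO2-style credential."""
    results = {}
    totp_secret, now = secrets.token_bytes(20), int(time.time())
    code_typed_on_phish = totp(totp_secret, now)        # victim enters the code on the lookalike
    results["totp_relayed_by_phish"] = totp_login(totp_secret, code_typed_on_phish, now)

    challenge = secrets.token_bytes(32)                 # RP issues it; the proxy forwards it
    legit = browser_get_assertion(challenge, RP_ORIGIN)
    results["webauthn_legit"] = rp_verify(challenge, legit)
    results["webauthn_relayed_by_phish"] = rp_verify(challenge, browser_get_assertion(challenge, PHISH_ORIGIN))
    results["webauthn_replay_old_assertion"] = rp_verify(secrets.token_bytes(32), legit)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:32} {'ACCEPTED' if v else 'rejected'}")
```

The relayed TOTP code is accepted because nothing in it says where it was typed; on the lookalike domain the authenticator finds no credential for that RP ID and returns nothing, and even an assertion that was somehow obtained would fail the origin check, while a captured legitimate assertion fails on the next challenge. That is the property a conditional access policy is buying when it requires phishing-resistant authentication strength for the account classes listed above.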

Establish Out-of-Band Communications

Scattered Spider operators often join incident response calls and monitor internal communications during breaches. Financial institutions must prepare secure communication channels that operate outside their primary network infrastructure.

Set up dedicated phone lines or satellite phones for crisis communications. These should be completely separate from corporate telecommunications systems that criminals might compromise.

Create secure messaging platforms on isolated networks or use encrypted personal devices for emergency coordination. Executive teams need pre-configured devices that do not connect to corporate networks.

Communication protocols must include:

  • Code words to verify identity
  • Pre-arranged meeting locations
  • Alternative contact methods for key personnel

Test these systems monthly to ensure they work when needed. Staff should practice using out-of-band communications during tabletop exercises and simulated incidents.

Maintain Offline Backups

Scattered Spider deploys ransomware only after mapping the environment, and the group looks for backup infrastructure reachable from the compromised network. Financial firms need backups that cannot be reached, altered, or deleted with the credentials an attacker holds.

Store critical backups on air-gapped systems with no network connectivity. These should include customer databases, transaction records, and system configurations needed for recovery.

Follow the 3-2-1 backup rule with modifications for high-risk environments. Keep three copies of data on two different media types, with one copy completely offline and physically secured.

Test backup restoration processes quarterly using isolated test environments. Teams should practice full system recovery without access to production networks or cloud services.

Encrypt all backup media using keys stored separately from the backup systems. This prevents criminals from accessing data even if they locate physical storage devices.

Enforce Network Segmentation

Network segmentation limits how far attackers can move once they gain initial access. Financial institutions should isolate critical systems and restrict lateral movement between network zones.

Implement zero-trust architecture that treats every connection as potentially hostile. Users and devices must authenticate for each system access, not just initial network entry.

Separate customer-facing systems from internal operations networks. Payment processing, loan systems, and customer databases should exist in isolated network segments with strict access controls.

Monitor network traffic between segments using advanced detection tools. Unusual data flows or connection patterns often indicate ongoing attacks.

Critical segmentation points include:

  • Employee workstations from server networks
  • Third-party vendor access from internal systems
  • Cloud services from on-premises infrastructure
  • Development environments from production systems

Regular penetration testing should verify that segmentation controls actually prevent lateral movement during simulated attacks.
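Segmentation promises are easy to state and easy to violate with one permissive rule, so it pays to encode the promises as tests and run them against the policy before a penetration tester runs them against the live network. The checker below is an added example, not code from the page's author or from any firewall vendor. The zone addressing, the ordered first-match `RULES` (including one deliberately weak rule), the `REQUIREMENTS` list, and the `decide` and `check_segmentation` functions are all assumptions for illustration; in practice the rules would be exported from the firewall and the requirements would be tested with real connection attempts as well.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing for an example bank network (constructed).
ZONES = {
    "workstations": "10.10.0.0/16",
    "servers":      "10.20.0.0/16",
    "jump":         "10.20.250.0/24",   # carved out of servers; most specific match wins
    "prod-db":      "10.20.40.0/24",
    "dev":          "10.30.0.0/16",
    "vendor":       "172.16.0.0/24",    # VPN pool for third-party support staff
}


@dataclass
class Rule:
    src: str
    dst: str
    port: Optional[int]   # None = any port
    action: str


# Ordered, first-match ruleset, default deny (constructed). The third rule is a
# deliberate weakness of the kind these checks exist to catch: any workstation
# can RDP to any server directly, so the jump host can be bypassed.
RULES = [
    Rule("workstations", "jump", 3389, "allow"),
    Rule("jump", "servers", 3389, "allow"),
    Rule("workstations", "servers", 3389, "allow"),
    Rule("workstations", "servers", 443, "allow"),
    Rule("vendor", "jump", 443, "allow"),
    Rule("jump", "prod-db", 1433, "allow"),
]

# What the segmentation design promises. A pentest or automated check should
# confirm each line against the live network, not just the policy model.
REQUIREMENTS = [
    ("workstation -> server RDP must go via jump host", "10.10.5.20", "10.20.1.10", 3389, "deny"),
    ("workstation -> prod-db SQL blocked",               "10.10.5.20", "10.20.40.5", 1433, "deny"),
    ("vendor -> internal server blocked",                "172.16.0.10", "10.20.1.10", 443, "deny"),
    ("vendor -> jump host allowed",                      "172.16.0.10", "10.20.250.5", 443, "allow"),
    ("dev -> prod-db blocked",                           "10.30.1.1", "10.20.40.5", 5432, "deny"),
    ("jump -> server RDP allowed",                       "10.20.250.5", "10.20.1.10", 3389, "allow"),
]


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    best = None
    for name, cidr in ZONES.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else "unknown"


def decide(rules, src_ip: str, dst_ip: str, port: int) -> str:
    s, d = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if r.src == s and r.dst == d and (r.port is None or r.port == port):
            return r.action
    return "deny"


def check_segmentation(rules, requirements):
    """Return (description, expected, actual) for every requirement the ruleset violates."""
    return [(desc, want, got) for desc, src, dst, port, want in requirements
            if (got := decide(rules, src, dst, port)) != want]


if __name__ == "__main__":
    for desc, want, got in check_segmentation(RULES, REQUIREMENTS):
        print(f"VIOLATION: {desc} (expected {want}, policy gives {got})")
```

Running it reports the single violation: workstations can reach servers on RDP without touching the jump host, which is precisely the path an attacker holding a help-desk-reset account would take. Deleting that rule clears the check; the same requirement list then becomes the script for the penetration test that confirms the enforced policy matches the modelled one.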

Conclusion – Don’t Face Scattered Spider Alone

The FBI, CISA, and their global partners have made it clear: Scattered Spider is not a nuisance, it is a persistent and adaptive cybercriminal group that uses advanced social engineering, remote access tools, and living-off-the-land techniques to infiltrate even well-prepared organizations.

Implementing phishing-resistant MFA, restricting RDP, segmenting networks, and maintaining offline backups are essential steps. But as the FBI warns, these controls must be continuously monitored, tested, and adapted as attackers evolve. That’s not something most in-house teams can do effectively on their own while also running a financial business.

This is where a qualified Managed Security Provider (MSP) becomes invaluable. A trusted MSP will:

  • Continuously monitor for threats like Scattered Spider.
  • Validate and test your defenses against real-world TTPs.
  • Provide out-of-band communication and incident-response planning.
  • Ensure compliance with evolving regulations while reducing risk.

At CRA, we specialize in protecting financial institutions with proactive, managed cybersecurity services designed to meet today’s threats head-on. Don’t wait for a breach to expose weaknesses in your defenses. Reach out today to learn how we can help you strengthen your cybersecurity posture and stay ahead of evolving threats like Scattered Spider.