Overview
- CrowdStrike detailed two financially motivated crews, Cordial Spider and Snarky Spider, that are actively breaking into U.S. organizations to steal data for extortion, with researchers linking them to the e-crime network known as The Com and noting ties to Scattered Spider.
- Both groups start with voice phishing that impersonates IT and pushes targets to fake single sign-on pages set up as adversary-in-the-middle sites, which capture passwords and session tokens for the identity provider that brokers access to many apps.
- Once in, the attackers register a new multi-factor authentication device of their own and often remove the victim's legitimate one, then set inbox rules that delete security emails so warnings never reach the user or help desk.
- The operations move fast and leave few host traces because they stay inside SaaS portals, with Snarky Spider beginning data exfiltration in under an hour and both crews hiding behind residential proxy services such as Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, and NSOCKS.
- Stolen files are used to pressure payment, with Unit 42 previously citing seven-figure demands for Cordial Spider and CrowdStrike reporting that nonpayment has brought DDoS attacks and even swatting against victim employees.
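The MFA-device swap and inbox-rule suppression described above are both visible in identity-provider and mailbox audit logs, and the combination within a short window is a strong signal. The following is an added detection sketch, not code from CrowdStrike or the article: the event names (`mfa.factor.enroll`, `mfa.factor.remove`, `mailbox.rule.create`) and the sample events are constructed to stand in for a normalised audit feed and are assumptions, not any vendor's schema.

```python
"""Detection sketch: flag an MFA factor enrol followed by a factor removal, and
escalate when the same account then creates an inbox rule that deletes or
hides security notifications. Constructed sample data, not real telemetry."""
from datetime import datetime, timedelta

# Constructed sample audit events. Field names and event types are assumed;
# in practice these would be normalised from the IdP and mail platform logs.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T13:02:10Z", "user": "jdoe", "event": "login.success", "ip": "203.0.113.7"},
    {"ts": "2024-05-01T13:04:30Z", "user": "jdoe", "event": "mfa.factor.enroll", "ip": "203.0.113.7"},
    {"ts": "2024-05-01T13:05:12Z", "user": "jdoe", "event": "mfa.factor.remove", "ip": "203.0.113.7"},
    {"ts": "2024-05-01T13:09:45Z", "user": "jdoe", "event": "mailbox.rule.create", "ip": "203.0.113.7",
     "rule": {"subject_contains": ["security alert", "sign-in"], "action": "delete"}},
    # Benign activity: a lone enrolment (new phone) and a newsletter filing rule.
    {"ts": "2024-05-01T09:00:00Z", "user": "asmith", "event": "mfa.factor.enroll", "ip": "198.51.100.2"},
    {"ts": "2024-05-02T09:00:00Z", "user": "asmith", "event": "mailbox.rule.create", "ip": "198.51.100.2",
     "rule": {"subject_contains": ["newsletter"], "action": "move"}},
]

# Subject fragments typical of the warnings an attacker would want suppressed.
SUPPRESSION_KEYWORDS = ("security alert", "sign-in", "new device", "mfa", "password")


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample feed."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_mfa_swaps(events, window=timedelta(hours=1)):
    """Return (user, enroll_ts, remove_ts) tuples where a factor enrolment is
    followed by a factor removal on the same account within `window`."""
    by_user = {}
    for e in events:
        if e["event"] in ("mfa.factor.enroll", "mfa.factor.remove"):
            by_user.setdefault(e["user"], []).append(e)
    swaps = []
    for user, evs in by_user.items():
        enrolls = [parse_ts(e["ts"]) for e in evs if e["event"] == "mfa.factor.enroll"]
        removes = [parse_ts(e["ts"]) for e in evs if e["event"] == "mfa.factor.remove"]
        for en in enrolls:
            for rm in removes:
                if timedelta(0) <= rm - en <= window:
                    swaps.append((user, en, rm))
    return swaps


def find_suppression_rules(events, keywords=SUPPRESSION_KEYWORDS):
    """Return (user, ts, rule) for inbox rules that delete or move mail whose
    subject matches a security-notification keyword."""
    hits = []
    for e in events:
        if e["event"] != "mailbox.rule.create":
            continue
        rule = e.get("rule", {})
        subjects = [s.lower() for s in rule.get("subject_contains", [])]
        if rule.get("action") in ("delete", "move") and any(
            k in s for s in subjects for k in keywords
        ):
            hits.append((e["user"], parse_ts(e["ts"]), rule))
    return hits


def correlate(events, window=timedelta(hours=1)):
    """Per-user findings: an MFA swap alone is medium, a suppression rule alone
    is low, and a swap followed by a suppression rule within `window` is high."""
    findings = {}
    for user, en, rm in find_mfa_swaps(events, window):
        findings[user] = {"severity": "medium", "mfa_swap": (en, rm), "rules": []}
    for user, ts, rule in find_suppression_rules(events):
        f = findings.get(user)
        if f and f["mfa_swap"] and timedelta(0) <= ts - f["mfa_swap"][1] <= window:
            f["rules"].append(rule)
            f["severity"] = "high"
        elif f is None:
            findings[user] = {"severity": "low", "mfa_swap": None, "rules": [rule]}
    return findings


if __name__ == "__main__":
    for user, finding in correlate(SAMPLE_EVENTS).items():
        print(user, finding["severity"], finding)
```

Run against the constructed feed, only `jdoe` is flagged, at high severity, because the enrol-then-remove pair and the delete rule for "security alert" mail all land within a few minutes; `asmith`'s lone enrolment and newsletter rule produce no finding. The window and keyword list are the tuning knobs a SOC would adjust to its own help-desk patterns.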