News | Sep 11, 2023 | 2 min read

MGM Resorts Ransomware Attack: Social Engineering at Casino Scale

A social engineering attack on MGM Resorts brought casino operations to a standstill, demonstrating how a single phone call can dismantle sophisticated security infrastructure.

By 3SN Editorial
#MGM Resorts #Ransomware #Social Engineering #ALPHV #Casino Security

TL;DR

  • MGM Resorts suffered a major ransomware attack that disrupted casino operations, hotel check-ins, and digital services across multiple properties.
  • Attackers used social engineering techniques, reportedly vishing calls to the IT help desk, to obtain initial access to the network.
  • The incident highlights the critical importance of identity verification procedures and help desk security controls.

The short version

A single phone call brought one of the world's largest casino operators to its knees. Attackers used social engineering to manipulate MGM Resorts' IT help desk into providing access credentials. Within days, slot machines went dark, hotel check-ins became manual processes, and guests faced cash-only transactions. The estimated cost exceeded $100 million. This attack demonstrates that the most sophisticated technical defenses can be undone by human factors. Social engineering remains the path of least resistance for determined adversaries.

Why this matters beyond a single product

This is not a story about casino technology. It is a story about how organizations authenticate identity. Every company with a help desk faces the same fundamental challenge: how do you help legitimate users while keeping attackers out? The MGM breach reveals that even organizations with substantial security investments can have gaps in their identity verification procedures. The lesson extends to any system where humans make access decisions. Password resets, MFA bypass requests, and account recovery flows are all potential attack vectors. Organizations must design these processes with the assumption that attackers will test them.

Practical next steps for teams

Start with your help desk procedures. Do they have clear identity verification steps that cannot be bypassed through persistence or charm? Implement out-of-band verification for sensitive requests. Require manager approval for high-risk changes like MFA resets or privileged account modifications. Then look at your privileged access management. Administrative accounts should require additional authentication, have limited session duration, and be monitored continuously. Finally, train your people. Social engineering works because it exploits normal human helpfulness. Regular training and simulated attacks help staff recognize and resist these techniques.
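
The verification steps above can be expressed as a decision gate in the ticketing workflow. This is an added sketch, not part of the original article and not MGM's actual process; the user names, phone numbers, action names and retry threshold are constructed assumptions.

```python
from dataclasses import dataclass

# All names and values below are constructed for this sketch.
HIGH_RISK = {"mfa_reset", "privileged_account_change"}
MAX_FAILED_CHECKS = 2                      # assumed threshold
DIRECTORY = {"alice": "+1-555-0100"}       # phone numbers already on file
MANAGERS = {"alice": "carol"}              # user -> line manager

@dataclass
class Ticket:
    user: str
    action: str
    agent: str                             # help desk staff handling the call
    callback_verified: bool = False
    approver: str = ""                     # who signed off, empty if nobody
    failed_checks: int = 0

def record_callback(ticket, dialed, answered_and_confirmed):
    """Out-of-band check: only a call placed to the number on file counts."""
    on_file = DIRECTORY.get(ticket.user)
    ok = bool(answered_and_confirmed and on_file and dialed == on_file)
    if ok:
        ticket.callback_verified = True
    else:
        ticket.failed_checks += 1          # a caller-supplied number is a failure
    return ok

def decide(ticket):
    """Return 'allow', 'deny' or 'escalate' for a sensitive help desk request.

    High-risk actions also need approval from the user's manager, who must
    be neither the requesting user nor the agent handling the ticket.
    """
    if ticket.failed_checks >= MAX_FAILED_CHECKS:
        return "escalate"                  # persistence leads to security review
    if not ticket.callback_verified:
        return "deny"
    if ticket.action in HIGH_RISK:
        manager = MANAGERS.get(ticket.user)
        self_dealing = manager in (ticket.user, ticket.agent)
        if not manager or ticket.approver != manager or self_dealing:
            return "deny"
    return "allow"

def demo():
    t = Ticket("alice", "mfa_reset", agent="bob")
    steps = [decide(t)]                                    # nothing verified yet
    record_callback(t, "+1-555-0199", True)                # number given by caller
    record_callback(t, "+1-555-0100", True)                # number on file
    steps.append(decide(t))                                # no manager approval
    t.approver = "carol"
    steps.append(decide(t))
    return steps
```

The failed-check counter is evaluated first, so a ticket that has hit the threshold stays escalated even if a later callback succeeds.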

3SN perspective

Technology cannot solve what is fundamentally a human problem. But it can make the human decisions easier and safer. We believe the answer lies in combining smart identity verification processes with tools that reduce the burden on both staff and users. When security procedures are clear, consistent, and well-supported by technology, they become habits rather than obstacles. That is how you build resilience against social engineering: not by eliminating human judgment, but by supporting it with the right controls and training.

What happened

MGM Resorts, one of the largest casino and hotel operators in the world, experienced a significant ransomware attack that began around September 10, 2023. The ALPHV ransomware group claimed responsibility. According to reports, attackers gained initial access through social engineering targeting the company's IT help desk. Once inside, they deployed ransomware that encrypted systems and disrupted critical operations including slot machines, hotel check-in systems, digital room keys, and restaurant reservations. The attack affected properties across Las Vegas and other locations, causing estimated losses of over $100 million.

Who’s affected

MGM Resorts properties worldwide experienced operational disruptions, with significant impact on Las Vegas casinos including MGM Grand, Bellagio, and Aria. Guests faced check-in delays, non-functional digital services, and cash-only transactions. Employees lost access to corporate systems. The breach also raised concerns for loyalty program members and anyone whose data may have been accessed during the incident.

What to do now

  1. Review and strengthen help desk identity verification procedures to prevent social engineering attacks.
  2. Implement privileged access management controls and require additional verification for high-risk account changes.
  3. Conduct security awareness training focused on social engineering techniques including vishing and pretexting.

Technical analysis

Mitigations & recommendations

  • [Critical] Strengthen help desk verification procedures: Implement out-of-band verification for sensitive requests, require manager approval for high-risk changes, and train staff to recognize social engineering indicators.
  • [Critical] Deploy privileged access management: Implement PAM solutions with just-in-time access, session recording, and additional authentication requirements for administrative accounts.
  • [High] Network segmentation for OT systems: Isolate operational technology networks from corporate IT and internet-facing systems to prevent lateral movement.
  • [Medium] Comprehensive social engineering testing: Conduct regular vishing, phishing, and pretexting exercises to identify weaknesses and improve staff awareness.