On June 14, 2024, a 22-year-old British citizen was arrested as an alleged member of the cybercriminal group Gold Harvest, or Scattered Spider as some call it. The arrest called public attention to the threat group, which is known for both its social engineering attacks and its unique makeup compared to the typical cybercriminal group profile. To get a better sense of the group and their techniques, I recently sat down with Rafe Pilling, Secureworks® Director of CTU™ Threat Research, to talk about Gold Harvest.
Can you give us a breakdown of who Gold Harvest is?
RAFE: The group as we track them emerged about mid-2022, initially targeting telecommunications technology and business process outsourcing companies. They specialize in circumventing authentication technologies and using social engineering to steal data and conduct fraud. They use a range of communication methods to do this, such as directly calling people, sending emails and SMS messages, all to manipulate either help desk staff or end users.
Unlike many other criminal groups we track, Gold Harvest is more of a loose-knit collective of individuals who share common interests. They are often English-speaking and based in locations like the UK, U.S. and Canada, and their motivations are just as much about bragging rights as they are about enriching themselves, so being able to demonstrate how successful they've been, either through high-profile media attention or by demonstrating they have significant cryptocurrency balances in wallets, is important.
What kind of tactics does Gold Harvest use?
RAFE: Gold Harvest relies on common communication channels. They will call help desks to manipulate people into resetting passwords for accounts they might have access to, or they try to get information out of the person at the help desk so they can call back a few days later and impersonate someone else to try and authenticate themselves. The social engineering is often about impersonating an individual with more and more access and more privileges within the network to get to the data or other systems that they are interested in.
They will also target end users to manipulate them into clicking on a phishing link and entering usernames and passwords, or even trying to trick people into giving out one-time password tokens that might have been sent to the end user through SMS or another multifactor authentication platform.
What made the arrest of this one person so newsworthy?
RAFE: When many people think of cybercrime, they think of people in jurisdictions that are typically outside the reach of Western law enforcement. Because Gold Harvest operates in the U.S., UK and Canada, they are in places where law enforcement takes cybercrime very seriously and can go through an investigative process to track down these individuals to complete an arrest and prosecution. There were also arrests of people in the Gold Harvest community in 2022 and 2023, so this most recent arrest shows a continuation of that activity by law enforcement.
How do you think this will impact Gold Harvest’s activity?
RAFE: A lot of recent law enforcement activity has focused on technical disruptions that can also yield intelligence, which can maybe be used in future prosecutions or to identify wider affiliates of these schemes. Threat actors can recover from these disruptions, but especially in cases involving ransomware, we've seen operations bounce back a little bit and then ultimately just go away because the brand has been damaged within the criminal community and people don't want to work with them anymore. It’s better when law enforcement can actually arrest the people behind the activity and put a stop to that activity altogether, and that's what we see here with this recent arrest. Hopefully this can prevent more people from joining this group because they know that the threat of arrest is very real.
What can organizations do to better protect themselves from the types of social engineering tactics Gold Harvest uses?
RAFE: Be sure that your help desk staff understand some of the key signs of somebody attempting a social engineering tactic, such as invoking authority or urgency, long pauses in response to questions that should be relatively easy to answer, difficulty in conducting certain tasks, or feigning an unfamiliarity or lack of technical competency when it comes to what they're being asked to do. If you have a multifactor authentication system built on SMS messages, it's a good idea to move away from that because it's possible to hijack phone numbers that redirect to other devices. If you're calling someone to try and prove their identity, make sure you are doing that by asking them something they should know or having them perform a task. Also, ensure that if a network is compromised, there are technical controls in place that will detect that. You need comprehensive network monitoring that looks for anomalous account access from anomalous locations or at anomalous times and is also looking to detect the installation of unauthorized software, such as remote access tools.
It's also important that your staff feel empowered to do something in these cases, to stop a call or have a transaction verified in some other way if it looks suspicious. Staff members at help desks can feel like they are at the bottom of the stack, and if they think they are talking to someone who is in a senior role, the individual may worry they will get in trouble if they don't help out, and most people naturally want to be helpful. Social engineering plays on that human instinct to help.