SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Scattered Spider targets UK retailers with advanced phishing

Yesterday

ReliaQuest has published an analysis examining the tactics used by the cybercriminal group Scattered Spider and its impact on major industries, including the recent wave of cyber attacks on UK retailers.

The analysis highlights that 81% of domains associated with Scattered Spider impersonate technology vendors, with the group primarily seeking high-value credentials from system administrators and executives. According to ReliaQuest, "The group primarily leverages phishing frameworks like Evilginx and social engineering methods like vishing to gain initial access into organizations."

Scattered Spider's recent campaigns reportedly targeted companies in the technology, finance, and retail sectors. ReliaQuest states that 70% of all identified targets fall within these industries, making them particularly susceptible to credential theft and ransomware attacks. The analysis also points out a growing trend: "Scattered Spider and 'DragonForce' are increasingly targeting managed service providers (MSPs) and IT contractors, exploiting their 'one-to-many' access to breach multiple client networks through a single point of compromise."

In May 2025, a series of cyber attacks affected several prominent UK retailers, including Marks & Spencer, Co-op, and Harrods, with many observers attributing the breaches to Scattered Spider, also known as UNC3944 or Octo Tempest. That same month, similar incidents impacted major US retailers. While no definitive link has been established, the apparent coordination of these incidents suggests a "broader, orchestrated campaign."

ReliaQuest's report describes the evolution of Scattered Spider from a "run-of-the-mill SIM-swapping crew" to a "global threat, armed with advanced social engineering skills and relentless ambition." The analysis explores how the group "constructs its infrastructure and exploits human trust to secure initial access," with evidence suggesting a coordinated attack on the retail industry vertical.

ReliaQuest's examination identified several recurring tactics, including the use of social engineering to manipulate individuals, phishing campaigns leveraging typosquatted domains, and frameworks such as Evilginx designed to bypass multifactor authentication (MFA). The group is reported to have shifted its tactics, moving from hyphenated domains to subdomain-based keywords, in an effort to avoid detection.

The report provides actionable recommendations, outlining steps organisations can take to "mitigate risks, strengthen defences, and respond effectively to this persistent threat." Among the suggested measures are continuous monitoring of domain registrations for signs of impersonation and more rigorous social engineering defences, particularly for help desk staff.

Scattered Spider, which is associated with the cybercriminal collective "The Community," has expanded its arsenal through partnerships with ransomware operators ALPHV, RansomHub, and DragonForce. The group's members, many of whom are fluent in English, exploit help-desk systems and employee impersonation tactics to breach organisations, focusing especially on sectors with substantial capital or valuable data.

ReliaQuest's analysis of over 600 domains linked to Scattered Spider between Q1 2022 and Q1 2025 found that 81% impersonated technology vendors. These domains often targeted services such as single sign-on (SSO), Identity Providers (IdP), VPNs, and IT support systems to "harvest credentials from high-value users, including system administrators, CFOs, COOs, and CISOs."

The study also revealed that 35% of domains found in ReliaQuest's internal Digital Risk Protection alerts belonged to the technology sector, 20% to finance, and 15% to retail trade. These findings "demonstrate Scattered Spider's reliance on tech organisations as gateways, while also highlighting its interest in high-value industries that depend on technology for critical operations and customer data."

During the investigation of the UK retail attacks, evidence emerged that Scattered Spider had exploited compromised accounts from Tata Consultancy Services (TCS), a global IT contractor, to gain initial access. Scattered Spider's tactic of targeting IT providers and third-party contractors, rather than attacking retail companies directly, is described as an effective strategy for breaching multiple organisations via a single compromise.

Scattered Spider's infrastructure is not static. "While these indicators showed the most overlap in our analysis, Scattered Spider frequently changes its infrastructure for domain hosting and domain registration—typically every one to two months. As such, expanding hunts beyond the ASNs listed above is strongly recommended."

The report recommends steps for organisations to detect and respond to Scattered Spider's tactics, including monitoring registration of new domains with relevant keywords, automating regular scans for suspicious activity, and closely watching for network connections to impostor domains.
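As an added example (not from ReliaQuest's report or tooling), the Python check below applies the registration-monitoring recommendation to a feed of newly registered domains, catching both the hyphenated lookalike style and the newer subdomain-keyword style described earlier; the brand name, lure keyword list and sample feed are constructed for illustration.

```python
import re
from typing import Optional

# Lure keywords drawn from the services the report says are impersonated
# (SSO, IdP, VPN, IT support). Constructed list; extend for your environment.
LURE_KEYWORDS = ("sso", "idp", "vpn", "helpdesk", "itsupport", "support")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str, brand: str, owned) -> Optional[str]:
    """Return a reason if `domain` looks like an impersonation of `brand`, else None.

    Heuristic (constructed): ignore domains we own; otherwise flag a registrable
    label that combines brand and lure keyword (hyphenated style), a lure keyword
    in a subdomain of a brand-like registrable label (subdomain style), or a
    registrable label within one edit of the brand (classic typosquat).
    """
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    if len(labels) < 2:
        return None
    if any(domain == d or domain.endswith("." + d) for d in owned):
        return None  # our own infrastructure, whatever its labels say
    reg = labels[-2]  # naive: assumes a single-label public suffix such as .com
    parts = set(re.split(r"[-_]", reg))
    brand_like = brand in reg or levenshtein(reg, brand) <= 1
    if brand in parts and parts & set(LURE_KEYWORDS):
        return "hyphenated brand+keyword label"
    if brand_like and any(lbl in LURE_KEYWORDS for lbl in labels[:-2]):
        return "lure keyword in subdomain of brand-like domain"
    if reg != brand and levenshtein(reg, brand) <= 1:
        return "typosquat of brand"
    return None

# Constructed sample feed; none of these are indicators from the report.
SAMPLE_FEED = [
    "examplecorp-sso.com",         # hyphenated style
    "sso.examplecorp-portal.com",  # subdomain keyword style
    "vpn.examp1ecorp.com",         # typosquat plus subdomain keyword
    "examplecorp.com",             # our own
    "sso.examplecorp.com",         # our own (legitimate subdomain)
    "news.unrelated-site.com",     # benign
]

def scan(feed, brand="examplecorp", owned=frozenset({"examplecorp.com"})):
    """Map each suspicious domain in the feed to the reason it was flagged."""
    return {d: r for d in feed if (r := classify(d, brand, owned))}

if __name__ == "__main__":
    for d, reason in scan(SAMPLE_FEED).items():
        print(f"ALERT {d}: {reason}")
```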

The analysis emphasises the importance of human factors in Scattered Spider's operations. The group uses publicly available information from platforms like LinkedIn and ZoomInfo to construct profiles of key employees within target organisations, later impersonating them in sophisticated social engineering attacks. "It's a scenario of high-stakes deception, and Scattered Spider excels at exploiting trust, weaponizing human vulnerability to devastating effect."

ReliaQuest observed growing collaboration between Russian-aligned groups and English-speaking social engineering specialists. Job posts on cybercriminal forums emphasise the need for "minimal accent" and fluency "at a C1 Level or Higher," as well as alignment to Western business hours, with payments reportedly as high as USD $25,000 per month for successful leads. "Callers are also provided with detailed scripts and real-time guidance from a so-called curator to help them handle any situation during the call." These partnerships "significantly raise the stakes for businesses."

To counter the evolving threat, organisations are advised to invest in robust social engineering defences, regular employee training, heightened identity verification at help desks, and enhanced monitoring of sensitive interactions.

ReliaQuest outlined its approach to supporting customers in detection and response, including tools such as the GreyMatter Digital Risk Protection platform, an agentic AI capability to automate analysis and response, and tailored detection rules based on the latest threat intelligence. ReliaQuest's response playbooks allow organisations to swiftly terminate suspicious sessions, reset stolen credentials, remove malware, and disable compromised accounts.

The report concludes that "Scattered Spider continues to rely heavily on social engineering, using human trust as a weapon alongside phishing campaigns powered by typosquatted domains and advanced tools like Evilginx to bypass MFA." It predicts that Scattered Spider will maintain its focus on "high-value sectors like technology, finance, and retail trade across non-CIS countries." The analysis also anticipates the adoption of deepfake AI voice technology for future impersonation attacks, further complicating defensive efforts.