
‘Spider’ Strikes Britain: The Hacks at M&S, Co-Op & How to Stop Them
A pair of British retail giants are still scrambling to regain control of their computer systems nearly a month after massive cyberattacks disrupted their operations and cast a spotlight on the dangers of social engineering schemes targeting corporate IT operations. Despite the availability of technologies for preventing such breaches, most corporations remain vulnerable to this growing threat and the long-term damage it can inflict.
As of May 19, High Street retailer Marks & Spencer has yet to restore online shopping in the face of more than $80 million in lost profit from attacks that have also wiped $1.3 billion from its stock market value. According to the BBC, personal information of some portion of the retailer’s 9.4 million active online customers was compromised in the attack, which could include name, date of birth, contact details, and online order history.
Meanwhile, efforts remain underway at grocery chain Co-op to restock shelves and restore systems that were shut down in response to unfolding attacks days after similar assaults on Marks & Spencer. Despite its quick action, hackers had successfully extracted data related to a “significant number” of its customers, though it did not include bank or credit card information.
These and a number of other recent attacks appear to have been perpetrated by the hacker collective called “Scattered Spider” by some analysts, UNC3944 or Octo Tempest and “Muddled Libra” by others. We first posted about this particular cybercriminal network after its successful assaults on Caesars Entertainment and MGM Resorts International in Las Vegas.
A number of factors make this group especially troubling. First, it has been implicated in dozens of attacks spanning numerous industries worldwide dating back to 2022. Second, it’s believed to be made up of teenagers and young adults leveraging simple social engineering techniques to infiltrate corporate systems for fun and profit.
A Tangled Web of Socially-Engineered Breaches
Even now, a clear picture of the UK attacks remains elusive. But judging from reports, it appears Spider’s playbook continues to forgo approaches like credential stuffing or exploiting previously unrecognized vulnerabilities. Instead, they compromise corporate networks through clever conversations. In other words: They talk their way in.
In the M&S and Co-op attacks, the perpetrators appear to have used SIM swapping to bypass traditional forms of multifactor authentication (MFA). This typically involves scammers, either working with an insider or tricking a call center rep, convincing a mobile services provider to transfer the victim’s number to a new SIM card, or even an e-SIM (a kind of virtual SIM embedded in the device), on a device under the fraudster’s control.
They then tricked IT help desks at Co-op and at a third-party supplier to M&S into granting access to the company’s systems, perhaps through a password reset request that was then authenticated using the fraudster’s device. In M&S’s case, it’s believed that once they had enough access, the infiltrators exploited the company’s instance of Microsoft Active Directory, which enables a user to log in once and gain entry to all systems for which the victim has permissioned access. From there, they were free to deploy ransomware to cripple the system.
Why ‘Mission: Impersonate’ Is Just Getting Started
Scattered Spider is believed to be a decentralized network composed largely of native English-speaking young people who coordinate in real-time over Discord, Telegram, and underground forums. As I mentioned, they rely on techniques that target people, not technology infrastructure. The group reportedly coordinates with a ransomware-as-a-service operation known as DragonForce that handles the encryption and extortion side of attacks like those on M&S and Co-op.
But here’s the thing. Scattered Spider isn’t just a threat group. It’s an economic model—one that has been leveraged by these or copycat groups in the weeks since the M&S and Co-op attacks. By early May, luxury department store Harrods reported it was also forced to disable some of its systems after it was hit by a cyberattack. Fashion retailer Dior, Danish food giant Arla Foods, and a growing list of other retailers and suppliers have been targeted.
As Metro aptly points out, the allure of these household names is threefold: “Big brand, big data, big target.” It’s also worth pointing out what they aren’t: Organizations in financial services, healthcare, or other highly regulated, attack-hardened industries. All it takes is one employee at a supplier, partner, or within the targeted company itself to click a malicious link or grant unwarranted access to company systems. And as wide as this attack surface may be, it’s also ever-expanding. By May 20, Google was warning there are signs Scattered Spider may be moving on from UK retailers and pivoting to direct cyberattacks against retail sector targets in the US.
A Breach’s Bite Is Painful—and Costly
Crippled systems, disrupted sales, and headline-driven stock swings are just the immediate prices to be paid when organizations fall prey to threat groups like Scattered Spider. The average additional cost of a data breach on UK-based organizations is now $4.8 million per incident, according to IBM, and as high as $9.8 million for US-based companies. Worldwide, IBM estimates the price of each breach is climbing at a rate of 10% per year. And that’s before any regulatory fines and lawsuits.
The longer-term impact on revenue generation may also be profound for retailers. According to one 2025 survey, 70% of consumers would stop shopping with a brand that suffered a security incident. The fact that 1 in 5 consumers say they use the same passwords across work and personal online accounts means the fallout from successful attacks on retailers may have serious implications for companies in every industry.
As the M&S and Co-op attacks so vividly illustrate, traditional forms of MFA don’t cut it anymore. Cybercriminal enterprises like Scattered Spider continue to find innovative ways to acquire login credentials and circumvent things like one-time passcodes and limited biometric authentication systems designed to confirm the legitimate user is attempting to access company systems. And anyone with administrative access or a successful SIM swap can register things like user biometrics to any device—or set up an alternative identity provider to bypass authentication measures altogether. Yet while these challenges are real, they’re also not insurmountable.
Breach-Proof ‘Spider’ Repellant: ‘Liveness’-based Biometric Authentication
With old-school forms of MFA proving so unreliable as a means of identity verification and new-school social engineering schemes on the rise, modern forms of biometric authentication are helping to set a new standard for security and convenience. Solutions certified to FIDO2, ISO/IEC biometric presentation attack detection, and NIST 800-63-3 specifications, for instance, use “live” biometric markers tied to a verified identity to provide reliable, strong authentication that’s impervious to account takeover.
Put simply, these solutions are built around the identity of the person accessing the account, rather than just the login credentials or the device the person is using. They verify that identity by machine against government-issued credentials (driver’s license, state ID, passport, etc.) and then enable phishing-resistant multifactor authentication when users log in to corporate systems.
1Kosmos, for example, uses the private key of a matched public-private pair in the user’s device as a possession factor (i.e., what you have), while a live facial scan becomes the “what you are” or inherence authentication element. Before access is granted to a site, app, or system, that live image scan is compared to an image captured during the user enrollment process. A match confirms the identity of the person is in fact the authorized user—and not a bot, deepfake, or imposter—with 99.9% accuracy.
The solution supports a consistent enrollment and authentication experience across all apps, devices, systems, and environments—including existing privileged access management systems.
That means every organization—big British retailer or otherwise—can prevent breaches before they happen by squashing attempts from Scattered Spider or other threat actors to fraudulently infiltrate accounts.
To learn more about 1Kosmos, the only NIST, FIDO2, and iBeta biometrics-certified platform on the market, click here.
The post ‘Spider’ Strikes Britain: The Hacks at M&S, Co-Op & How to Stop Them appeared first on 1Kosmos.
*** This is a Security Bloggers Network syndicated blog from Identity & Authentication Blog authored by Michael Cichon. Read the original post at: https://www.1kosmos.com/authentication/spider-strikes-britain-the-hacks-at-ms-co-op-how-to-stop-them/