A recent wave of cyberattacks against major retail organizations is being linked to the threat group Scattered Spider, a highly active cybercrime outfit known for its social engineering prowess and connection to the ALPHV/BlackCat ransomware cartel. Investigators suggest that the group orchestrated a clever scheme by hijacking Google Alerts to distribute malicious links tailored to deceive specific personnel within targeted organizations.
This campaign is part of a broader trend in which sophisticated cybercriminals repurpose legitimate technologies to sidestep traditional cybersecurity defenses.
The use of Google Alerts, a widely trusted and automated content notification tool, not only demonstrates the group’s ingenuity but also underscores the need for companies to reassess what constitutes a secure digital environment.
Why It Matters: By co-opting familiar tools like Google Alerts, Scattered Spider is exploiting trust in mainstream technologies to bypass technical defenses and reach their targets directly. This strategy reflects an evolution in cybercrime, where psychological manipulation is prioritized over brute-force tactics. For the retail sector, which handles enormous amounts of sensitive data, this presents a renewed imperative to invest in proactive detection and employee awareness measures.
- Scattered Spider’s Focus on Retail Signals High-Value Targeting: The cybercriminal group’s latest campaign appears to specifically target retail companies, which are rich in customer data and often under pressure to maintain uptime. By focusing on this sector, Scattered Spider is likely attempting to extract maximum financial gain with minimal resistance, capitalizing on the intense operational demands and often-overlooked security vulnerabilities unique to retail environments.
- Exploiting Google Alerts to Deliver Malicious Content: Attackers created fake blog posts or news articles embedding phishing links and used relevant brand names and keywords to ensure the content would trigger Google Alerts for company employees. Once recipients clicked the links thinking they were seeing legitimate mentions of their employer, they were redirected to phishing sites designed to harvest credentials or install malware, all under the guise of familiar, Google-branded communication.
- Ties to ALPHV/BlackCat Expand Threat Capabilities: The suspected affiliation with ALPHV/BlackCat, a major ransomware-as-a-service operation, means Scattered Spider can draw upon a vast infrastructure of malicious tools, encryption mechanisms, and extortion strategies. This partnership likely enhances the group’s technical reach and monetization potential, making them more dangerous than an isolated cybercriminal cell.
- Leveraging Trust in Everyday Technology to Evade Detection: Rather than breaching firewalls or exploiting server-side vulnerabilities, Scattered Spider’s campaign bypasses traditional defenses by exploiting human trust. Google Alerts, typically used for market monitoring or brand tracking, becomes the vector for social engineering. This approach not only increases click-through success rates but also delays detection, since the alert originates from a legitimate platform.
- Urgent Need for Human-Centric Security Measures: The campaign highlights the necessity for organizations to broaden the scope of cybersecurity awareness training. Employees need to be alerted to the fact that even trusted services like Google Alerts can be misused. In addition, companies must adapt detection protocols to look for indicators of abuse that might come from “good” tools behaving in unusual ways, rather than just blocking “bad” tools outright.
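One way to act on that last point, as an added example that is not drawn from the article or from any vendor's tooling: a small Python triage routine that unwraps the real destination behind each link in a Google Alerts notification and flags targets that are neither the brand's own domain nor a known partner, calling out brand-name lookalikes separately. It assumes alert links use Google's `www.google.com/url?...&url=<target>` redirect wrapper; the alert body, brand name, domains and allowlist are constructed.

```python
"""Triage links in a Google Alerts notification before anyone clicks them."""
import re
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, urlparse

# Google wraps every alert link in a redirector; match the whole wrapped URL.
LINK_RE = re.compile(r'https?://www\.google\.com/url\?[^\s"<>]+')

# Constructed sample alert (addresses use the reserved .example TLD).
SAMPLE_ALERT = """Google Alert - Acme Retail
Acme Retail announces new loyalty scheme
https://www.google.com/url?rct=j&sa=t&url=https://www.acmeretail.example/news/loyalty&ct=ga&cd=1
Acme Retail staff portal update - action required
https://www.google.com/url?rct=j&sa=t&url=https://acme-retail-portal.example/login&ct=ga&cd=2
Retail sector outlook 2025
https://www.google.com/url?rct=j&sa=t&url=https://news.example.org/retail-outlook&ct=ga&cd=3
"""

def unwrap_alert_link(wrapped: str) -> Optional[str]:
    """Return the destination behind a Google redirect link, or None if it is not one.

    Assumption: the target sits in the `url` query parameter (older redirectors used `q`).
    """
    parsed = urlparse(wrapped)
    if parsed.hostname != "www.google.com" or parsed.path != "/url":
        return None
    query = parse_qs(parsed.query)
    targets = query.get("url") or query.get("q")
    return targets[0] if targets else None

def registrable_domain(url: str) -> str:
    """Crude registrable-domain extraction (last two labels); enough for an allowlist check."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def triage_alert(body: str, brand: str, allowed: Set[str]) -> List[Dict[str, str]]:
    """Classify each alert link as trusted (allowlisted), lookalike (brand name in a
    domain we do not own) or unknown (everything else, to be reviewed before use)."""
    findings = []
    for wrapped in LINK_RE.findall(body):
        target = unwrap_alert_link(wrapped)
        if target is None:
            continue
        host = (urlparse(target).hostname or "").lower()
        domain = registrable_domain(target)
        if domain in allowed:
            verdict = "trusted"
        elif brand in host.replace("-", "").replace("_", ""):
            verdict = "lookalike"  # brand keyword used to make a foreign host look familiar
        else:
            verdict = "unknown"
        findings.append({"target": target, "domain": domain, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in triage_alert(SAMPLE_ALERT, "acmeretail", {"acmeretail.example"}):
        print(f"{f['verdict']:9s} {f['domain']:28s} {f['target']}")
```

Anything not marked trusted is a candidate for blocking at the mail gateway or for a quick analyst look, which is the kind of "good tool behaving unusually" check the article asks for.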
Go Deeper -> Google says hackers behind UK retail cyber campaign now also targeting US – The Record