Retool faced an SMS phishing attack exploiting Google Authenticator’s cloud sync, raising concerns about MFA vulnerability.
Key Points
- Retool, a leading software development company, recently suffered an SMS phishing attack targeting its employees.
- The breach escalated due to the employee’s use of Google Authenticator’s cloud synchronization feature.
- The use of deepfake technology in this attack has prompted the US government to issue warnings about the potential abuse of deepfakes.
- Experts recommend reconsidering the use of cloud-synced one-time codes in favor of more secure options like FIDO2-compliant hardware keys.
On August 27, Retool became the target of an elaborate SMS phishing attack that posed severe security concerns regarding the vulnerability of cloud-based multi-factor authentication (MFA).
The attackers sent deceptive messages to Retool employees, pretending to be from the IT department and asking the employees to resolve a payroll issue by clicking on a link.
One employee fell victim to this scam, thereby compromising their login credentials and multi-factor authentication code.
CoinDesk reveals that phishing attack on cloud provider, Retool, led to $15M hack on Fortress Trust pic.twitter.com/pJOJDPDZZy
— Messari (@MessariCrypto) September 13, 2023
The sophistication of the attack escalated when the cybercriminals used advanced deepfake technology to mimic the voice of an IT team member.
This coerced the employee into sharing their MFA code, granting the attackers access to internal administrative systems.
Google Authenticator’s Cloud Sync: A Weak Link?
The incident exposed vulnerabilities related to Google Authenticator’s cloud synchronization feature, which the compromised employee had been using.
This led to the attackers gaining control over the accounts of 27 customers within the cryptocurrency industry.
US Government’s Response
In response to the incident’s use of deepfake technology, the US government has issued a warning about the risks of malicious use of deepfakes, particularly in business email compromise (BEC) attacks and cryptocurrency scams.
Cybersecurity firm Mandiant has suggested that the attackers’ methods are consistent with those of a known, financially motivated threat group, often referred to as Scattered Spider or UNC3944.
They are notorious for utilizing sophisticated phishing techniques.
Kodesh, a cybersecurity expert, has pointed out the dangers of cloud-syncing one-time codes and emphasized the need for more secure authentication methods. He recommends using FIDO2-compliant hardware security keys as a more secure alternative.
Concluding Thoughts
The Retool attack serves as a cautionary tale for the risks involved with SMS-based phishing attacks and cloud-based MFA solutions.
Companies are advised to reassess their security measures, especially in the wake of growing threats from deepfake technology and advanced phishing tactics.
