Retool, a software development company, has revealed that 27 of its cloud customers fell victim to a targeted SMS-based social engineering attack.
This breach was exacerbated by a Google Account cloud synchronization feature introduced in April 2023, which the company has referred to as a “dark pattern.”
Details of the Phishing Attack
According to Snir Kodesh, Retool’s head of engineering, the use of Google Authenticator’s cloud sync introduced a novel attack vector.
What was initially implemented as multi-factor authentication had quietly transitioned to single-factor authentication due to this Google update. The incident occurred on August 27, 2023, coinciding with the company’s transition of logins to Okta.
The attack originated with an SMS phishing attempt targeting Retool employees. Threat actors posed as IT team members, urging recipients to click on a seemingly legitimate link to address a payroll-related issue.
One employee was deceived by this phishing lure, leading them to a fraudulent landing page where they unwittingly shared their credentials.
In the subsequent phase of the attack, the hackers went a step further by calling the employee and employing deepfake technology to mimic the IT team member’s voice.
This tactic enabled them to obtain the multi-factor authentication (MFA) code, crucial for their next move. With this code, the attacker added their own device to the employee’s Okta account, granting them the ability to generate Okta MFA tokens independently. Consequently, the threat actors gained control over an active G Suite (now Google Workspace) session on that device.
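The pivot described above (a phished password and relayed MFA code, followed by the attacker enrolling their own device as a new MFA factor) leaves a recognisable trace in identity-provider logs: a session start from an address the user has never used, followed minutes later by a factor enrollment. The detection logic below is an added example and not code from Retool, Okta or the article's authors; the records are constructed, modelled on Okta System Log fields (`eventType`, `published`, `actor.alternateId`, `client.ipAddress`) and the event types `user.session.start` and `user.mfa.factor.activate`, and the per-user known-address list is assumed to come from an existing baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Okta System Log entries; every user, time and
# address here is invented for this example.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "published": "2023-08-27T09:02:00.000Z",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.7"}},
    {"eventType": "user.mfa.factor.activate", "published": "2023-08-27T09:05:30.000Z",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.7"}},
    {"eventType": "user.session.start", "published": "2023-08-27T10:00:00.000Z",
     "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.20"}},
    {"eventType": "user.mfa.factor.activate", "published": "2023-08-27T14:00:00.000Z",
     "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.20"}},
    {"eventType": "user.session.start", "published": "2023-08-27T08:00:00.000Z",
     "actor": {"alternateId": "carol@example.com"}, "client": {"ipAddress": "203.0.113.99"}},
    {"eventType": "user.mfa.factor.activate", "published": "2023-08-27T12:00:00.000Z",
     "actor": {"alternateId": "carol@example.com"}, "client": {"ipAddress": "203.0.113.99"}},
]

# Assumed baseline of addresses each user has previously authenticated from.
KNOWN_IPS = {
    "alice@example.com": {"192.0.2.10"},
    "bob@example.com": {"198.51.100.20"},
    "carol@example.com": {"192.0.2.11"},
}


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def find_suspicious_enrollments(events, known_ips, window=timedelta(minutes=15)):
    """Return (user, ip, enrollment_time) for each MFA factor activation that follows,
    within `window`, a session start from an address not in that user's baseline."""
    recent_logins = defaultdict(list)  # user -> [(login_time, login_ip)]
    hits = []
    for ev in sorted(events, key=lambda e: e["published"]):
        user = ev["actor"]["alternateId"]
        ip = ev["client"]["ipAddress"]
        ts = parse_ts(ev["published"])
        if ev["eventType"] == "user.session.start":
            recent_logins[user].append((ts, ip))
        elif ev["eventType"] == "user.mfa.factor.activate":
            for login_ts, login_ip in recent_logins[user]:
                if ts - login_ts <= window and login_ip not in known_ips.get(user, set()):
                    hits.append((user, ip, ev["published"]))
                    break
    return hits


if __name__ == "__main__":
    for user, ip, when in find_suspicious_enrollments(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"review: {user} enrolled a new MFA factor from {ip} at {when}")
```

Only Alice's enrollment is flagged: Bob enrolls from a known address, and Carol's enrollment falls four hours after the unfamiliar login, outside the window. In practice the window and baseline are tuning knobs; a factor enrollment shortly after a first-seen login is worth a ticket regardless of whether the login itself passed MFA, because by that point the original factor may already have been relayed.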
The presence of Google Authenticator’s cloud synchronization feature was a pivotal factor in granting the attackers elevated access to internal admin systems, ultimately compromising the accounts of 27 customers within the cryptocurrency industry. Among the impacted users, Fortress Trust reported losses of nearly $15 million in cryptocurrency.
This sophisticated attack highlights the vulnerability introduced by syncing one-time codes to the cloud, potentially undermining the “something the user has” factor in authentication.
It underscores the importance of users relying on FIDO2-compliant hardware security keys or passkeys to defend against phishing attacks.
While the identity of the attackers remains undisclosed, their tactics resemble those of a financially motivated threat actor known as Scattered Spider (aka UNC3944), which is known for its advanced phishing techniques.
According to Mandiant, these threat actors may have leveraged access to victim environments to gather information about internal systems, enabling more tailored phishing campaigns.
U.S. Government Issues Advisory on Deepfakes
Separately, the U.S. government has issued a warning regarding the use of deepfakes and synthetic media, cautioning that they may be used in a range of malicious activities, including business email compromise (BEC) attacks and cryptocurrency scams. The advisory underscores the evolving nature of cyber threats and the need for organizations to remain vigilant in strengthening their security measures.