Retool, maker of a platform for building internal business tools, recently disclosed that attackers gained access to the accounts of 27 of its cloud customers after a targeted SMS phishing (smishing) attack on its staff. The incident has raised concerns about cloud synchronization of multi-factor authentication (MFA) secrets, in particular Google Authenticator's cloud sync feature.
The attack began on August 27 with an SMS phishing campaign against Retool employees. Posing as the company's IT team, the attackers urged recipients to follow a seemingly legitimate link to resolve a payroll-related issue. One employee did so and landed on a fake login page, where their credentials were captured.
With the employee's credentials in hand, the attackers went a step further and phoned the employee directly. Using deepfake technology, they convincingly imitated the voice of a member of the IT team and talked the employee into reading out a multi-factor authentication code.
The situation worsened because the employee had enabled Google Authenticator's cloud synchronization feature. With sync enabled, the one-time-password seeds for every account enrolled in the app are stored in the user's Google account, so an attacker who controls that Google account can generate valid codes for all of those accounts, not just the single code the employee read out over the phone. That gave the attackers MFA-backed access to Retool's internal administrative systems, from which they took over the accounts of 27 customers, all in the cryptocurrency industry. One of the affected clients, Fortress Trust, reportedly lost approximately $15 million worth of cryptocurrency.
The use of deepfake audio in this attack has also drawn the attention of the U.S. government: a recent advisory warned of the potential misuse of audio, video, and text deepfakes for malicious purposes, including business email compromise attacks and cryptocurrency scams.
The attackers have not been publicly identified, but their tactics resemble those of the financially motivated threat actor tracked as Scattered Spider (UNC3944), known for its sophisticated phishing techniques. Mandiant, which tracks the group, has shared insight into its methods, noting that the actor may have used access to victim environments to improve later phishing campaigns, for example by registering new phishing domains that incorporate internal system names, as observed in some cases.
In light of the incident, security experts warn against syncing one-time-password seeds to the cloud: once the seed lives in a cloud account, the "something the user has" factor is only as strong as the credentials protecting that account, and a single phished login can expose every second factor stored there. They recommend FIDO2-compliant hardware security keys or passkeys instead, because those bind each authentication to the site's origin and so cannot be phished by a look-alike page or relayed over the phone.
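The two mechanisms behind that advice, as an added illustration that is not Retool's, Google's or Mandiant's code: the first part implements RFC 4226/6238 TOTP and shows that a server verifying a code cannot distinguish the employee's phone from an attacker's device loaded with the synced seed; the second part is a deliberately simplified model of a FIDO2/WebAuthn login, showing why an assertion requested from a look-alike origin never reaches the relying party in a valid form. The seed, the hostnames, the credential key and the challenge are all constructed for the example, and an HMAC stands in for the credential's real ECDSA signature.

```python
"""Added example (not code from Retool, Google or Mandiant). Part 1: a synced
TOTP seed is a copied possession factor. Part 2: simplified FIDO2-style origin
binding. Seeds, hosts, keys and challenges below are constructed; HMAC is a
stand-in for the authenticator's real signature."""
import base64
import hashlib
import hmac
import json
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def rp_verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """Server-side check with a one-step clock-skew window. What it cannot see is
    which device computed the code: anyone holding `secret` is 'the user'."""
    return any(hmac.compare_digest(totp(secret, unix_time + d), code) for d in (-30, 0, 30))


# Authenticator apps keep the seed as base32 (the `secret` of an otpauth:// URI);
# cloud sync uploads exactly this value to the user's account. Constructed seed:
EMPLOYEE_SEED = base64.b32decode("JBSWY3DPEHPK3PXP")


def attacker_passes_totp(unix_time: int) -> bool:
    """Attacker device loaded with the seed pulled from the synced cloud account."""
    attacker_code = totp(EMPLOYEE_SEED, unix_time)
    return rp_verify_totp(EMPLOYEE_SEED, attacker_code, unix_time)


# --- Part 2: FIDO2/WebAuthn-style origin binding (simplified model) ---
RP_ID = "login.example-corp.test"                         # constructed relying party ID
LEGIT_ORIGIN = "https://login.example-corp.test"
PHISH_ORIGIN = "https://login.example-corp-payroll.test"  # constructed look-alike host
CREDENTIALS = {RP_ID: b"constructed-credential-key"}      # authenticator store, keyed by RP ID
CHALLENGE = hashlib.sha256(b"constructed-rp-nonce").digest()


def authenticator_assert(cred_key: bytes, rp_id: str, origin: str, challenge: bytes) -> dict:
    """Sign rpIdHash || sha256(clientDataJSON). The browser, not the user, writes
    `origin` into clientDataJSON, so a phishing page cannot get the user to
    'read out' the real origin the way it can get them to read out a TOTP code."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                              "challenge": base64.urlsafe_b64encode(challenge).decode()},
                             sort_keys=True).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    sig = hmac.new(cred_key, rp_id_hash + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()  # stand-in for the credential's ECDSA signature
    return {"client_data": client_data, "rp_id_hash": rp_id_hash, "sig": sig}


def browser_get_assertion(origin: str, rp_id: str, challenge: bytes):
    """Browser rule: the requested RP ID must equal the page's host or be a
    registrable suffix of it, else the request is refused. Credentials are then
    looked up by RP ID, so a look-alike host has nothing to sign with."""
    host = origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        return None  # a real browser raises SecurityError here
    key = CREDENTIALS.get(rp_id)
    return None if key is None else authenticator_assert(key, rp_id, origin, challenge)


def rp_verify_assertion(assertion, challenge: bytes) -> bool:
    """Relying party: check challenge, origin and rpIdHash, then the signature."""
    if assertion is None:
        return False
    cd = json.loads(assertion["client_data"])
    if cd.get("origin") != LEGIT_ORIGIN:
        return False
    if cd.get("challenge") != base64.urlsafe_b64encode(challenge).decode():
        return False
    if assertion["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(CREDENTIALS[RP_ID],
                        assertion["rp_id_hash"] + hashlib.sha256(assertion["client_data"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def login_from(origin: str, requested_rp_id: str = RP_ID) -> bool:
    """One login attempt: the RP's challenge reaches a page at `origin` (a phishing
    page relays it verbatim), the browser produces an assertion, the RP verifies."""
    return rp_verify_assertion(browser_get_assertion(origin, requested_rp_id, CHALLENGE), CHALLENGE)


if __name__ == "__main__":
    print("RFC 6238 vector ok:", totp(b"12345678901234567890", 59, digits=8) == "94287082")
    print("attacker with synced seed passes TOTP:", attacker_passes_totp(1700000000))
    print("login from real origin:", login_from(LEGIT_ORIGIN))
    print("login relayed via phishing origin:", login_from(PHISH_ORIGIN))
```

The asymmetry is the whole point: the TOTP server accepts any correct code, so copying the seed (which is what cloud sync does) copies the factor, and the phone call in this incident only needed one code to bootstrap from. The FIDO2 model fails the phishing relay twice over, once in the browser, which refuses to hand a credential scoped to `login.example-corp.test` to a page served from another host, and again at the relying party, which would reject any assertion whose signed `origin` is not its own.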
– Mandiant. “UNC3944: SMS Phishing, SIM Swapping, Ransomware?” Mandiant, https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware.