Retool Cloud Customers Fall Victim to Targeted SMS Phishing Attack
Retool, a well-known software development company, has disclosed that 27 of its cloud customers were compromised after a phishing attack delivered through SMS messages.
The Attack Details
The attack occurred on August 27 and began with a deceptive SMS phishing campaign aimed at Retool's employees. The attackers posed as members of the IT team and sent messages urging recipients to click a seemingly legitimate link to resolve a payroll-related issue. One employee followed the link and entered their credentials on a fake login page, where they were captured.
With the login details in hand, the attackers then phoned the employee directly, using deepfake technology to convincingly imitate the voice of an IT team member, and talked the employee into disclosing a multi-factor authentication code.
Because the employee had enabled Google Authenticator's cloud synchronization feature, the one-time codes were no longer confined to the employee's phone, and the attackers were able to reach internal administrative systems. From there they took control of accounts belonging to 27 customers in the cryptocurrency industry.
Concerns Over Deepfake Technology
The use of deepfake technology in this attack has raised concerns within the US government. A recent advisory highlighted the potential misuse of audio, video, and text deepfakes for malicious purposes, including business email compromise (BEC) attacks and cryptocurrency scams.
Although the identity of the attackers remains unknown, their tactics resemble those of Scattered Spider (also tracked as UNC3944), a financially motivated threat actor known for sophisticated phishing techniques.
Cybersecurity Recommendations
Mandiant, a cybersecurity firm, shared insights into the attackers' methods, suggesting that they may have used their access to victim environments to improve later phishing campaigns: in some cases, the attackers were observed registering new phishing domains that reused the names of internal systems.
Syncing one-time codes to the cloud carries a real risk: the secret that generates the codes is no longer tied to a single device, so the "something the user has" factor of multi-factor authentication no longer proves possession of that device. To strengthen defenses against phishing, it is recommended that users consider FIDO2-compliant hardware security keys or passkeys.
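The contrast drawn above can be shown in code. The following is an added example written for this article, not code from Retool or from the advisory it cites; the seed, origins and challenge are constructed sample values. It shows that a TOTP check accepts the correct digits from anyone (a code read out over the phone, or one computed from a synced copy of the seed), while a simplified WebAuthn relying-party check rejects an assertion collected on a lookalike origin because the browser, not the page, fills in the origin field.

```python
import base64, hashlib, hmac, json, struct

# Constructed sample values for this demonstration, not from the incident.
VICTIM_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()  # RFC 6238 test seed
REAL_ORIGIN = "https://login.example.com"   # hypothetical genuine login origin
FAKE_ORIGIN = "https://login-example.com"   # hypothetical phishing page origin
CHALLENGE = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed base64url challenge

def totp(seed_b32: str, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. Only the seed decides the output, so any
    device holding a copy of it (a cloud-synced copy included) yields the same code."""
    key = base64.b32decode(seed_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", t // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_accepts_totp(seed_b32: str, submitted: str, t: int, skew: int = 1) -> bool:
    """A TOTP check only compares digits; it cannot tell who typed them or where
    the code came from, so a code read out to a caller passes just as well."""
    return any(hmac.compare_digest(submitted, totp(seed_b32, t + 30 * d))
               for d in range(-skew, skew + 1))

def browser_client_data(origin: str, challenge: str) -> bytes:
    """Stand-in for the clientDataJSON a browser builds during
    navigator.credentials.get(); the web page cannot choose the origin field."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()

def rp_accepts_assertion(client_data: bytes, expected_origin: str,
                         expected_challenge: str) -> bool:
    """Simplified WebAuthn relying-party check (signature and rpIdHash
    verification omitted): an assertion gathered on a lookalike domain carries
    that domain as its origin and is rejected even though the user approved it."""
    cd = json.loads(client_data)
    return (cd.get("type") == "webauthn.get"
            and cd.get("origin") == expected_origin
            and hmac.compare_digest(cd.get("challenge", ""), expected_challenge))

def demo(now: int = 1_700_000_000) -> dict:
    # Code the victim read out to the caller, or computed from a synced seed copy.
    relayed_code = totp(VICTIM_SEED_B32, now)
    return {
        "totp_relay_accepted": server_accepts_totp(VICTIM_SEED_B32, relayed_code, now),
        "fido2_real_site": rp_accepts_assertion(
            browser_client_data(REAL_ORIGIN, CHALLENGE), REAL_ORIGIN, CHALLENGE),
        "fido2_phishing_site": rp_accepts_assertion(
            browser_client_data(FAKE_ORIGIN, CHALLENGE), REAL_ORIGIN, CHALLENGE),
    }
```

A production relying party must also verify the authenticator signature over authenticatorData and the SHA-256 of clientDataJSON, and check the rpIdHash; the origin check alone is shown here because it is the step that defeats the lookalike page.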
Hot Take: Phishing Attack Highlights the Dangers of SMS-Based Attacks
The phishing attack on Retool's cloud customers is a reminder of the danger posed by SMS-based attacks and of how deepfake technology can be misused to make them more convincing. Individuals and organizations need to stay alert to such threats and take proactive steps to strengthen their defenses. Adopting phishing-resistant authentication, such as hardware security keys, makes it far harder for a stolen password and a disclosed code to turn into unauthorized access to sensitive information.