Retool Attributes Breach That Affected Crypto Users to Google Authenticator's Cloud Sync
Retool, a prominent software development company, has recently revealed that 27 of its cloud customers fell prey to a targeted SMS-based phishing attack.
The breach has raised concerns about the security of cloud synchronization features, particularly Google Authenticator’s cloud sync.
Retool Falls Prey to Targeted SMS Phishing Attack
The Aug. 27 attack began with a deceptive SMS phishing campaign directed at Retool's employees. The attackers posed as members of the IT team and urged recipients to click a seemingly legitimate link to resolve a payroll-related problem. One employee fell for the lure and landed on a fake login page with a multi-factor authentication form, where their login credentials were stolen.
Once the attackers had the employee's login details, they went a step further and contacted the employee directly. Using deepfake technology, they convincingly imitated the voice of an IT team member and tricked the employee into disclosing a multi-factor authentication code.
The employee's use of Google Authenticator's cloud synchronization feature turned a single stolen code into a much larger compromise: with sync enabled, the one-time-password secrets were backed up to the employee's Google account, so an attacker who controls that account can generate valid MFA codes for every enrolled service. This gave the attackers access to internal administrative systems, and from there they took control of the accounts of 27 customers within the cryptocurrency industry.
One of the affected clients, Fortress Trust, suffered a substantial loss, with approximately $15 million worth of cryptocurrency stolen as a result of the breach.