The PCMag website has reported that an attacker used an AI-generated deepfake of an employee's voice to break into IT company Retool, leaving 27 cloud customers caught up in a cybersecurity incident.
The attackers initially sent phishing text messages to multiple Retool employees, posing as members of Retool's IT team and offering to resolve a payroll issue that was supposedly preventing employees from obtaining health insurance. Most Retool employees did not respond to the phishing messages; one employee did, and that response set the attack in motion.
According to information shared by Retool, the unsuspecting employee clicked a URL in the text message that redirected him to a fake login portal. After he logged in to the portal, which included a multi-factor authentication form, the attacker phoned him using an AI-generated deepfake of a real Retool employee's voice. The owner of that voice was familiar with the office floor plan, coworkers, and internal company processes.
Notably, although the targeted employee expressed skepticism about the call several times during the conversation, he ultimately provided an additional multi-factor authentication (MFA) code to the attackers.
This suggests that the attacker had already gained some foothold inside Retool before calling the targeted employee. Once the MFA code was handed over, the attacker added their own device to the employee's account and went on to access his GSuite account.
Retool attributes the scope of the breach to the recently introduced cloud synchronization feature in the Google Authenticator app. The feature is meant to preserve access to MFA codes if a phone is lost or stolen, but, as Retool notes, it also means that if a user's Google account is compromised, so are his or her MFA codes.
Retool further points out that access to a Google account gives immediate access to every MFA token stored in that account, which is the main reason the attacker was able to reach internal systems. Social engineering is a very real and convincing attack vector; any organization or individual can be targeted, and in a large enough organization there will always be employees who unknowingly click on links and get phished.
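Retool's point, that a synced seed turns the Google account into the single point of failure for MFA, follows directly from how TOTP works: the code is a deterministic function of the seed and the clock. The following added example (not from Retool or from the PCMag report) implements RFC 6238 TOTP and a typical server-side check to show that a code produced from the cloud-synced copy of a seed is indistinguishable from one produced on the phone; the seed value is the RFC 6238 test secret, used here as a constructed stand-in for a real enrolled seed.

```python
import hashlib
import hmac
import struct

# RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

# RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)

# Server-side check with a +/-1 step clock-skew window, as most verifiers implement it.
# The server only has the seed and the code; it cannot tell which copy of the seed
# generated the code.
def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + skew * step, step), code):
            return True
    return False

# Constructed scenario: the seed enrolled on the phone and the copy that cloud sync
# stored in the Google account are byte-identical, so whoever reads the account copy
# produces exactly the code the server will accept.
PHONE_SEED = b"12345678901234567890"   # RFC 6238 test secret, a stand-in for a real seed
CLOUD_SYNCED_SEED = bytes(PHONE_SEED)  # the synced copy is the same secret

def synced_copy_passes_verification(unix_time: int) -> bool:
    code_from_cloud_copy = totp(CLOUD_SYNCED_SEED, unix_time)
    return verify_totp(PHONE_SEED, code_from_cloud_copy, unix_time)

if __name__ == "__main__":
    t = 59  # RFC 6238 test vector: step 1, SHA-1, 8 digits -> 94287082
    print("phone code:", totp(PHONE_SEED, t), "cloud-copy code:", totp(CLOUD_SYNCED_SEED, t))
    print("server accepts code from cloud copy:", synced_copy_passes_verification(t))
```

The practical consequence for defenders is that once authenticator seeds are synced, the Google account itself must be protected with a phishing-resistant factor (for example a hardware security key), because a TOTP code drawn from the synced seed is no longer a second, independent factor.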
Finally, although Retool has since revoked the attacker's access, the company decided to publicize the incident in order to warn other companies about similar attacks.