Crypto worth $15 mln at risk amidst phishing attack on software provider

Published 14-09-2023, 07:30 pm
© Reuters.

  • The attacker altered user emails and reset passwords on Retool, affecting 27 accounts.
  • However, Retool’s on-premise customers remained unaffected by the attack.
Retool, a prominent software platform, fell victim to a spear phishing attack on 27 August, putting cryptocurrency worth $15 million at risk. While it led to unauthorized access for some cloud customers, Retool promptly took action to address the breach.

The attacker used SMS-based phishing against Retool employees. In the fraudulent texts, the attacker posed as a member of the IT team claiming to be resolving an issue with payroll systems and open enrollment, thereby leveraging a topic employees care about: healthcare coverage.

The timing coincided with the migration of logins to Okta, and the message contained a URL that mimicked Retool’s internal identity portal.

Unmasking deceptive tactics in the attack

While most employees refrained from engaging with the text, one unfortunate employee clicked on the link, leading to a fake portal, complete with multi-factor authentication (MFA) prompts.

Subsequently, the attacker initiated a phone call with the employee, using a deepfake voice that resembled a Retool IT team member. During the conversation, the employee grew increasingly suspicious, but still shared an additional MFA code.

This additional code allowed the attacker to add their device to the employee’s Okta account. Adding the device granted them access to an active GSuite session.
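The step described above, an MFA factor being added to an account shortly after a login from an address the user has never been seen on, is a pattern a defender can look for in identity-provider audit logs. The following is an added example, not code from the article, Retool or Okta: it runs a simple correlation over constructed audit events. The flat record layout and field names are assumptions; the two event names follow Okta's System Log naming, but no real log data is used.

```python
"""Flag MFA factor enrollments that closely follow a login from an unseen IP.

Added example (not from the original article or any vendor). The record
shape below is an assumed, simplified audit-log format; the event names
follow Okta System Log naming. All sample data is constructed.
"""
from datetime import datetime, timedelta

# Constructed sample audit events (not real log data).
# "alice" logs in from a known address, then from a new one, and an MFA
# factor is activated two minutes later from that new address.
# "bob" activates a factor hours after a login from his usual address.
SAMPLE_EVENTS = [
    {"time": "2023-08-27T09:02:10Z", "actor": "alice",
     "event": "user.session.start", "ip": "203.0.113.10"},
    {"time": "2023-08-27T09:03:44Z", "actor": "alice",
     "event": "user.session.start", "ip": "198.51.100.77"},
    {"time": "2023-08-27T09:05:02Z", "actor": "alice",
     "event": "user.mfa.factor.activate", "ip": "198.51.100.77"},
    {"time": "2023-08-27T10:15:00Z", "actor": "bob",
     "event": "user.session.start", "ip": "203.0.113.20"},
    {"time": "2023-08-27T14:40:00Z", "actor": "bob",
     "event": "user.mfa.factor.activate", "ip": "203.0.113.20"},
]

# Constructed baseline: addresses each user has previously been seen on.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.20"}}


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_enrollments(events, known_ips, window=timedelta(minutes=30)):
    """Return one finding per factor activation that occurs within `window`
    after a session start from an IP not in the actor's known set.

    Events are processed in time order so a login can only explain a later
    enrollment, never an earlier one.
    """
    ordered = sorted(events, key=lambda e: parse_time(e["time"]))
    new_ip_logins = {}  # actor -> list of (login_time, login_ip)
    findings = []
    for e in ordered:
        actor, ts, ip = e["actor"], parse_time(e["time"]), e["ip"]
        if e["event"] == "user.session.start":
            if ip not in known_ips.get(actor, set()):
                new_ip_logins.setdefault(actor, []).append((ts, ip))
        elif e["event"] == "user.mfa.factor.activate":
            for login_ts, login_ip in new_ip_logins.get(actor, []):
                if timedelta(0) <= ts - login_ts <= window:
                    findings.append({"actor": actor, "time": e["time"],
                                     "enroll_ip": ip, "login_ip": login_ip})
                    break  # one finding per enrollment is enough
    return findings


if __name__ == "__main__":
    for f in find_suspicious_enrollments(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"ALERT: {f['actor']} enrolled a factor at {f['time']} "
              f"from {f['enroll_ip']} after a login from new IP {f['login_ip']}")
```

The rule deliberately ignores enrollments that follow a login from a known address (bob's case), so routine device changes from the office do not alert; the window and the "known IP" baseline are the two knobs to tune for a given environment.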

Notably, Google (NASDAQ:GOOGL) had recently introduced a feature that syncs MFA codes to the cloud, potentially compromising security. The attacker capitalized on this vulnerability, enabled by Google’s dark patterns that encouraged MFA code syncing.

The breach’s impact extended to Retool’s internal systems, including VPN and admin systems, enabling an account takeover attack on specific customers, primarily from the crypto industry.

The attacker altered user emails and reset passwords, affecting 27 accounts in total.

Upon discovering the breach, Retool took swift action. It revoked all internal authenticated sessions, secured the affected accounts, notified impacted customers, and restored their accounts to their original states.

Remarkably, Retool’s on-premise customers remained unaffected, as the on-premises system operates independently of Retool’s cloud environment.

The company confirmed that it was actively collaborating with law enforcement and a third-party forensics firm to investigate the breach.
