In a recent cybersecurity incident that sent shockwaves through the IT community, a hacker employed AI technology to orchestrate a breach at Retool, an IT services company based in Brisbane, Australia. The breach impacted 27 of Retool’s cloud clients. The attack began with the hacker sending SMS messages to several Retool employees, posing as a member of the company’s IT team and claiming to address a payroll issue affecting employees’ healthcare coverage. Most employees recognized the phishing attempt, but one unsuspecting employee clicked the provided URL, which led to a deceptive login portal.
Once the employee had entered the fake portal, the hacker followed up with a phone call, using AI-powered deepfake technology to imitate the voice of a genuine IT team member. The voice was eerily accurate, and the caller demonstrated knowledge of the company’s office layout, employees, and internal processes. The targeted employee grew increasingly suspicious during the conversation but inadvertently read out an additional multi-factor authentication (MFA) code. With that code, the attacker added their own device to the employee’s account and pivoted to the employee’s GSuite account; because Google Authenticator can sync MFA codes to that account, the incident underscores the risks of cloud syncing in multi-factor authentication. Retool has since revoked the hacker’s access and has urged Google to enhance the security of its Authenticator app and make it easier for organizations to disable cloud syncing. This incident serves as a stark reminder of the importance of vigilance and robust security measures in today’s interconnected digital landscape.