
Crypto worth $15 mln at risk amidst phishing attack on software provider

Retool contained a spear phishing attack by acting promptly once the intrusion was discovered.

Crypto worth $15 mln at risk as software provider falls to phishing attack
  • The attacker altered user emails and reset passwords on Retool, affecting 27 accounts.
  • However, Retool’s on-premise customers remained unaffected by the attack.

Retool, a prominent software platform, fell victim to a spear phishing attack on 27 August, putting cryptocurrency worth $15 million at risk. While it led to unauthorized access for some cloud customers, Retool promptly took action to address the breach.

The attacker used SMS-based phishing (smishing) against Retool employees. The fraudulent texts posed as messages from the IT team, claiming to address an issue with payroll systems and open enrollment, and so leaned on a topic employees care about: healthcare coverage.

The timing coincided with the migration of logins to Okta, and the message contained a URL that mimicked Retool’s internal identity portal.

Unmasking deceptive tactics in the attack

While most employees refrained from engaging with the text, one unfortunate employee clicked on the link, leading to a fake portal, complete with multi-factor authentication (MFA) prompts.

Subsequently, the attacker initiated a phone call with the employee, using a deepfake voice that resembled a Retool IT team member. During the conversation, the employee grew increasingly suspicious, but still shared an additional MFA code.

This additional code allowed the attacker to add their device to the employee’s Okta account. Adding the device granted them access to an active GSuite session.

Notably, Google had recently introduced a feature that syncs MFA codes to the cloud, which weakens the protection those codes are meant to provide. The attacker capitalized on this, helped by Google's dark patterns that encouraged users to turn on MFA code syncing.
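The chain described above (phishing link, extra MFA code given up on the phone, new device enrolled into the employee's Okta account) leaves a recognisable trace in identity logs: a fresh login from an address never seen for that user, followed within minutes by an MFA factor enrollment. The detection sketch below is an added example, not code from Retool, Okta or AMBCrypto. The event shape is modeled on Okta System Log entries (`eventType`, `actor.alternateId`, `client.ipAddress`, `published`), but the sample events and the 15-minute window are constructed and assumed values.

```python
"""Flag MFA factor enrollments that follow a login from an unfamiliar IP.

Added example for illustration only. Event field names are modeled on the
Okta System Log schema; the events themselves are constructed sample data.
"""
from datetime import datetime, timedelta

# Assumed tuning value: an enrollment this soon after an unfamiliar login is
# treated as a possible account takeover.
ENROLL_WINDOW = timedelta(minutes=15)

# Constructed baseline: IPs previously seen for each user (e.g. office egress).
KNOWN_IPS = {
    "alice@example.com": {"10.0.0.5"},
    "bob@example.com": {"10.0.0.5"},
    "carol@example.com": {"10.0.0.5"},
}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # alice: login from a known office IP, then enrols a factor -> benign
    {"eventType": "user.session.start", "published": "2023-08-27T09:00:00Z",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "10.0.0.5"}},
    {"eventType": "user.mfa.factor.activate", "published": "2023-08-27T09:05:00Z",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "10.0.0.5"}},
    # bob: login from an address never seen before, factor added 4 min later -> suspicious
    {"eventType": "user.session.start", "published": "2023-08-27T10:00:00Z",
     "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "203.0.113.77"}},
    {"eventType": "user.mfa.factor.activate", "published": "2023-08-27T10:04:00Z",
     "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "203.0.113.77"}},
    # carol: unfamiliar login, but the enrollment is 40 min later -> outside the window
    {"eventType": "user.session.start", "published": "2023-08-27T11:00:00Z",
     "actor": {"alternateId": "carol@example.com"}, "client": {"ipAddress": "198.51.100.9"}},
    {"eventType": "user.mfa.factor.activate", "published": "2023-08-27T11:40:00Z",
     "actor": {"alternateId": "carol@example.com"}, "client": {"ipAddress": "198.51.100.9"}},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_suspicious_enrollments(events, known_ips):
    """Return (user, enrollment_time, login_ip) for each MFA factor activation
    that occurs within ENROLL_WINDOW of that user's most recent session start,
    when that session started from an IP not in the user's known set."""
    ordered = sorted(events, key=lambda e: parse_ts(e["published"]))
    last_login = {}  # user -> (time, ip, ip_is_known)
    hits = []
    for event in ordered:
        user = event["actor"]["alternateId"]
        ip = event["client"]["ipAddress"]
        when = parse_ts(event["published"])
        if event["eventType"] == "user.session.start":
            last_login[user] = (when, ip, ip in known_ips.get(user, set()))
        elif event["eventType"] == "user.mfa.factor.activate":
            login = last_login.get(user)
            if login is None:
                continue
            login_time, login_ip, is_known = login
            if not is_known and when - login_time <= ENROLL_WINDOW:
                hits.append((user, when, login_ip))
    return hits


if __name__ == "__main__":
    for user, when, ip in find_suspicious_enrollments(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"ALERT {user}: MFA factor enrolled at {when.isoformat()} "
              f"shortly after login from unfamiliar IP {ip}")
```

In practice the "known IP" baseline would be built from historical logs rather than a literal dict, and the alert would be paired with an automatic session revocation and a call to the user through a known-good channel; the point of the rule is that a new-device enrollment is the step the attacker cannot skip, so it is the event worth watching.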

The breach’s impact extended to Retool’s internal systems, including VPN and admin systems, enabling an account takeover attack on specific customers, primarily from the crypto industry.

The attacker altered user emails and reset passwords, affecting 27 accounts in total.

Upon discovering the breach, Retool took swift action: it revoked all internal authenticated sessions, secured the affected accounts, notified the impacted customers, and restored their accounts to their original states.

Remarkably, Retool’s on-premise customers remained unaffected, as the on-premises system operates independently of Retool’s cloud environment.

The company confirmed that it was actively collaborating with law enforcement and a third-party forensics firm to investigate the breach.


Saman Waris

Editor

Saman Waris works as a Senior News Editor at AMBCrypto. She has always been fascinated by how the tides of finance and technology shape communities across demographics. Cryptocurrencies are of particular interest to Saman, with much of her writing centered around understanding how ideas like Momentum and Greater Fool theories apply to altcoins, specifically, memecoins.
