AI-Generated Employee Voice Used in Hack of IT Company
Last month, Retool, a company specializing in developing business applications for clients, fell victim to a cyberattack. As a result, 27 of the company’s cloud customers were affected.
The attacker opened with SMS messages to several Retool employees, posing as a member of the IT team and claiming to be resolving a payroll and health-insurance issue. All but one recipient ignored the phishing message.
That employee tapped the link in the message, which led to a fake login portal. After they had entered their credentials there, they received a phone call from someone using an AI-generated voice that mimicked a real employee. During the call the attacker, still posing as IT staff, showed familiarity with the office layout, coworkers, and internal company processes. Although the employee grew suspicious during the conversation, they still read out an additional multi-factor authentication (MFA) code.
The attacker's familiarity with internal details suggests they had gathered information about Retool, or obtained partial access to its resources, before the call. With the MFA code in hand, the attacker enrolled their own device on the employee's account and from there reached the employee's GSuite account.
Cloud Sync Feature Increases Risk
The situation was made more dangerous by a recent Google Authenticator update that added a cloud sync feature. With sync enabled, the app backs up the one-time-password seed for every enrolled account to the user's Google account, so any device signed in to that Google account can generate the same MFA codes.
Retool emphasized the seriousness of the issue: “If your Google account is compromised, your MFA codes are also at risk.” According to the company, access to the Google account is what allowed the attacker to breach internal systems.
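The following is an added illustration, not code from Retool or Google, of why a synced Authenticator backup is as sensitive as the Google account that holds it. It implements standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits, the scheme Google Authenticator uses) and models the synced data as a plain dictionary of account names to seeds; the account names and seeds are constructed for the example, not real. Anyone who can read those seeds computes every current code without touching the victim's phone.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # Google Authenticator's default TOTP time step
DIGITS = 6         # Google Authenticator's default code length


def totp(seed_b32: str, unix_time: int, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme Google Authenticator implements.

    The output depends only on the seed and the clock: whoever holds the seed
    can compute every code, past and future, for that account.
    """
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(seed_b32: str, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check, accepting +/- `window` time steps of clock drift."""
    for skew in range(-window, window + 1):
        expected = totp(seed_b32, unix_time + skew * STEP_SECONDS)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


# Constructed model of what Authenticator's cloud sync stores in a Google
# account: one seed per enrolled MFA account. Names and seeds are made up.
SYNCED_AUTHENTICATOR_DATA = {
    "okta:employee@example.com": "JBSWY3DPEHPK3PXP",
    "vpn:employee@example.com": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
}


def codes_from_compromised_google_account(synced: dict, unix_time: int) -> dict:
    """What an attacker who controls the Google account can do: read every
    synced seed and generate the current code for each account, without ever
    touching the employee's phone or asking them for another code."""
    return {name: totp(seed, unix_time) for name, seed in synced.items()}


if __name__ == "__main__":
    import time

    now = int(time.time())
    for name, code in codes_from_compromised_google_account(SYNCED_AUTHENTICATOR_DATA, now).items():
        seed = SYNCED_AUTHENTICATOR_DATA[name]
        accepted = verify_totp(seed, code, now)
        print(f"{name}: attacker-generated code {code}, accepted by server: {accepted}")
```

The second constructed seed is the base32 encoding of the RFC 6238 reference secret, so `totp` can be checked against the RFC's published test vectors. The practical point for defenders is that a synced seed turns "something you have" into "something stored in an account": once the Google account falls, every TOTP-protected login behind it falls with it, and an organization that cannot disable sync centrally cannot prevent that.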
Retool has since revoked the attacker's access and chose to disclose the incident to warn other companies. It also urged Google to change the authenticator app so that organizations can centrally disable cloud sync for their employees. Google has not yet commented on the situation.