How a deepfake voice caused a company to be hacked.
Welcome to Cyber Security Today. It’s Monday, September 18th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
Last week I did a news story on ITWorldCanada.com about a warning from U.S. cyber authorities that threat actors are using deepfake audio and videos to trick victims. An application development platform called Retool just gave an example of how it was taken advantage of with this technolgy. First, an employee fell for a text pretending to be from the company’s IT support staff about an account issue. The text had a web address that looked like Retool’s internal identity portal. After the employee logged into the fake portal — giving up their username and password — the hacker phoned the staff member with a deepfaked voice similar to a real IT support member’s voice. They asked the victim employee for one of their multifactor authentication codes. That way the attacker could log into the Retool system. Then the attacker added their computing device to the victim’s account for receiving MFA login tokens so they could login at any time.
Let me stop for a minute. This is where security awareness training of employees to detect this kind of scam is vital. No employee should give up a password over the phone or to a link sent to them unless the employee started the communications. As it, they have trouble logging in so they ask for help. In fact, the attacker sent texts to several Retool employees pretending to be from the IT support team. All but one fell for it. That’s lesson two: All a hacker needs is one employee to be suckered and a company could be in trouble. Lesson three is the lengths to which this attacker took to be convincing. Somehow they found out about the layout of the Retool office and were able to tell the victim things to erase any of the victim’s doubts.
The second part of this story is that after getting access to the Retool login authentication system the attacker got into the victim’s Gsuite email account, which was supposed to be protected from compromise through the use of the victim’s Google Authenticator app. It generates MFA codes. How did the attacker get these codes? Because, says Retool, this app’s recent default ability is to save MFA codes to the Google cloud. So the attacker was able to get the Google Authenticator MFA codes for that employee. Retool complains there isn’t an easy way for a user to stop synching MFA codes to the cloud and only allow them to be displayed locally. Ultimately 27 Retool customers had their accounts taken over.
IT managers whose firms use Google Authenticator have to think carefully about allowing cloud synchronization. In a statement to Security Week on the Retool incident, Google says users have a choice whether to synch their codes to the cloud or not.
In other news, TikTok face a US$368 million fine for violating the European Union’s privacy law in the way it handled children’s data. The Irish Data Protection Commission, acting for all EU members, made that announcement Friday. The setting of the fine came after the commission concluded in August that the social media platform’s policies, including a public-by-default setting for content, violated the EU General Data Protection Regulation. TikTok says the commission’s complaints are focused on features and settings that have been changed. Accounts created by those under the age of 16 are now private by default.
Finally, Google has agreed to a US$93 million settlement with the state of California over its location-privacy practices. This came after the Associated Press reported Google continued to track users’ location data even after they opted out of tracking by disabling their location history.
That’s it for now Remember links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.