Multi-Layered Attack: SMS, Fake Website, Deepfake Voice

This is a classic example of a multi-layered attack scheme. At its core lies a spear-phishing SMS asking a specific engineer to visit a certain website and update the health insurance system, a common administrative task [1].

The web page the SMS redirected to was a cloned copy of the internal Okta portal. The engineer entered his credentials there. Ordinarily, this wouldn’t have been enough, as all of the systems required MFA.

This is where the deepfake part comes in. The attacker called the engineer, mimicking a colleague from IT, and asked him to confirm the MFA token over the phone. The engineer gave it [2].

Once inside, the attacker used the platform’s internal systems and compromised 27 customer crypto accounts.

Why this Case Makes Us Pay Attention to Google Authenticator

In its post-mortem report, Retool identified a specific security problem with Google Authenticator: its cloud sync. If a malicious actor obtains access to a victim’s Google account, they also gain access to the victim’s MFA tokens without ever needing the phone in hand [3].

This Google Authenticator function exists for the user’s sake: it allows syncing tokens between devices. This case proved that it can also serve as an attack vector against businesses.

What This Means for Multi-Factor Authentication

The Retool attack shattered one of the strongest security assumptions: that Multi-Factor Authentication is enough.

Multi-factor authentication makes sure that a computer or application on its own cannot break into the account. It does nothing against an attack in which a person is manipulated into giving away the token [4].

The spear-phishing + fake web page + deepfake voice + MFA bypass attack is real. Retool was one of the first to document it. It will not be the last.

MFA didn’t work for us. We needed a person that recognized the fake voice. Unfortunately, scammers specifically design deepfake voices to deceive exactly such a person.

— Retool post mortem, September 2023

How SYNHAWK Protects Against This Type of Attack

SYNHAWK PROTECTION: HAWK 7, SYNHAWK’s foundational model for audio, analyzes the audio stream in real time and detects deepfake voice attacks while they are happening. When deployed in a call center environment or a Unified Communication system, it triggers alerts or terminates calls automatically as soon as it detects a deepfake. The Retool incident would have been prevented at the third step: sharing the MFA token.