Company Attack
26 Sep

Cloud Customer Accounts Compromised in SMS-Based Attack

A software development company has revealed that 27 of its cloud customers had their accounts compromised in a targeted SMS-based social engineering attack. The company attributed the severity of the breach to Google Authenticator's cloud synchronization feature, which backs up one-time-code seeds to the user's Google Account, and referred to it as a “dark pattern.”

The breach took place in August 2023, and it did not result in unauthorized access to on-premises or managed accounts.

The attack originated with an SMS phishing attempt aimed at the company's employees. The threat actors posed as members of the IT team and instructed recipients to click a seemingly legitimate link to resolve a payroll-related issue. One employee clicked the link, which led to a fake landing page where they unknowingly entered their credentials.

In the next phase, the attackers called the victim while impersonating the IT team, using a deepfake of the “actual voice” of an employee, and talked them into handing over a multi-factor authentication (MFA) code. That additional one-time password (OTP) allowed the attacker to enroll their own device on the employee's account. This gave them control of the Google account and, with it, access to the OTPs stored in Google Authenticator.

Because the employee had enabled Google Authenticator's cloud sync feature, the one-time codes protecting internal admin systems were now reachable through the compromised Google account, giving the threat actors elevated access. Consequently, they took over the accounts of 27 customers in the cryptocurrency industry. The attackers changed the email addresses and reset the passwords for these users, resulting in significant losses, with one user reportedly losing nearly $15 million worth of cryptocurrency.

This attack highlights the weakness of syncing one-time-code seeds to the cloud: the seed is the entire secret behind a TOTP code, so whoever controls the cloud account also holds the “something the user has” factor, and the two factors collapse into one. As a countermeasure, users are encouraged to rely on FIDO2-compliant hardware security keys or passkeys, whose private keys never leave the authenticator and whose assertions are bound to the legitimate site's origin, so a phished code cannot be replayed from a fake page.

While the exact identity of the hackers remains undisclosed, their tactics resemble those of a financially motivated threat actor known for employing sophisticated phishing techniques. The use of deepfakes and synthetic media in such attacks has also prompted a warning from the U.S. government, which highlighted their potential use in various malicious activities, including business email compromise (BEC) attacks and cryptocurrency scams.