Retool is a large provider of low-code software solutions: “Companies use Retool for building everything: simple CRUD apps, production-grade workflows and automation, and complex enterprise ops software.”
After an August attack that compromised the accounts of 27 of Retool’s cloud customers, the company posted a frank and unusually detailed account of the social engineering that enabled the hack. It includes the actual SMS text used to trick a Retool employee.
“The following is a transcription of the message:
Hello A, This is B. I was trying to reach out in regards to your [payroll system] being out of sync, which we need synced for Open Enrollment, but I wasn’t able to get ahold of you. Please let me know if you have a minute. Thanks
You can also just visit https://retool.okta.com.[oauthv2.app]/authorize-client/xxx and I can double check on my end if it went through. Thanks in advance and have a good night A.
After logging into the fake portal – which included an MFA form – the attacker called the employee.
The caller claimed to be one of the members of the IT team, and deepfaked our employee’s actual voice. The voice was familiar with the floor plan of the office, coworkers, and internal processes of the company. Throughout the conversation, the employee grew more and more suspicious, but unfortunately did provide the attacker one additional multi-factor authentication (MFA) code.”
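The URL in the SMS shows the core trick: the real SSO hostname, retool.okta.com, is placed at the front of a longer hostname whose registrable domain belongs to the attacker, so a quick glance sees the familiar name and misses that the browser will connect somewhere else. The following is an added example, not code from Retool or from the original post, of how a mail or SMS gateway could flag such links. It assumes retool.okta.com as the expected SSO host (the only real name taken from the page); the sample message and every other domain in it are constructed, and the registrable-domain logic is a simplification that does not consult the Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Legitimate SSO host named in Retool's account. All other names below
# are constructed for this example.
EXPECTED_SSO_HOST = "retool.okta.com"

# Finds http(s) URLs in free text such as an SMS body.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed message in the shape of the one quoted above (not the real SMS).
SAMPLE_SMS = (
    "Hi, your payroll profile is out of sync for Open Enrollment. You can "
    "fix it at https://retool.okta.com.attacker-example.app/authorize-client/xxx. "
    "Thanks!"
)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. 'attacker-example.app' for
    'retool.okta.com.attacker-example.app'.

    Assumption/simplification: treats every public suffix as a single label,
    which is right for .com or .app but wrong for suffixes such as co.uk.
    A production check should use the Public Suffix List instead."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def classify_sso_link(url: str, expected_host: str = EXPECTED_SSO_HOST) -> str:
    """Classify a link that presents itself as the SSO portal.

    Verdicts:
      legitimate       host is exactly the expected SSO host
      userinfo-spoof   expected host appears before '@' (as a username) while
                       the real host is something else
      subdomain-spoof  expected host is a leading prefix of a longer host on a
                       different registrable domain (the trick in the SMS)
      same-domain      a different host on the same registrable domain
      lookalike        the expected host's letters appear elsewhere in the host
      other            host unrelated to the expected SSO host
      invalid          no parseable host
    """
    expected = expected_host.lower()
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    if host == expected:
        return "legitimate"
    if "@" in parts.netloc and expected in parts.netloc.split("@", 1)[0].lower():
        return "userinfo-spoof"
    if host.startswith(expected + ".") and registrable_domain(host) != registrable_domain(expected):
        return "subdomain-spoof"
    if registrable_domain(host) == registrable_domain(expected):
        return "same-domain"
    # Compare with dots and hyphens removed so retool-okta.com or
    # retool.okta.com-login.app are caught as look-alikes.
    squash = lambda s: s.replace(".", "").replace("-", "")
    if squash(expected) in squash(host):
        return "lookalike"
    return "other"


def scan_message(text: str) -> list[tuple[str, str]]:
    """Return (url, verdict) for every URL found in a message body, with
    trailing sentence punctuation stripped from each match."""
    results = []
    for match in URL_RE.findall(text):
        url = match.rstrip(".,;:!?)")
        results.append((url, classify_sso_link(url)))
    return results


if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_SMS):
        print(f"{verdict:16} {url}")
```

The decisive field is the registrable domain, not whether a trusted name appears anywhere in the link; the same rule applies to the `user@host` form, which this check handles separately because `urlsplit` correctly reports only the part after the `@` as the host.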