A hacker has breached security in an IT company by using an Artificial Intelligence (AI) voice hack. The hacker started their attack by sending several employees SMS-based text messages. The texts claimed to be from a member of the company’s IT team reaching out to resolve a payroll issue. Most employees who received the phishing attempt ignored the message. However, one recipient did click on a link in the message that took them to a fake login page. This landing page included a form in which to enter all the login details, including multifactor authentication codes!

After the employee logged into the fake page, the hacker called them using an AI-powered “deepfake” of another employee’s voice. Seemingly familiar with the office layout, workers’ names, and company processes, the hacker proceeded to converse with the employee. The hacker was able to convince the employee to give them an additional multi-factor authentication (MFA) code at which the employee became suspicious.

With the MFA code, the hacker was able to add their own device to the employee’s account and then access their Google Suite (GSuite) account. This was particularly damaging because Google’s Authenticator app had recently incorporated a cloud syncing function, which means that MFA codes can be viewed on more than one device.

With the employee’s Google account compromised the hacker was then able to access the employee’s GSuite. Once a Google account is compromised then so too are all the MFA codes.

Retool, the IT company that was the victim of the hack, said of the incident:

“The fact that access to a Google account immediately gave access to all MFA tokens held within that account is the major reason why the attacker was able to get into our internal systems.”

Google has not yet responded to a request for comment on whether it plans to change its authenticator app to make it easier for companies to disable the cloud-syncing function for their employees.

How to Protect Your Company from Similar Attacks

Retool has since revoked the hacker’s access, but the incident is a clear reminder that social engineering attacks are a very real and credible threat. Organisations can protect themselves from similar attacks by:

• Educating employees about social engineering and phishing attacks.
• Using strong passwords and MFA for all accounts.
• Disabling cloud syncing for MFA codes, if possible.
• Having a plan in place to respond to security breaches.

The hacked IT company, Retool, is also urging Google to change its authenticator app to make it easier for companies to disable the cloud-syncing function for their employees.

AI companies also bear a responsibility and should step-up their own systems to assist IT companies in AI-powered voice recognition for the detection of deepfake and AI voice hack attempts.