Successful Smishing attack against Twilio and Cloudflare
We have already explained smishing schemes [view related posts]. Smishing is like phishing, but uses text messages to deliver malicious code to users’ phones or to lure the user to a malicious website that steals their credentials or money. The important advice, therefore, is to be wary of texts from strangers that encourage you to click links embedded in the message.
Smishing schemes can be sophisticated, which is how Twilio describes the successful smishing attack against it that was discovered on August 4, 2022. According to Wikipedia, Twilio “provides programmable communication tools to make and receive phone calls, send and receive text messages, and perform other communication functions using its web service APIs.” It is ironic that Twilio, a communications platform, fell victim to a smishing attack.
According to Twilio,
“On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials. This large-scale attack against our employee base managed to trick some employees into providing their credentials. The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data….
“Specifically, current and former employees have recently reported receiving text messages claiming to be from our IT department. Typical text bodies suggested that the employee’s passwords had expired, or that their schedule had changed, and that they needed to log in to a URL controlled by the attacker. The URLs used words such as “Twilio”, “Okta”, and “SSO” to try to trick users into clicking a link that took them to a landing page that mimicked Twilio’s login page. The text messages came from US carrier networks. We have worked with US carriers to shut down the actors and with the hosts serving the malicious URLs to shut down those accounts. Additionally, the threat actors appeared to have sophisticated abilities to match the names of employees from sources with their phone numbers.”
Data belonging to 125 customers was affected by the attack, and Twilio is working directly with these customers.
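The Twilio statement above spells out the lure pattern: a message that claims to come from IT, an urgency hook (expired password, changed schedule), and a link whose host embeds brand or SSO words but is not the company’s real login host. The following is an added example of how a security team could screen reported text messages against that pattern; it is not Twilio’s or Cloudflare’s code. The approved login hosts and the sample messages are constructed placeholders, and a message that earns a high score is something to investigate, not proof on its own.

```python
import re
from urllib.parse import urlparse

# Placeholder allowlist of the organization's genuine login hosts (an assumption for
# this example, not the real hosts of Twilio, Okta or Cloudflare).
APPROVED_LOGIN_HOSTS = {"sso.example.com", "example.okta.com"}

# Brand / SSO words that Twilio reported seeing inside the lure URLs.
BRAND_KEYWORDS = ("twilio", "okta", "sso")

# Urgency hooks described in Twilio's statement (password expired, schedule changed,
# "from the IT department").
LURE_PATTERNS = [
    re.compile(r"passwords?\s+(?:has|have)?\s*expired", re.I),
    re.compile(r"schedule\s+(?:has\s+)?changed", re.I),
    re.compile(r"\bIT\s+(?:dept|department)\b", re.I),
]

# Only explicit http(s):// or www. links are extracted, to avoid treating ordinary
# words separated by a period as domains.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)


def extract_hosts(text):
    """Return the lowercase hostnames of every link found in an SMS body."""
    hosts = []
    for match in URL_RE.finditer(text):
        raw = match.group(0).rstrip(".,;:!?)")  # drop trailing punctuation
        if not raw.lower().startswith(("http://", "https://")):
            raw = "http://" + raw  # urlparse needs a scheme to find the host
        host = urlparse(raw).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def brand_words_in_host(host):
    """Brand / SSO keywords embedded in a hostname, in BRAND_KEYWORDS order."""
    return [word for word in BRAND_KEYWORDS if word in host]


def triage_sms(text):
    """Score one message: 0 = benign, 1-2 = review, 3+ = suspicious."""
    hosts = extract_hosts(text)
    lure_hits = [p.pattern for p in LURE_PATTERNS if p.search(text)]
    reasons, score = [], 0
    unapproved = [h for h in hosts if h not in APPROVED_LOGIN_HOSTS]
    for host in unapproved:
        score += 1
        reasons.append(f"link host {host!r} is not an approved login host")
        brand = brand_words_in_host(host)
        if brand:
            score += 2  # lookalike host carrying the company's own brand words
            reasons.append(f"host {host!r} embeds brand/SSO words {brand}")
    if lure_hits and unapproved:
        score += 1  # urgency hook paired with a link off the approved list
        reasons.append(f"urgency lure present: {lure_hits}")
    verdict = "suspicious" if score >= 3 else "review" if score >= 1 else "benign"
    return {"verdict": verdict, "score": score, "hosts": hosts, "reasons": reasons}


# Constructed sample messages modelled on the lures Twilio described.
SAMPLE_MESSAGES = [
    "IT Dept: Your Twilio password has expired. Log in within 24h to keep access: "
    "https://twilio-sso-okta.example-login.net/auth",
    "Reminder: your schedule has changed. Review it at https://sso.example.com/schedule",
    "Your package is out for delivery, no action needed.",
    "Team lunch photos: https://photos.example.org/album.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = triage_sms(msg)
        print(f"{result['verdict']:10} score={result['score']}  {msg[:60]}")
        for reason in result["reasons"]:
            print("    -", reason)
```

The second sample shows why the allowlist matters: it carries the same “schedule has changed” hook as a lure, but its link goes to the genuine SSO host, so it scores zero. The first sample is flagged for all three signals at once, which is the combination Twilio’s employees actually received.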
Right after Twilio announced that it had been affected by the smishing incident, Cloudflare publicly announced on August 9, 2022, that it, too, had been the target of a similar attack. According to its website, Cloudflare “started as a simple app to find the source of email spam. From there, it evolved into a service that protects websites from all kinds of attacks, while simultaneously optimizing performance.”
Cloudflare said it had been targeted by a similar smishing scheme and used the experience to educate others about the incident in its blog post, “The mechanics of a sophisticated phishing scam and how we stopped it.” Cloudflare acknowledged that “around the same time Twilio was attacked, we saw an attack with very similar characteristics also targeting Cloudflare employees” and, while some of its employees fell for the messages, it used its own products to stop the attack. Although a bit self-serving, the fact remains that Internet Service Providers (ISPs) and other communication providers were being targeted by smishing attacks simultaneously, which is obviously concerning.
Cloudflare says, “This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be susceptible to hacking. Since the attacker is targeting multiple organizations, we wanted to share an overview of exactly what we saw here to help other companies recognize and mitigate this attack.” Very helpful, Cloudflare, and thanks for sharing details so that other organizations can be aware of how the scheme works and put measures in place to prevent a similar attack. This is the value of sharing information. Cloudflare’s attack breakdown is excellent, and readers may want to review it and use it as a tool to educate their users about smishing attacks and why they are often so successful.
Copyright © 2022 Robinson & Cole LLP. All rights reserved. National Law Review, Volume XII, Number 223