Tuesday, May 21, 2024


Twilio ‘smishing’ attack compromised around 125 corporate clients, including Signal

A sophisticated SMS attack targeting Twilio employees highlights text-based phishing as a major threat.

Smishing, baby. Communications tool giant Twilio, which provides text and phone services to over 250,000 corporate customers ranging from Facebook to the American Red Cross, suffered a serious breach of its systems after unknown parties bombarded its employees with sham password reset requests via text.

According to Twilio’s incident report, the firm was compromised by what’s known as a “smishing” (SMS phishing) attack on current and former employees—a method that is increasingly being used to target large businesses, as employer oversight of mobile devices is often lax.

In Twilio’s case, the bogus text messages supposedly came from the company’s IT department and informed the workers their company passwords had expired or their schedule had changed. Included in the texts was a URL (including words such as “Twilio,” “Okta,” and “SSO”) that superficially resembled Twilio’s actual login page. Instead, the link led to an attacker-controlled server designed to steal employee credentials. Twilio wrote in the report that the hackers had some method of pairing staff’s identities and roles to their phone number.

“We have identified approximately 125 Twilio customers whose data was accessed by malicious actors for a limited period of time, and we have notified all of them,” Twilio wrote in a status update to the original report on August 11. “There is no evidence that customer passwords, authentication tokens, or API keys were accessed without authorization.”

An expansive operation.

Cloudflare, a content delivery network and DDoS mitigation company, disclosed this month that it was subject to a near-identical attack around the same time as Twilio. According to Cloudflare, the phishing page asked users to enter their Cloudflare Okta usernames and passwords, as well as a time-based one-time password (TOTP) code, a form of two-factor authentication. Unknown to the users, the attackers planned to relay the captured usernames and passwords into Cloudflare’s actual login system in real time, prompting it to text real codes to the employees, which could then be collected via the fake page and relayed before they expired.

Fortunately, Cloudflare reported, just three employees clicked the link. No systems were actually accessed by the hackers, as the company relies on FIDO2-compliant physical security keys rather than TOTP: a FIDO2 credential is bound to the legitimate site’s origin, so a login signed on a lookalike page cannot be relayed to the real one the way a TOTP code can.
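To make the contrast concrete, here is an added illustration (not code from Twilio or Cloudflare) of why a relayed TOTP code is accepted by the real site while an origin-bound assertion is not. It assumes a constructed shared secret and uses an HMAC as a simplified stand-in for the FIDO2 signature, since only the origin check matters here.

```python
import hashlib
import hmac
import json
import struct


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, shown to expose that the code carries no origin."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def totp_relay_accepted(secret: bytes, t_user: int, t_relay: int) -> bool:
    """A code typed into a phishing page at t_user is still valid when relayed at t_relay
    if both fall in the same 30-second window; nothing ties the code to the site it was typed into."""
    return totp(secret, t_user) == totp(secret, t_relay)


def sign_assertion(key: bytes, challenge: str, origin: str):
    """Simplified WebAuthn-style assertion: the browser, not the page, fills in the origin
    of the site the user is actually on, and the signature covers that client data."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()
    signature = hmac.new(key, client_data, hashlib.sha256).hexdigest()  # stand-in for ECDSA
    return client_data, signature


def rp_verify(key: bytes, client_data: bytes, signature: str,
              expected_challenge: str, expected_origin: str) -> bool:
    """Relying party check: the origin and challenge in the signed client data must match
    the real site, so an assertion produced on a lookalike domain is rejected even if relayed."""
    data = json.loads(client_data)
    if data.get("origin") != expected_origin or data.get("challenge") != expected_challenge:
        return False
    expected_sig = hmac.new(key, client_data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, signature)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample, not a real secret
    print("TOTP relayed 10s later accepted:", totp_relay_accepted(secret, 1_000_000_000, 1_000_000_010))
    key = b"constructed-credential-key"
    cd, sig = sign_assertion(key, "chal-123", "https://sso.lookalike.example")  # phishing origin
    print("Assertion from lookalike accepted:", rp_verify(key, cd, sig, "chal-123", "https://sso.example.test"))
```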

Downstream consequences.

According to TechCrunch, encrypted messaging app Signal disclosed this week that the Twilio breach had allowed hackers to access phone numbers and SMS verification codes for around 1,900 users, apparently seeking out three users in particular (one of whom was a Motherboard reporter). Signal said that the attacker proceeded to re-register one of those three accounts, which potentially could have allowed them to impersonate the original number.

That attack was apparently possible because Signal relies on Twilio to transmit its verification codes, and the hackers briefly had access to Twilio’s customer support system. This has troubling implications for any organization relying on SMS authentication to control access, as the third-party vendors that actually handle the requests are a potential weak point in the verification chain.

“What I find frightening goes beyond the implications for Signal. Any platform or service can be manipulated to hand over verification credentials to an attacker,” Freedom of the Press Foundation’s CISO and digital security director Harlo Holmes told Motherboard. “And despite the protections various services put in place to protect our accounts once we’ve been verified, it is at this point when these accounts are the most vulnerable to takeover.”

