Thursday, November 21, 2024

Tech News, analysis, updates, comments, reviews

Twilio ‘smishing’ attack compromised around 125 corporate clients, including Signal

A sophisticated SMS attack targeting Twilio employees highlights text-based phishing as a major threat.

Smishing, baby. Communications tool giant Twilio, which provides text and phone services to over 250,000 corporate customers ranging from Facebook to the American Red Cross, suffered a serious breach of its systems after unknown parties bombarded its employees with sham password reset requests via text.

According to Twilio’s incident report, the firm was compromised by what’s known as a “smishing” (SMS phishing) attack on current and former employees—a method that is increasingly being used to target large businesses, as employer oversight of mobile devices is often lax.

In Twilio’s case, the bogus text messages supposedly came from the company’s IT department and informed the workers their company passwords had expired or their schedule had changed. Included in the texts was a URL (including words such as “Twilio,” “Okta,” and “SSO”) that superficially resembled Twilio’s actual login page. Instead, the link led to an attacker-controlled server designed to steal employee credentials. Twilio wrote in the report that the hackers had some method of pairing staff’s identities and roles to their phone number.
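A defender can triage reported links for this pattern: brand keywords on a host that is not one of the organisation's own domains. The sketch below is an added example, not code from Twilio's report; the allowlist and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Keywords the article reports in the lure URLs.
BRAND_KEYWORDS = ("twilio", "okta", "sso")
# Assumption: the organisation's genuine login domains (illustrative allowlist).
ALLOWED_DOMAINS = ("twilio.com", "okta.com")

# Constructed sample URLs, e.g. extracted from reported texts or proxy logs.
SAMPLE_URLS = [
    "https://sso.twilio.com/login",
    "https://twilio-sso.example/reset",
    "http://twilio.com.okta-login.example/",
    "https://news.example.org/story",
]

def hostname_of(url):
    """Extract the lower-cased hostname, tolerating a missing scheme."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").rstrip(".")

def is_allowed(host):
    # Exact match or a true subdomain; the leading dot stops a host that
    # merely ends in the same letters from matching.
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def classify(url):
    """Return (verdict, matched_keywords) for one URL."""
    host = hostname_of(url)
    if not host:
        return ("unparsed", [])
    if is_allowed(host):
        return ("allowed", [])
    hits = [k for k in BRAND_KEYWORDS if k in host]
    return ("lookalike", hits) if hits else ("unrelated", [])

def flag_lookalikes(urls):
    """Keep only URLs that borrow brand keywords on a non-allowlisted host."""
    return [(u, classify(u)[1]) for u in urls if classify(u)[0] == "lookalike"]

if __name__ == "__main__":
    for url, hits in flag_lookalikes(SAMPLE_URLS):
        print(f"REVIEW {url} keywords={hits}")
```

Substring matching on a short keyword such as "sso" will also catch unrelated hosts, so treat the output as a review queue rather than a block list.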

“We have identified approximately 125 Twilio customers whose data was accessed by malicious actors for a limited period of time, and we have notified all of them,” Twilio wrote in a status update to the original report on August 11. “There is no evidence that customer passwords, authentication tokens, or API keys were accessed without authorization.”

An expansive operation.

Cloudflare, a content delivery network and DDoS mitigation company, disclosed this month that it was subject to a near-identical attack around the same time as Twilio. According to Cloudflare, the fake page asked users to enter their Cloudflare Okta usernames and passwords, as well as a time-based one-time password (TOTP) code, a form of two-factor authentication. Unknown to the users, the attackers planned to quickly enter the logins and passwords into Cloudflare’s actual system, prompting it to text real codes to the employees that could be collected via the fake page.

Fortunately, Cloudflare reported, just three employees clicked the link. No systems were actually accessed by the hackers, as the company relies on FIDO2-compliant physical security keys rather than TOTP.
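Why the security keys held where a one-time code would not can be shown with a small model. This is an added example, not code from Cloudflare or Twilio: both origins are constructed, and an HMAC stands in for the asymmetric signature a real FIDO2 key produces.

```python
import hashlib
import hmac
import struct

REAL_ORIGIN = "https://login.corp.example"  # constructed: the genuine login origin
FAKE_ORIGIN = "https://corp-sso.example"    # constructed: the lookalike page

def totp(secret, t, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_accepts_totp(secret, submitted, t):
    # The server sees only six digits; nothing says which page they were typed into.
    return hmac.compare_digest(submitted, totp(secret, t))

def key_sign(cred_key, challenge, origin):
    # Stand-in for the security key: HMAC replaces the real asymmetric signature.
    # The origin is supplied by the browser, not by the user or the page.
    return hmac.new(cred_key, challenge + origin.encode(), hashlib.sha256).digest()

def server_accepts_assertion(cred_key, challenge, claimed_origin, sig):
    # The server rejects foreign origins and verifies against its own origin.
    if claimed_origin != REAL_ORIGIN:
        return False
    return hmac.compare_digest(sig, key_sign(cred_key, challenge, REAL_ORIGIN))

def outcomes(secret, cred_key, challenge, t):
    """Return which logins the real server accepts in each scenario."""
    typed_on_fake_page = totp(secret, t)  # employee copies the code from the app
    sig_on_fake_page = key_sign(cred_key, challenge, FAKE_ORIGIN)
    return {
        "totp_forwarded": server_accepts_totp(secret, typed_on_fake_page, t),
        "key_forwarded": server_accepts_assertion(
            cred_key, challenge, FAKE_ORIGIN, sig_on_fake_page),
        "key_forwarded_origin_rewritten": server_accepts_assertion(
            cred_key, challenge, REAL_ORIGIN, sig_on_fake_page),
        "key_on_real_page": server_accepts_assertion(
            cred_key, challenge, REAL_ORIGIN,
            key_sign(cred_key, challenge, REAL_ORIGIN)),
    }

if __name__ == "__main__":
    print(outcomes(b"12345678901234567890", b"k" * 32, b"nonce-1", 59))
```

The forwarded code is accepted because it carries no record of where it was entered; the key's response is bound to the origin the browser saw, so it fails on the real site whether or not the claimed origin is altered.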

Downstream consequences.

According to TechCrunch, encrypted messaging app Signal disclosed this week that the Twilio breach had allowed hackers to access phone numbers and SMS verification codes for around 1,900 users—apparently seeking out three users in particular (one of whom was a Motherboard reporter). Signal said that the attacker proceeded to reregister one of those three accounts, which potentially could have allowed them to impersonate the original number.

That attack was apparently possible because Signal relies on Twilio to transmit its verification codes, and the hackers briefly had access to Twilio’s customer support system. This has troubling implications for any organization relying on SMS authentication to control access, as the third-party vendors that actually handle the requests are a potential weak point in the verification chain.

“What I find frightening goes beyond the implications for Signal. Any platform or service can be manipulated to hand over verification credentials to an attacker,” Freedom of the Press Foundation’s CISO and digital security director Harlo Holmes told Motherboard. “And despite the protections various services put in place to protect our accounts once we’ve been verified, it is at this point when these accounts are the most vulnerable to takeover.”
