Aug 10 — The communications platform known as Twilio recently disclosed that a sophisticated threat actor gained unauthorized access to private data via an SMS-based phishing campaign. Twilio described the attack as “well organized” and “methodical.”
What is Twilio?
Twilio is an American firm that provides programmable communications tools for making and receiving phone calls, sending and receiving text messages and the performance of other functions via its web service APIs. The company retains more than 5,000 employees across 17 countries, and its 2021 revenues exceeded $2.8 billion USD.
Twilio attack details
Fraudulent messages impersonated the IT department and told employees that their login credentials had expired, or that their work schedule was about to change, persuading them to log in at a URL controlled by the attacker.
The URL in the message included words such as “Twilio,” “Okta,” and “SSO” in an effort to gain employees’ acceptance and trust of the malicious link. The link transported employees to a landing page that appeared to be a malicious clone of Twilio’s real sign-in page.
Twilio is aware of similar attacks that have affected other companies, and the firm is collaborating with phone service providers to stop these types of malicious text-based cyber attacks. However, takedown efforts have been hampered by attackers migrating to other carriers and hosting providers.
Aggressive phishing schemes
Both SMS and email phishing schemes are known to leverage aggressive scare tactics in attempts to coerce victims into handing over sensitive information.
The Twilio disclosure arrives shortly after it emerged that the $620 million Axie Infinity hack occurred on account of an employee falling for a fraudulent job offer on LinkedIn.
According to the web performance and security company Cloudflare, several of its employees’ credentials were also recently stolen in an SMS phishing attack. Evidently, the attack took a similar form to the one that affected Twilio’s network.
“Around the same time as Twilio was attacked, we saw an attack with very similar characteristics also targeting Cloudflare’s employees,” explained a Cloudflare company spokesperson.
The phishing messages were distributed to 76 Cloudflare employees and their families from T-Mobile phone numbers that directed targets to a Cloudflare Okta login page that appeared to be hosted on the cloudflare-okta.com domain.
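The lure in both incidents was a URL whose host name borrowed brand words (“Twilio”, “Okta”, “SSO”, “cloudflare-okta.com”) without being a domain the company actually uses. The following is an added example, not code from Twilio or Cloudflare, of the check a defender can run over inbound SMS or message logs: it extracts URLs, compares the registered domain against a hypothetical allowlist, and flags hosts that carry brand keywords outside that allowlist. The sample messages and the allowlist are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages modelled on the campaign described above (not real captures).
SAMPLE_SMS = [
    "IT: your Twilio password has expired. Sign in to keep access: https://twilio-sso.example/login",
    "Schedule update, confirm via Okta: http://cloudflare-okta.com/auth",
    "Reminder: review the on-call rota at https://okta.example.com/app/dashboard",
]

# Hypothetical allowlist of registered domains the organisation legitimately uses for SSO.
LEGIT_SSO_DOMAINS = {"example.com", "okta.com"}
# Brand words seen in the lure URLs reported in the Twilio and Cloudflare incidents.
BRAND_KEYWORDS = ("twilio", "okta", "sso", "cloudflare")

URL_RE = re.compile(r"https?://[^\s]+", re.IGNORECASE)


def registered_domain(host):
    """Last two labels of a host name. Simplification: ignores multi-label suffixes such as co.uk."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def flag_message(text):
    """Return (url, reason) pairs for URLs that imitate a brand on an unrecognised domain."""
    findings = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        domain = registered_domain(host)
        if domain in LEGIT_SSO_DOMAINS:
            continue  # sub-domains of an allowlisted domain are treated as legitimate
        hits = [k for k in BRAND_KEYWORDS if k in host.lower()]
        if hits:
            findings.append((url, f"brand keywords {hits} in unrecognised domain {domain}"))
    return findings


def scan(messages):
    """Map each message to its findings; empty list means no lookalike URL was seen."""
    return {msg: flag_message(msg) for msg in messages}


if __name__ == "__main__":
    for msg, findings in scan(SAMPLE_SMS).items():
        print("FLAG" if findings else "ok  ", msg)
        for url, reason in findings:
            print("      ", url, "->", reason)
```

The keyword list and allowlist are the tunable parts; in practice the allowlist should come from the identity provider configuration rather than being hard-coded.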