Cloud-based communication platform provider Twilio has announced a breach via a social engineering attack on employees.
On August 4, 2022, Twilio says it became aware of unauthorized access to information related to a limited number of Twilio customer accounts, through the social engineering attack which was designed to steal employee credentials.
A number of current and former employees received text messages that appeared to come from Twilio’s IT department. The messages said either the recipient's password had expired, or that their schedule had changed, and that they needed to log in. To increase the credibility of the URLs they contained words including "Twilio," "Okta," and "SSO" (short for single sign-on) to try and trick users to click on a link which led to a fake log in site. At this site, the attacker could intercept the login credentals and use those to access the compromised accounts.
The attackers must have put in some effort to link the Twilio employees to their phone numbers. It seems likely they used data from another breach, or breaches, and searched for Twilio employee names with their phone numbers. It would be easy to assume that it might have been one of the LinkedIn data breaches from 2021, because employer data would be needed, but unfortunately there are many other options to combine data from other breaches.
It certainly does add a layer of credibility to the attack, since most people don’t give their telephone number to just anyone, but their employer would know it.
Once Twilio confirmed the incident, its security team revoked access to the compromised employee accounts to mitigate the attack and a forensics firm was engaged to aid the ongoing investigation.
The text messages originated from US carrier networks, and Twilio says it worked with these carriers to shut down the numbers, and worked with the hosting providers serving the malicious URLs to shut those accounts down. It's possible, however, that the attackers will continue to rotate through carriers and hosting providers to resume their attacks.
Twilio has notified the affected customers. If you were not contacted by Twilio, then it means there is no evidence that your account was impacted by this attack.
By providing employees with mobile devices or allowing them to use personal smartphones for work, organizations have increased the possible number of targets for phishing campaigns.
Since employees’ phones are usually outside of the scope of an organizations security software, protection against this sort of attack is not easy.
The massive use of smartphones, tablets and mobile applications in our daily lives, for personal and professional purposes, turns them into essential tools that we trust maybe a tad too much.
And it’s not just text messages you need to worry about. Social media, messaging apps, and even dating apps have created many other channels to deliver an attack.
Providing your employees with software that blocks malicious text messages and URLs will only be effective against long-running campaigns, so it's likely that this one would have made it through.
The most effective strategy is education. Users need to learn that text messages are to be treated with the same amount of suspicion as unexpected emails. Especially if the text message contains a link.
Stay safe, everyone!