Threat actors have started leveraging sophisticated smishing schemes these days; that is how Twilio described the successful smishing attack that targeted its employees on August 4, 2022. Read on to learn how attackers targeted the programmable communication tools provider and stole employee credentials.
The US-based cloud communications enterprise Twilio recently admitted a data breach, saying that attackers stole its employees’ credentials through an SMS phishing (smishing) attack and entered its internal systems. Twilio owns the popular two-factor authentication (2FA) platform Authy. It released a statement over the weekend saying it had become aware of unauthorized access to information on a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials.
What is Smishing?
Smishing, also known as SMS phishing, is a phishing attack that malicious actors carry out over mobile text messaging. It is a phishing variant in which victims are deceived into sharing sensitive information with a malicious actor. SMS phishing may be assisted by fraudulent websites or malware. It occurs through mobile text messaging platforms as well as non-SMS channels, for example, data-based messaging apps.
Cybercriminals launch such attacks to steal the victim’s data, which they then use to commit cybercrimes or fraud. Typically, this includes stealing money, either from the victim or from their company.
On August 4, 2022, Twilio became aware of a sophisticated social engineering attack that targeted a few of its customer accounts by stealing employee credentials. The attack succeeded in fooling employees into sharing their credentials. The cybercriminals used the stolen credentials to gain access to Twilio’s internal systems and accessed certain customer data. Twilio stated that it worked directly with the customers affected by this incident.
- Some former and current employees reported receiving texts from Twilio’s IT department.
- The text messages suggested that the employee’s schedule had changed or their passwords had expired, and they needed to log in to a malicious URL.
- The URLs looked genuine as they included words like “Okta,” “Twilio,” and “SSO,” which tricked the users into clicking on the links.
- Clicking on the malicious link took the victim to a page impersonating Twilio’s sign-in page.
- Additionally, the cybercriminals had the capability to match employee names with their phone numbers.
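A simple defender-side check for the URL pattern described above, added here as an example that is not Twilio’s code or part of the original article: it flags hostnames that carry the brand keywords the lure URLs used (“Okta,” “Twilio,” “SSO”) while not belonging to an assumed allowlist of legitimate domains. The allowlist and every sample URL are constructed for the demo.

```python
from urllib.parse import urlparse

# Assumed allowlist: the registrable domains where these brands legitimately live.
LEGIT_DOMAINS = {"twilio.com", "okta.com"}
# Brand keywords the article says the lure URLs contained.
BRAND_KEYWORDS = ("twilio", "okta", "sso")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname; adequate for .com-style TLDs in this demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Return 'legit', 'lookalike' or 'neutral' for one URL.

    A URL is a lookalike when a brand keyword appears anywhere in the hostname
    (as a label, a hyphenated fragment or a subdomain) while the registrable
    domain is not on the allowlist. Keywords only in the path do not count:
    the path is attacker-controlled on any host, so it carries no signal.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "neutral"
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    if any(kw in host for kw in BRAND_KEYWORDS):
        return "lookalike"
    return "neutral"


def flag_lookalikes(urls):
    """Return only the URLs classified as lookalikes, in input order."""
    return [u for u in urls if classify_url(u) == "lookalike"]


# Constructed sample URLs (not real lure URLs) following the article's pattern.
SAMPLE_URLS = [
    "https://twilio.com/login",                  # genuine brand domain
    "https://login.okta.com/",                   # genuine brand subdomain
    "https://twilio-sso.example/login",          # brand keyword inside a fake domain
    "http://okta.twilio-support.example/reset",  # brand as subdomain of a fake domain
    "https://news.example/twilio-breach",        # brand only in the path: no signal
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify_url(u):9} {u}")
```

In a real deployment the allowlist would also contain the organization’s own SSO hostnames, and the registrable-domain helper would consult a public suffix list instead of taking the last two labels.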
What Were the Results of the Breach?
Twilio stated that it is continuing its investigation and that the security and trust of its customers are its top priorities. Additionally, it shared the following updates:
- Twilio identified that the malicious actors accessed the data of approximately 125 Twilio customers for a limited time, and they notified all of them.
- It stated there was no evidence that hackers accessed customer API keys, passwords, or authentication tokens without authorization.
Twilio confirmed that its information security team is working diligently to share details with impacted customers. If a customer has not received a communication from Twilio, there is no evidence that their account was targeted in this attack. Furthermore, Twilio added that the investigation was ongoing and that it would get in touch with any additional impacted customers it identified.
What Steps Did Twilio Take to Control the Damage?
After confirming the incident, Twilio’s security team revoked the compromised employee accounts’ access to mitigate the attack. It engaged a leading forensics firm to aid the ongoing investigation.
Furthermore, Twilio said it has redesigned its security training to ensure employees remain alert to social engineering attacks. Additionally, it issued security advisories explaining the specific tactics malicious actors use and instituted mandatory awareness training on such attacks.
How to Protect Against Smishing?
Users can keep a few things in mind to help protect themselves and their organization against these attacks.
- Do not respond: Replying to text messages with “STOP” to unsubscribe can help attackers identify active phone numbers. Attackers depend on the user’s anxiety or curiosity about the situation, but one can simply refuse to engage.
- Slow down if a message seems urgent: Treat limited-time offers and critical account updates as red flags for possible smishing. Remain skeptical and proceed carefully.
- Call your merchant or bank directly if doubtful: Legitimate institutions will never request login info or account updates via text. Furthermore, users can verify any urgent notices directly on their online accounts or by calling an official phone helpline.
- Avoid using any contact info or links in the message: Instead, one can visit the official contact channels directly when possible.
- Check the phone number: Be wary of odd-looking phone numbers, such as 4-digit ones, which indicate email-to-text services. This is a common tactic cybercriminals use to mask their phone numbers.
- Never store credit card numbers on your mobile: The safest way to keep financial information from getting stolen from a digital wallet is never to store it there.
- Use multi-factor authentication (MFA): Smishing actors may not find an exposed password useful if the account they want to breach requires a second “key” for verification. Multi-Factor Authentication’s (MFA’s) most common variant is two-factor authentication (2FA), which requires a text message verification code.
What Are the Experts Saying?
The Cyber Wire received comments on the incident from several security experts.
Jeannie Warner (Director, product marketing at Exabeam): “There are many commercial and public data providers offering blacklisting databases or services for potential phishing URL/domain lookups. However, security teams cannot identify newly-crafted phishing URLs this way. Frequently targeted industries like communication and technology providers must consider the latest machine learning (ML) approaches which can flag a suspicious phishing URL previously undetected by the blacklist data providers.”
Tim Prendergast (CEO, strongDM): “The Twilio breach that gave attackers access to customers’ data highlighted how crucial strong infrastructure and access management is to maintain strong security. Cybercriminals continuously look for ways into internal systems as it gives them a VIP pass into servers and databases and access to information organizations don’t want to be leaked publicly. Thus, CISOs must re-evaluate access control and visibility across infrastructure and applications.”
Neil Jones (Director, Cybersecurity Evangelism, Egnyte): “The alleged attack on digital authentication provider Twilio is a grim reminder that enterprise security programs are as strong as their weakest links. Additionally, anti-phishing education, cybersecurity awareness training, and restricted access to organizational data on a ‘Need to Know’ basis are powerful deterrents.”
Erfan Shadabi (Cybersecurity Expert, Comforte AG): “Adopting a Zero Trust framework is the best approach to mitigate such attacks. It means assuming you are breached already, providing no implicit trust, verifying repeatedly, and providing minimal privileges after successful authentication.”
Many data breaches in the past few months share a common factor: human error. The Twilio attack highlights how smishing and social engineering tactics can lead to fraudulent account access and damage a brand’s reputation. It also shows that users are still unaware of how today’s threat actors operate, which makes mobile-based attacks more impactful to end users. Positive trends like Zero Trust architectures, supported by data-centric protection methods (safeguarding the data rather than the perimeter), are the need of the hour!