Twilio customer data, employee accounts compromised by SMS phishing attack

An unknown attacker compromised credentials belonging to some employees of customer engagement company Twilio via an SMS phishing campaign, then used those credentials to reach certain customer data through Twilio’s internal systems, the company announced on Monday.

Twilio discovered the compromise on August 4 and began investigating. It later determined that some of its current and former employees had received text messages claiming to be from the company’s IT team, telling them that their credentials had expired or that their schedules had changed. Each message contained a short link; Twilio officials said the attackers sent the texts through several different US mobile carriers and rotated through a set of URLs.

“This large-scale attack against our employee base successfully tricked some employees into providing their credentials. The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data,” Twilio officials said in a blog post on Monday.

Twilio did not specify how many customer accounts were affected or what type of data the attackers were able to access, but said it was in the process of notifying all affected customers.

The tactics used in this campaign are well known and are used by cybercrime groups in large-scale campaigns as well as in more targeted attacks. SMS phishing (smishing) has become more popular with attackers for several reasons, one being that a text message gives the recipient far less to evaluate: there is no sender domain, header, or body formatting to judge whether the message is genuine or malicious. Phishing emails carry more context and clues and are easier to review. The texts sent to current and former Twilio employees were a single short sentence followed by a short clickable URL.

Effective protection against phishing of this kind is to deploy hardware security keys (FIDO2/WebAuthn) as the second authentication factor. They are phishing resistant because the credential is bound to the origin it was registered for: a key enrolled with the real login domain will not produce a valid assertion for a look-alike domain, so a password captured on a fake login page is not enough on its own, and there is no one-time code for the victim to type into the attacker’s form.
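The mechanism behind that claim, as an added example (not Twilio’s code and not from the original article): a simulated WebAuthn login with the relying party, the browser and the security key all modelled in one Python file. The RP ID sso.example.com, its origin, the look-alike origin twilio-sso.example and the HMAC stand-in for the key’s signature are assumptions made for the example; real keys sign with ECDSA or EdDSA, but the relying-party checks are the same. The point shown is that a credential registered for the real origin is never presented to a look-alike domain at all, and an assertion whose clientDataJSON has been altered fails the origin and challenge checks before the signature is even examined.

```python
"""Simulated WebAuthn login showing why a security key resists SMS/credential phishing.

Added example: relying party (RP), browser and authenticator are all modelled here.
Signature stand-in: HMAC with a per-credential secret, an assumption so the example
needs no third-party crypto library (real keys use ECDSA/EdDSA; the RP checks are the same).
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "sso.example.com"              # assumed relying-party ID for the corporate SSO
RP_ORIGIN = "https://sso.example.com"  # the only origin the RP accepts


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Stand-in security key: each credential is scoped to the rpId it was registered under."""

    def __init__(self):
        self.credentials = {}  # rp_id -> credential secret

    def register(self, rp_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self.credentials[rp_id] = secret
        return secret  # what the RP stores to verify assertions (a public key in reality)

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        secret = self.credentials.get(rp_id)
        if secret is None:
            return None  # no credential for this rpId: the key does not answer a look-alike site
        # authenticatorData = rpIdHash || flags (user-present bit set) || signCount
        auth_data = sha256(rp_id.encode()) + b"\x01" + (1).to_bytes(4, "big")
        sig = hmac.new(secret, auth_data + sha256(client_data_json), "sha256").digest()
        return auth_data, sig


def browser_get_assertion(auth: Authenticator, page_origin: str, challenge: str):
    """The browser, not the page's JavaScript, writes the origin into clientDataJSON and
    derives the rpId from it, so a page on a look-alike domain cannot claim the real one."""
    rp_id = page_origin.split("://", 1)[1].split("/", 1)[0]
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": challenge,
        "origin": page_origin,
    }).encode()
    result = auth.get_assertion(rp_id, client_data)
    if result is None:
        return None
    auth_data, sig = result
    return client_data, auth_data, sig


def rp_verify(stored_secret: bytes, expected_challenge: str,
              client_data: bytes, auth_data: bytes, sig: bytes) -> str:
    """RP-side checks in the order the WebAuthn spec lists them; returns a verdict string."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != expected_challenge:
        return "challenge mismatch"          # replay of an old assertion
    if cd.get("origin") != RP_ORIGIN:
        return "origin mismatch"             # assertion was produced on another site
    if auth_data[:32] != sha256(RP_ID.encode()):
        return "rpIdHash mismatch"
    expected_sig = hmac.new(stored_secret, auth_data + sha256(client_data), "sha256").digest()
    if not hmac.compare_digest(expected_sig, sig):
        return "bad signature"
    return "ok"


def login_attempt(page_origin: str) -> str:
    """The victim's key is registered with the real RP; the login page loads from page_origin.
    An attacker-in-the-middle is assumed to relay the RP's genuine challenge to that page."""
    auth = Authenticator()
    stored = auth.register(RP_ID)
    challenge = secrets.token_urlsafe(32)
    result = browser_get_assertion(auth, page_origin, challenge)
    if result is None:
        return "no assertion"
    return rp_verify(stored, challenge, *result)


if __name__ == "__main__":
    print("real site:  ", login_attempt(RP_ORIGIN))                      # ok
    print("look-alike: ", login_attempt("https://twilio-sso.example"))   # no assertion
```

Contrast this with a TOTP or SMS code: the victim can be talked into typing a valid code into the attacker’s page, and the attacker relays it to the real site within the validity window. With a security key there is nothing for the victim to hand over; the browser refuses to involve the credential on the wrong origin, and the relying party rejects anything that does not carry its own origin and fresh challenge.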

“Specifically, current and former employees have recently reported receiving text messages claiming to be from our IT department. Typical text bodies suggested that the employee’s passwords had expired, or that their schedule had changed, and that they needed to log in to a URL controlled by the attacker. The URLs used words such as ‘Twilio’, ‘Okta’ and ‘SSO’ to try to trick users into clicking a link that took them to a landing page that mimicked Twilio’s login page,” Twilio’s post reads.
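An added example (not from Twilio or the original article) of triaging SMS of the kind described above: a Python filter that flags the IT-department pretext phrases together with links whose host or path borrows ‘twilio’, ‘okta’ or ‘sso’ but does not resolve to an allowlisted corporate domain, or that hide the destination behind a URL shortener. The allowlist, the shortener list, the phrase list and the sample messages are constructed for the example; in production the registrable-domain logic should use a public-suffix list rather than the last two labels.

```python
"""Triage of SMS lures: an IT-themed pretext plus a link that borrows the company's brand
or SSO vocabulary without pointing at a corporate domain.
Added example; the allowlist, shortener list, phrases and sample messages are constructed."""
import re
from urllib.parse import urlsplit

CORPORATE_DOMAINS = {"twilio.com", "okta.com"}          # assumed allowlist of real login domains
BRAND_TERMS = ("twilio", "okta", "sso")                 # words the lure URLs were reported to use
LURE_PHRASES = (                                        # constructed pretext phrases
    "password has expired", "password expired", "credentials have expired",
    "credentials expired", "schedule has changed", "schedule changed",
)
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd"}  # constructed shortener list
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of the host (good enough here; use a public-suffix list in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def url_findings(url: str) -> list:
    """Reasons a single link looks like a credential lure; empty list if it goes to us."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    if domain in CORPORATE_DOMAINS:
        return []                                       # genuinely our site, brand words are fine
    findings = []
    if domain in SHORTENERS:
        findings.append("url shortener hides destination: " + host)
    if any(term in host for term in BRAND_TERMS):
        findings.append("brand term in non-corporate host: " + host)
    if any(term in parts.path.lower() for term in BRAND_TERMS):
        findings.append("brand term in path of non-corporate link: " + parts.path)
    return findings


def triage_sms(text: str) -> dict:
    """Classify one message as 'block', 'review' or 'ok' and list the reasons.

    block  : a pretext phrase AND a suspicious link (the pattern in the Twilio texts)
    review : only one of the two signals
    ok     : neither
    """
    lowered = text.lower()
    lure_hits = [p for p in LURE_PHRASES if p in lowered]
    link_hits = []
    for url in URL_RE.findall(text):
        link_hits += url_findings(url)
    if lure_hits and link_hits:
        verdict = "block"
    elif lure_hits or link_hits:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict,
            "reasons": [f"lure phrase: {p!r}" for p in lure_hits] + link_hits}


# Constructed sample messages, not real captured texts.
SAMPLE_SMS = [
    "Twilio IT: your password has expired. Log in now to keep access: https://twilio-sso.example/okta",
    "Your schedule has changed, review the update here https://bit.ly/3abc123",
    "Reminder: all-hands at 10am, agenda at https://www.twilio.com/internal/agenda",
    "Your parcel was delivered. Track it: https://example.org/track/7781",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        result = triage_sms(sms)
        print(result["verdict"].upper(), "|", sms)
        for reason in result["reasons"]:
            print("   -", reason)
```

The two signals are deliberately kept separate: brand words alone appear in legitimate mail from the real domains, and an "expired password" notice alone may be genuine, but the combination of a pretext and a non-corporate, brand-laden or shortened link is the shape of the lure Twilio describes, and is what warrants a block or an alert to the security team.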

“The text messages originated from the US carriers’ networks. We worked with the US carriers to shut down the actors and with the hosts serving the malicious URLs to shut down those accounts. Additionally, the threat actors appeared to have sophisticated capabilities to match the names of the source employees with their phone numbers.”

Twilio officials said they have coordinated with other companies targeted by similar text-based phishing campaigns, and with mobile carriers and hosting providers, to disable the infrastructure the attackers used. The attackers, however, frequently changed their sending phone numbers and URLs.

“Based on these factors, we have reason to believe that threat actors are well-organized, sophisticated and methodical in their actions. We have not yet identified the specific threat actors at work here, but we have been liaising with law enforcement in our efforts,” the company said.
