[German]Cloud communications company Twilio has recently fallen victim to a cyberattack, according to recent media reports (here and here). The attackers penetrated some of the company's customer databases after stealing employee credentials via an SMS phishing attack. The Lookout, Inc, research team took a closer look at this attack campaign and was able to determine some extremely important information thanks to the Lookout dataset.
Advertising
With more than 5,000 employees in 26 offices in 17 countries, Twilio provides programmable voice, text, chat, video and email APIs. More than ten million developers and 150,000 companies use them to build customer engagement platforms. Twilio became aware of unauthorized access to information on August 4, 2022, limited to a small number of customer accounts.
Attackers active for months
infrastructure appears to have been active since May or June of this year. Based on observed activity, the attackers have targeted employees of companies in telecommunications (T-Mobile and Rogers), customer service (Quaifon, Iqor, TTEC and Medallia), social media (TaskUs and Twitter) and others such as Twilio, Intuit and Okta. "Based on the phishing domains we observed, it appears the attacker was able to gain access to the company's infrastructure by triggering the multifactor authentication (MFA) solution," said Savio Lau, staff security intelligence researcher at Lookout.
Protection against mobile phishing attacks
Protection against mobile phishing attacks should be an important part of any organization's overall security strategy. Attackers are able to create convincing phishing campaigns that attempt to manipulate employees of specific companies. It is becoming increasingly difficult to distinguish these attacks from legitimate communications. The attackers are also becoming more capable, largely because phishing kits are readily available in the rapidly growing malware-as-a-service market. Kits sold on this market are equipped with advanced features and make it easy for even inexperienced attackers to carry out complex campaigns.
Social engineering phishing campaigns usually have small warning signs, but they are easy to miss – especially on mobile devices. In this case, for example, the attackers are able to activate the MFA solution of the affected employee. But an immediate tell-tale sign of the attack is that the location on the notification is incorrect (see figure).
"Employees should always be extremely cautious when they receive messages asking them to verify their credentials. By taking a few extra seconds to look for clues that may indicate malicious intent, they can save their company from a harmful data breach," Savio Lau said.
Advertising
Companies should also ensure they protect themselves and their employees from mobile phishing attacks. This is especially true since they can occur through channels such as SMS, social media and third-party messaging platforms like WhatsApp, which are not always under the control of the IT or security team.
Mobile phishing is the most common method for attackers to steal employee credentials. They can then use this to log into the company's cloud infrastructure and gain access to sensitive data, which they steal or encrypt to execute a ransomware attack.
In addition to protecting against mobile phishing, organizations of all types and sizes should implement a cloud security platform that can detect anomalous behavior indicative of a cyberattack. These anomalies can range from an abnormal login location to a user accessing data they should not normally interact with.
