Twilio Phishing Attack Impacts More than 160 Customers

A phishing attack has impacted more than 160 Twilio customers, the company discovered early this month. The hackers also hit Cloudflare, but didn’t succeed.

Twilio became aware of unauthorized access to information related to a limited number of customer accounts. The malicious hackers gained access through a sophisticated social engineering attack. They accessed customer data by tricking employees into handing over their corporate login credentials via phishing attacks.

Twilio has updated its blog detailing the phishing attacks.

Twilio identified 163 customers whose data was accessed without authorization for a limited time, it said. Its total customer base is over 270,000. Twilio has notified all of the impacted customers.

In addition, hackers gained access to the accounts of 93 individual Authy users. Authy is Twilio’s free two-factor authentication (2FA) app. The hackers registered additional devices to those accounts.

“We have since identified and removed unauthorized devices from these Authy accounts,” Twilio said.

Twilio contacted the 93 Authy users and provided them with additional guidance to protect their accounts.

Signal Customers Impacted by Twilio Phishing Attack

Signal, a secure communications provider, is one of the Twilio customers impacted by the phishing campaign. The phishing campaign impacted about 1,900 Signal customers. Twilio provides Signal with phone number verification services.

An attacker gained access to Twilio’s customer support console via phishing, Signal wrote in a blog.

“During the window when an attacker had access to Twilio’s customer support systems, it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code,” it said. “The attacker no longer has this access, and the attack has been shut down by Twilio.”

The same hackers targeted Cloudflare in July. The bad actors disguised text messages to employees as official-looking communications, it said. That included “cloudflare” and “okta” in the hacker-controlled domain. Hackers designed the fake login page to steal credentials and even perform time-based one-time passwords (TOTP) to try to unlock internal company access.

While a few employees did enter their credentials, Cloudflare’s network was not compromised, the company said.

“Cloudflare was able to move from initial attack identification through full mitigation quickly and effectively,” it said.

Oktapus Phishing Campaign

The Twilio and Cloudflare attacks were part of the Oktapus phishing campaign, according to Group-IB. It said the campaign has been active since March. The attackers targeted employees of companies that are customers of identity and access management (IAM) provider Okta. Okta issued a blog providing more clarity on the Twilio incident.

In all, the Oktapus phishing campaign has compromised over 130 organizations.

Patrick Harr is CEO of SlashNext.

SlashNext’s Patrick Harr

“The Twilio and Cloudflare breaches demonstrate the rise in SMS phishing attacks to successfully harvest credentials at the start of the attack chain to perpetrate a breach,” he said.

These attacks are hard to identify, Harr said. Moreover, organizations can’t rely on employee training to stop SMS and other communication channel attacks.

“We are hearing from security professionals an increased concern over smishing and mobile attacks before these high-profile breaches,” he said.

Organization should implement proactive artificial intelligence (AI) and behavioral learning security controls to stop these types of attacks before employees are compromised, Harr said.

Unexpected Surge in Phishing Sites

Monnia Deng is director of product marketing at Bolster, a provider of automated digital risk protection.

Bolster’s Monnia Deng

“Phishing sites have seen an unexpected surge in 2022,” she said. “And Twilio is just one of the major breaches stemming from look-alike domains that have happened this year. Research has shown that this problem has skyrocketed ten-fold in 2022 because this method is easy to deploy, effective and a perfect storm in a post-pandemic digital era of work.”

Because the Twilio phishing attack happened in 40 minutes, from when the domains were registered to when users got the SMS message on their phones, any in-house teams that perform monitoring and takedown of malicious sites wouldn’t have been fast enough to respond, Deng said.

“Moreover, they neither have the relationships nor the access to perform takedowns, such as asking an internet service provider to remove a fake website,” she said. “The only way to respond to this kind of attack is to have a preconfigured automation of takedown of malicious sites provided by a real-time digital risk vendor that specializes in detection and takedown of phishing sites.

Spoofing the OTP Page

The attackers also spoofed the one-time password (OTP) page to steal both the login and the 2FA, Deng said.

“Organizations should move past OTP as their MFA method and opt for something more secure, such as a push notification,” she said. “The reason why most organizations have not implemented push MFA as their method of choice is because it is difficult to enforce every user to download an application on their device. Therefore, a good method is to also submit 2FA pages, whether rebranded in the corporate style or through the actual 2FA vendor itself, as assets for a real-time digital risk vendor to scan the internet for any signs of spoofing. These assets – both the corporate domains as well as any affiliate domains such as 2FA vendors – should be tracked together.”

Organizations need a platform where customers can get immediate visibility of phishing websites across the web and automate real-time remediation for takedowns without any manual intervention, Deng said.