Incident Review: Twilio Smishing Attack
This past August it was reported that Twilio, an industry leader for the development of applications in the cloud, suffered an incident. This had an impact on the industry, as the company provides several popular services, such as automated text messages and calls for 2-step verification. Some of the most important companies using Twilio are Reddit, Airbnb, Uber, and Facebook, among many others. Twilio is hugely popular among software developers, with more than 190,000 businesses using it, enabling 932 billion interactions annually.
On August 4, 2022, a social engineering attack was carried out against several Twilio employees. The purpose of this phishing SMS attack was to trick the company's employees into handing over their credentials. The credentials were then used to gain access to the private information of the company's customers.
The attack consisted of text messages sent to Twilio employees that pretended to come from the company's IT department and asked the employees to log in to their company accounts via a malicious link. The link led employees to a page impersonating the company, where they were asked to enter their credentials in order to make a password change or schedule change. After employees submitted their credentials, the attackers used them to obtain sensitive data from Twilio customers. The links used in the campaign included keywords such as "Twilio", "Okta" and "SSO", which made them look legitimate and made it easy to fool employees.
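The keyword pattern described above lends itself to a simple detection check on inbound messages or proxy logs. The following is an added example, not code from Twilio or from the original article: the allowlist of legitimate sign-in domains is an assumption, and the sample messages and `.example` hosts are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Keywords the article says appeared in the phishing links.
KEYWORDS = ("twilio", "okta", "sso")
# Assumption: the domains the organisation really uses for sign-in.
ALLOWED = ("twilio.com", "okta.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def host_of(url):
    """Return the lower-cased hostname of a URL, or '' if it cannot be parsed."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()

def is_allowed(host):
    """True only for an allowed domain or a true subdomain of one.
    'twilio.com.evil.example' fails because the match is on the suffix."""
    return any(host == d or host.endswith("." + d) for d in ALLOWED)

def keyword_hits(host):
    """Brand keywords present in the hostname, in KEYWORDS order."""
    tokens = re.split(r"[^a-z0-9]+", host)
    # Short keywords must be a whole token, or 'espresso' would match 'sso'.
    return [k for k in KEYWORDS
            if (k in tokens if len(k) <= 3 else k in host)]

def flag_links(text):
    """Return (host, keywords) for each link whose host uses a brand
    keyword but is not on the allowlist."""
    findings = []
    for url in URL_RE.findall(text):
        host = host_of(url)
        hits = keyword_hits(host)
        if host and hits and not is_allowed(host):
            findings.append((host, hits))
    return findings

# Constructed sample messages; the .example hosts are invented.
SAMPLES = [
    "ALERT: your password expired. Sign in at https://twilio-sso.example/login",
    "Schedule changed, confirm here: http://www.twilio.com.okta-help.example/",
    "Docs moved to https://www.twilio.com/docs/usage",
    "Lunch menu: https://cafeteria.example/today",
]
```

Calling `flag_links` on each entry of `SAMPLES` flags the first two messages and passes the last two. A keyword match is a triage signal rather than a verdict, so findings should feed review or blocking rules alongside domain age and registration data.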
Initially, only 163 Twilio customers were identified as having had their data accessed, plus 93 Authy users (Twilio purchased Authy in 2015, and Twilio's platform allows the use of various elements of Authy). It was eventually reported that the attackers managed to access data from 209 Twilio customers. One of the affected Twilio customers is speculated to be the Signal application, since its employees were notified of the theft of information and 1900 users were notified of the possible disclosure of their phone numbers. Also, the food delivery app DoorDash stated that a small percentage of its customers' information was accessed. This information included names, mail, delivery address, telephone number, and partial payment information. Twilio reports that there is no evidence that the hackers accessed Twilio customers' console credentials, authentication tokens, or API keys, and that no further suspicious activity has been recorded since August 10.
The attack on Twilio is part of a larger campaign carried out by a hacker named 0ktapus. This hacker attacked more than 130 organizations, mostly dedicated to IT, software development, and cloud services, including MailChimp and Cloudflare. The hacker's modus operandi consisted, as in the case of Twilio, of first identifying the telephone numbers of employees, then targeting them by "smishing" through texts or phone calls, leading employees to follow the link to the fake pages and enter their credentials, and finally using the credentials to get data from customers. Experts point out that low-skill methods were used and yet many accounts were compromised, so it is assumed that the attack was carefully planned.
This was the second time Twilio was attacked by the same actor; the first was on June 29, 2022. The June attack, unlike the August attack, was carried out through a "vishing" phone call, in which an employee handed over credentials that the hacker used to access data from a limited number of customers. The attacker's access was removed in just 12 hours. As with the recent campaign, customers were notified, in this case on July 2.
In response to the recent attack, Twilio conducted an investigation of the incident with a major forensic firm and revoked access to the compromised employee accounts. Employees were notified of the attackers' tactics and asked to take security training on social engineering attacks. All affected customers were notified of the situation, and unauthorized devices were removed. Twilio requested the removal of all fake domains impersonating it. Employee login and control in the company's VPN were fortified. Administrator rights to various tools were also fortified.
The number of attacks in phishing campaigns increases day by day; it is therefore important for a company to provide good training to employees, strengthen security measures for access to any sensitive information, and carry out audits regularly. Data theft impacts the company's reputation and the trust of its customers.