Twilio account breach result of sophisticated social engineering campaign
Cloud communications platform Twilio has admitted that hackers gained access to some customer data last week after a social engineering attack handed internal login credentials to threat actors.
Twilio employees were subjected to phishing texts requesting that they change their company passwords, each including a link with the keywords ‘Twilio’, ‘Okta’ and ‘SSO’ to make the URLs look more legitimate.
If an employee clicked the link, they were asked for their current credentials, which the threat actors harvested and used to access internal systems.
In an incident report, Twilio stated that the attacks were halted after the company “worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down.”
The phishing element of the breach was enhanced by social engineering on the part of the threat actors, who made the texts appear as if they were sent by the Twilio IT department. Texts also addressed employees by name in some examples.
The company also stated that it has heard first hand that other companies were subjected to similar attacks, and that despite coordination with carrier networks the threat actors continue to operate. Investigations are ongoing.
The fact that former employees, as well as current employees, received the texts along with the threat actors’ reported ability to link phone numbers to individual names of employees, suggests a well-equipped operation backed by an understanding of the firm.
Twilio has been in touch with those customers whose data was potentially compromised and has no reason at this stage to suspect malicious activity outside of the accounts it has identified.
“We have reemphasised our security training to ensure employees are on high alert for social engineering attacks and have issued security advisories on the specific tactics being utilized by malicious actors since they first started to appear several weeks ago.
“We have also instituted additional mandatory awareness training on social engineering attacks in recent weeks. Separately, we are examining additional technical precautions as the investigation progresses.”
Social engineering attacks are difficult to mitigate because defence is only as strong as an individual’s ability to recognise something is wrong. There is little that security systems can do to protect a company’s infrastructure if users are willing to give up their passwords over the phone, and clicking links sent from an unrecognised number carries a similar risk.
It is always best to double-check the origin of communications claiming to be from officials and to question requests to change your password. Two-factor authentication (2FA) can also be a good barrier between employees and unwanted login attempts.
Ⓒ Future Publishing
Subscribers 0
Fans 0
Followers 0
Followers