An unknown attacker compromised some credentials belonging to employees of customer-engagement company Twilio through an SMS phishing campaign, and was then able to gain access to some customer data through Twilio’s internal systems, the company said Monday.
Twilio discovered the compromise on Aug. 4 and began investigating. It later found that some current and former employees had received text messages purporting to be from the company’s IT team, telling them that their credentials had expired or that their schedules had changed. The messages contained a short link, and Twilio officials said the attackers sent them through several different wireless carriers in the United States and rotated through a menu of URLs.
“This broad based attack against our employee base succeeded in fooling some employees into providing their credentials. The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data,” Twilio officials said in a blog post Monday.
Twilio did not specify how many customers’ accounts were compromised or what kind of data the attackers were able to access, but said they are in the process of notifying all of the affected customers.
The tactics the attackers used in this campaign are well known and are employed by cybercrime groups in broad campaigns as well as in more targeted attacks. Text-based phishing has become more popular among attackers for several reasons, one of which is that a text message typically gives a user less information to evaluate when deciding whether it is authentic or malicious. Phishing emails are easier to examine because they carry more context and more clues. The texts sent to Twilio’s current and former employees were just one short sentence followed by a short URL to click.
An effective protection against phishing attacks like this one is deploying hardware security keys as a second factor of authentication. Hardware security keys are phishing-resistant and quite difficult for attackers to bypass.
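The reason a hardware key holds up where a password or a texted code does not is that the credential is bound to the site that registered it. The following simulation is an added example, not code from the article or from Twilio, and it uses constructed names (`sso.example.com` as the relying-party ID, a look-alike page at `twilio-sso.example.net`). It models the two checks a FIDO2/WebAuthn login relies on: the browser only lets a page use credentials scoped to its own domain, and the relying party (RP) verifies that the signed client data names the RP's own origin and its own fresh challenge. A real security key signs with a per-credential private key; the toy authenticator here uses an HMAC with a secret it shares only with the toy RP, which is enough to show the origin binding.

```python
"""Toy model of why a FIDO2/WebAuthn security key resists a look-alike login page.

Added example, not code from the article or from Twilio. Names, origins and the
HMAC stand-in for a real signature are constructed for illustration only.
"""
import hashlib
import hmac
import json
import os

RP_ID = "sso.example.com"               # constructed relying-party ID
RP_ORIGIN = "https://sso.example.com"   # the only origin the toy RP accepts


class ToyAuthenticator:
    """Holds credentials; each is bound to the RP ID it was registered for."""

    def __init__(self):
        self._creds = {}

    def register(self, rp_id):
        cred_id, key = os.urandom(16), os.urandom(32)
        self._creds[cred_id] = (rp_id, key)
        # A real key returns a public key; the toy hands the RP its HMAC secret.
        return cred_id, key

    def sign(self, rp_id, cred_id, client_data_hash):
        bound_rp, key = self._creds[cred_id]
        if bound_rp != rp_id:
            raise PermissionError("credential not scoped to this RP ID")
        # The signature covers the hash of the client data, which embeds the origin.
        return hmac.new(key, client_data_hash, hashlib.sha256).digest()


def browser_get_assertion(page_origin, rp_id, challenge, auth, cred_id):
    """Browser-side check: the requested rpId must be the page's own domain
    (or a parent of it), so a look-alike page cannot invoke the real credential."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if host != rp_id and not host.endswith("." + rp_id):
        raise PermissionError("rpId is not a registrable suffix of the page origin")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    sig = auth.sign(rp_id, cred_id, hashlib.sha256(client_data).digest())
    return client_data, sig


def rp_verify(client_data, sig, expected_challenge, key):
    """RP-side check: ceremony type, origin and challenge, then the signature."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if data.get("origin") != RP_ORIGIN:
        return False, "origin mismatch"
    if data.get("challenge") != expected_challenge:
        return False, "stale or foreign challenge"
    expected = hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def login_attempt(page_origin):
    """Run one login through a page at page_origin; report which layer decided."""
    auth = ToyAuthenticator()
    cred_id, key = auth.register(RP_ID)          # enrolment on the genuine site
    challenge = os.urandom(16).hex()             # fresh per-login challenge from the RP
    try:
        client_data, sig = browser_get_assertion(page_origin, RP_ID, challenge, auth, cred_id)
    except PermissionError as e:
        return "rejected by browser: " + str(e)
    ok, reason = rp_verify(client_data, sig, challenge, key)
    return "accepted" if ok else "rejected by RP: " + reason


def relayed_attempt(lookalike_origin):
    """Second layer: even if a client skipped the rpId check and the key signed on
    the look-alike page, relaying that assertion to the genuine RP fails because
    the signed client data names the wrong origin."""
    auth = ToyAuthenticator()
    cred_id, key = auth.register(RP_ID)
    challenge = os.urandom(16).hex()            # the RP's real challenge, passed through
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": lookalike_origin},
        sort_keys=True,
    ).encode()
    sig = auth.sign(RP_ID, cred_id, hashlib.sha256(client_data).digest())
    ok, reason = rp_verify(client_data, sig, challenge, key)
    return "accepted" if ok else "rejected by RP: " + reason


if __name__ == "__main__":
    print(login_attempt(RP_ORIGIN))                        # accepted
    print(login_attempt("https://twilio-sso.example.net"))  # rejected by browser
    print(relayed_attempt("https://twilio-sso.example.net"))  # rejected by RP
```

Contrast this with the credentials stolen in the Twilio campaign: a password or a texted one-time code is a bearer value that works wherever it is typed, so a landing page that merely looks like the sign-in page can collect and reuse it. A key's assertion is only valid for the origin it was produced on, which is what "phishing-resistant" means in practice.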
“More specifically, current and former employees recently reported receiving text messages purporting to be from our IT department. Typical text bodies suggested that the employee's passwords had expired, or that their schedule had changed, and that they needed to log in to a URL the attacker controls. The URLs used words including ‘Twilio,’ ‘Okta,’ and ‘SSO’ to try and trick users to click on a link taking them to a landing page that impersonated Twilio’s sign-in page,” the Twilio post says.
“The text messages originated from U.S. carrier networks. We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down. Additionally, the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers.”
Twilio officials said they coordinated with other companies that had been targeted by similar text phishing campaigns, and together with wireless carriers and hosting providers worked to disable the infrastructure the attackers were using. The attackers changed their mobile numbers and URLs frequently, though.
“Based on these factors, we have reason to believe the threat actors are well-organized, sophisticated and methodical in their actions. We have not yet identified the specific threat actors at work here, but have liaised with law enforcement in our efforts,” the company said.