On Aug 9th there were two major phishing attacks, on Twilio and Cloudflare. The structured attacks targeted not only the employees of these companies but their families as well.
They were sophisticated, organized and methodically executed.
“This broad based attack against our employee base succeeded in fooling some employees into providing their credentials,” said Twilio in a notice. “The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data.”
Twilio is a communications giant whose clients include large companies such as Airbnb, eBay, Glassdoor, Lyft, Salesforce, Stripe, Twitter, Uber, VMware, Yelp, and Zendesk.
The company has not revealed the extent of the damage as the investigation continues, but some accounts have been compromised.
A similar attack hit web infrastructure company Cloudflare around the same time.
The phishing messages directed at Cloudflare came from 4 phone numbers associated with T-Mobile-issued SIM cards.
The hackers' phishing page was designed to forward the credentials that unsuspecting users entered straight to the attackers. The attack was sophisticated enough that it even bypassed some of the two-factor authentication put in place for security: the Time-based One-Time Password (TOTP) codes entered on the fake landing page were transmitted in the same manner, enabling the adversary to sign in with the stolen passwords and TOTPs.
Cloudflare revealed that 3 of its employees had fallen for the scam. However, it was able to mitigate the attack using “hardkeys” built into the system to prevent attacks such as these.
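To illustrate why the relayed TOTP codes worked while hardware keys did not, here is an added example (not from the original article or from either company): a TOTP code depends only on a shared secret and the clock, whereas a FIDO2-style hardware key ties its response to the site origin the browser reports. The origins, secrets and the HMAC stand-in for the key's public-key signature are constructed assumptions.

```python
import hashlib
import hmac
import struct

REAL_ORIGIN = "https://login.example.com"        # constructed: legitimate site
FAKE_ORIGIN = "https://login-example.com.test"   # constructed: look-alike page


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): depends only on the secret and the clock."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts_totp(secret: bytes, code: str, now: int) -> bool:
    # The server cannot tell which page the code was originally typed into.
    return hmac.compare_digest(totp(secret, now), code)


def key_sign(key: bytes, challenge: bytes, origin_seen: str) -> bytes:
    """Simplified hardware key: the response covers the origin the browser
    reports. Real FIDO2 keys use a public-key signature; HMAC stands in here."""
    return hmac.new(key, origin_seen.encode() + b"|" + challenge, hashlib.sha256).digest()


def server_accepts_key(key: bytes, challenge: bytes, response: bytes) -> bool:
    # Only a response computed over the server's own origin verifies.
    return hmac.compare_digest(key_sign(key, challenge, REAL_ORIGIN), response)


def simulate(now: int = 1_660_000_000) -> dict:
    totp_secret = b"constructed-totp-secret"
    key_secret = b"constructed-key-secret"
    challenge = b"constructed-server-challenge"
    # A code typed into the look-alike page is still valid seconds later.
    relayed_code = totp(totp_secret, now)
    # The key answers for the page it is actually on, not the real site.
    relayed_response = key_sign(key_secret, challenge, FAKE_ORIGIN)
    genuine_response = key_sign(key_secret, challenge, REAL_ORIGIN)
    return {
        "relayed_totp_accepted": server_accepts_totp(totp_secret, relayed_code, now + 5),
        "relayed_key_accepted": server_accepts_key(key_secret, challenge, relayed_response),
        "genuine_key_accepted": server_accepts_key(key_secret, challenge, genuine_response),
    }
```

Calling `simulate()` shows the relayed TOTP code being accepted while the response produced on the look-alike origin is rejected.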
What can you do?
This attack highlights that not only employees can be the focus, but family members too. The #1 place to start is providing security training and reminders to your teams. It is easy to get busy and forget, so a positive experience based around training and support needs to be fostered within the culture of our teams.
With phishing attacks becoming a more prominent way of scamming users, here are two other ways you can help mitigate these attacks:
- Be wary of suspicious emails that seem out of place. Check out our article on this topic.
- Implement multi-factor authentication. Here’s our article on multi-factor authentication.
If you have any questions about this article or staying secure in the digital world, please feel free to reach out to us.