![]() ![]() Phishing has been an inveterate and consequential threat for years, playing a role in many impactful breaches around the world, including Russia's attack on the Democratic National Committee in 2016. “Trust is paramount at Twilio, and we recognize that the security of our systems and network is an important part of earning and keeping our customers' trust.” “We are very disappointed and frustrated about this incident,” Twilio wrote in an update on August 10. The findings underscore the seemingly thoughtful and targeted nature of the campaign to maximize impact by focusing on internet infrastructure and business management services that provide crucial support, including components of login authentication, for large clients. And the researchers found that the majority of targets are cloud services, software development companies, or IT management firms. Of those, 114 victim companies are based in the United States. ![]() Researchers from the cybersecurity firm Group-IB said in a report on Thursday that it had identified and notified 136 organizations that seemed to be victims of the phishing campaign. Attackers also targeted the internet infrastructure company Cloudflare in their campaign, but the company said at the beginning of August that it wasn't compromised because of its limits on employee access and use of physical authentication keys for logins. Twilio says that the malicious URLs contained words like "Twilio," "Okta," or "SSO" to make the URL and the malicious landing page it linked to seem more legitimate. The texts often claimed to come from a company's IT department or logistics team and urged recipients to click a link and update their password or log in to review a scheduling change. Pwn the multi-factor authentication, pwn the world.”Īttackers compromised Twilio as part of a massive yet tailored phishing campaign against more than 130 organizations in which attackers sent phishing SMS text messages to employees at the target companies. “It was a patient hack that was super-targeted yet broad. “I think this will go down as one of the more sophisticated long-form hacks in history,” said one security engineer who asked not to be named because their employer has contracts with Twilio. The Twilio hacking campaign, conducted by an actor that has been called “0ktapus” and “Scatter Swine,” is significant because it illustrates that phishing attacks can not only provide attackers valuable access to a target network, but even kick off supply chain attacks, in which access to one company’s systems provides a window into those of their clients. Even a company like Authy, whose core product is an authentication code-generating app, uses some of Twilio's services. Though it's long been known that SMS is an insecure way to receive these codes, it's definitely better than nothing, and organizations haven't been able to move away from the practice completely. This could mean a system a barber uses to remind customers about haircuts and have them text back “Confirm” or “Cancel.” But it can also be the platform through which organizations manage their two-factor authentication text messaging systems for sending one-time authentication codes. Twilio provides application programming interfaces through which companies can automate call and texting services.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |