Twilio, a San Francisco-based digital communications company, has confirmed that hackers tricked members of its staff into sharing their login credentials. The attackers sent SMS messages to employees saying a change had been made to their work schedules and asking them to reset their passwords. The official-looking text messages included references to “Twilio,” “SSO (single sign-on),” and Okta, the name of Twilio’s user authentication service. The link included in the SMS messages mimicked a Twilio sign-on page where attackers collected the information input by employees.
While the Twilio customer support team has reached out to impacted organizations, Fortalice is advising our clients to reach out directly to the company to verify whether their organization’s information has been compromised.
In the days following the disclosure by Twilio, Cloudflare, a content delivery network company, revealed that it had been targeted in a similar manner. In Cloudflare’s case, however, the company’s use of hardware-based multi-factor authentication (MFA) keys prevented attackers from accessing its internal network.
The Twilio and Cloudflare incidents are examples of smishing attacks, which are social engineering attacks performed via SMS or text messages. The text messages contain links to webpages, email addresses, phone numbers, or other links designed to lure potential victims into clicking. The Twilio breach included SMS messages with employee scheduling information to increase the likelihood the employee would click the link.
The strategies below, provided by the Cybersecurity and Infrastructure Security Agency (CISA), can help protect you and your organization from smishing attacks:
We value you as customers, and we understand incidents like these can be very unsettling. We are here to help. Fortalice is committed to providing you with the tools and confidence to fortify your interests, protect your organization, and maintain a strategic advantage over adversaries. If you have any questions or need assistance in implementing necessary threat mitigation steps for your organization, please do not hesitate to reach out to us.
During the course of our investigative work, Fortalice has observed an increasing and alarming trend: personal email compromise is leading to business email compromise. Threat actors will leverage weaknesses regarding executives’ or board members’ personal cybersecurity hygiene to gain access to their business accounts. Extortion also remains a top cybersecurity threat, with organized criminals overseas routinely targeting corporations and the people who support them.
Silicon Valley Bank (SVB) was shuttered early this month and had its deposits seized in the largest U.S. bank failure since the 2008 financial crisis. Although it may seem like SVB’s collapse will only impact its direct customers and depositors, it is far more complicated. Like vultures to roadkill, cyber scammers often wait to exploit and target victims after tragedy strikes, or bad news arises. A perfect storm of stress, uncertainty, and urgency for customers and vendors alike during this time can impair someone’s judgement when they click links and open emails they otherwise would ignore or delete. Fortalice has outlined a few different ways cybercriminals social engineer their victims during times of extreme distress and insecurity.