Phishers Who Breached Twilio and Fooled Cloudflare Could Easily Get You, Too
Freeman writes:
At least two security-sensitive companies, Twilio and Cloudflare, were targeted in a phishing attack by an advanced threat actor who had possession of home phone numbers of not just employees but employees' family members as well.
In the case of Twilio, a San Francisco-based provider of two-factor authentication and communication services, the unknown hackers succeeded in phishing the credentials of an undisclosed number of employees and, from there, gained unauthorized access to the company's internal systems, the company said. The threat actor then used that access to access data in an undisclosed number of customer accounts.
Two days after Twilio's disclosure, content delivery network Cloudflare, also headquartered in San Francisco, revealed it had also been targeted in a similar manner. Cloudflare said that three of its employees fell for the phishing scam, but that the company's use of hardware-based MFA keys prevented the would-be intruders from accessing its internal network.
In both cases, the attackers somehow obtained the home and work phone numbers of both employees and, in some cases, their family members. The attackers then sent text messages that were disguised to appear as official company communications. The messages made false claims such as a change in an employee's schedule, or the password they used to log in to their work account had changed. Once an employee entered credentials into the fake site, it initiated the download of a phishing payload that, when clicked, installed remote desktop software from AnyDesk.
The threat actor carried out its attack with almost surgical precision. In the attacks on Cloudflare, at least 76 employees received a message in the first minute. The messages came from a variety of phone numbers belonging to T-Mobile. The domain used in the attack had been registered only 40 minutes prior, thwarting the domain protection Cloudflare uses to ferret out impostor sites.
Read more of this story at SoylentNews.