Employees at Twilio fell for a text-based phishing scam last week, responding to messages pretending to be from the company’s IT department. The scam compromised their credentials and led to the theft of customer data.
It’s the latest example of staff members being tricked into giving away their user names and passwords, resulting in data theft.
Twilio, which makes a messaging platform used by marketing departments for its ability to integrate with Facebook Messenger, WhatsApp, SMS, voice, email, and more, said a “limited” number of customer accounts were compromised.
Still, it’s a blow to a company that counts huge multinational corporations as its customers.
Szilveszter Szebeni, CISO and co-founder at Tresorit, a European encryption-based security software company, said that while continuous phishing testing of employees is the minimum organizations should do for protection, companies are not even safe using two-factor authentication. With a targeted attack, even accounts protected by 2FA can be hacked by stealing a session using a fake website. “The real solution for the industry is to go password-less,” he said. “Unfortunately the industry does not support it in every use case.”
In a statement, Twilio said it became aware of unauthorized access to its information on August 4th. Current and former employees reported receiving text messages purporting to be from Twilio’s IT department. Typical messages suggested that the employee’s password had expired, or that their schedule had changed, and that they needed to log in at a supplied URL. The URLs used words including “Twilio,” “Okta,” and “SSO” to try to trick users into clicking a link that took them to a landing page impersonating Twilio’s sign-in page. Those URLs were controlled by the attacker. The text messages originated from U.S. carrier networks.
(An example of a phishing text sent to a Twilio employee)
“The threat actors seemed to have sophisticated abilities to match employee names from sources with their phone number,” Twilio added.
Victims who clicked on the link and entered their credentials had the username and password stolen. The attackers then used the stolen credentials to gain access to some of Twilio’s internal systems.
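As an added, defender-side illustration (not code from Twilio’s statement or from any product mentioned here), the following script scans text messages for URLs whose hostname carries a brand word such as “twilio”, “okta” or “sso” but does not resolve to an allowlisted sign-in domain, which is the lookalike pattern the article describes. The allowlist, the sample messages and the `.example` hostnames are all constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of legitimate sign-in domains (an assumption for this
# example, not a list taken from Twilio's advisory).
LEGIT_DOMAINS = {"twilio.com", "okta.com"}

# Brand words the article says the lure URLs contained.
BRAND_KEYWORDS = ("twilio", "okta", "sso")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Adequate for the sample hosts here;
    a real deployment would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """Return 'legit', 'suspicious' or 'other' for a single URL."""
    host = (urlparse(url).hostname or "").lower()
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    # A brand word in the host of a non-allowlisted domain (e.g. twilio-sso.example)
    # is exactly the lure pattern described in the article.
    if any(word in host for word in BRAND_KEYWORDS):
        return "suspicious"
    return "other"


def flag_smishing(messages):
    """Return [(message, url)] for every URL that looks like a brand lookalike."""
    hits = []
    for msg in messages:
        for url in URL_RE.findall(msg):
            if classify_url(url) == "suspicious":
                hits.append((msg, url))
    return hits


# Constructed sample messages modelled on the lures the article describes.
SAMPLE_MESSAGES = [
    "ALERT: Your Twilio password has expired. Reset at https://twilio-sso.example/login",
    "Your schedule has changed, review it at https://okta.twilio-schedule.example/",
    "Reminder: staff meeting moved to 3pm, see https://intranet.example/calendar",
    "Use the real portal: https://login.okta.com/ for sign-in",
]

if __name__ == "__main__":
    for msg, url in flag_smishing(SAMPLE_MESSAGES):
        print(f"SUSPICIOUS {url}  <- {msg[:45]}")
```

Only two of the four sample messages are flagged: the genuine Okta host is allowlisted and the intranet reminder carries no brand word.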
“We have heard from other companies that they, too, were subject to similar attacks, and have co-ordinated our response to the threat actors,” Twilio said, “including collaborating with carriers to stop the malicious messages, as well as their registrars and hosting providers to shut down the malicious URLs. Despite this response, the threat actors have continued to rotate through carriers and hosting providers to resume their attacks.”
Twilio has revoked access to the compromised employee accounts. It has also “re-emphasized our security training to ensure employees are on high alert for social engineering attacks, and have issued security advisories on the specific tactics being utilized by malicious actors since they first started to appear several weeks ago. We have also instituted additional mandatory awareness training on social engineering attacks in recent weeks. Separately, we are examining additional technical precautions as the investigation progresses.”