Experts Blog

Twilio, a San Francisco-based digital communications company, has confirmed that hackers tricked members of its staff into sharing their login credentials. The attackers sent SMS messages to employees saying a change had been made to their work schedules and asking them to reset their passwords. The official-looking text messages included references to “Twilio,” “SSO (single sign-on),” and Okta, the name of Twilio’s user authentication service. The link included in the SMS messages mimicked a Twilio sign-on page where attackers collected the information input by employees.

While the Twilio customer support team has reached out to impacted organizations, Fortalice is advising our clients to reach out directly to the company to verify if your organization’s information has been compromised.

In the days following the disclosure by Twilio, Cloudflare revealed the content delivery network company had been targeted in a similar manner. In Cloudfare’s case, however, the company’s use of hardware-based multi-factor authentication (MFA) keys prevented attackers from accessing its internal network. 

The Twilio and Cloudfare incidents are examples of smishing attacks, which are social engineering attacks performed via SMS or text messages. The text messages will contain links to webpages, email addresses, phone numbers, or other links designed to lure potential victims into clicking on the link. The Twilio breach included SMS messages with employee scheduling information to increase the likelihood the employee would click the link. 

‍
How to Protect Yourself Now

The strategies below, provided by the Cybersecurity and Infrastructure Security Agency (CISA), outline strategies to protect yourself and your organization from smishing attacks:

• Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
• Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. 
• Be aware of messages creating a sense of urgency or invoke fear to click a link 
• If you are unsure whether a message (e.g., email, SMS) request is legitimate, try to verify it by contacting the sender directly. Do not use contact information provided in the message received; instead, contact the sender using a previously provided communication method. 
• Keep devices up to date with security patches and install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
• Take advantage of any anti-phishing features offered by your email client and web browser.
• Enforce MFA using an authentication app or hardware token instead of SMS/text. 

How Fortalice Can Help

• ‍Review your incident response plans (IRPs). Fortalice can review existing policies and procedures to identify gaps or assist clients in developing industry best practice cybersecurity documentation. ‍
• Identify weaknesses in your security environment. Through the perspective of an attacker, our Offensive Cyber Operations team will mimic sophisticated cyber threats to test systems and produce action steps so your organization can stay ahead of the bad guys. ‍
• Take proactive action to protect against threats and attacks. Our industry-certified engineers can assist your organization in implementing and optimizing defensive security tools to protect assets from adversaries.

We value you as customers, and we understand incidents like these can be very unsettling. We are here to help. Fortalice is committed to providing you with the tools and confidence to fortify your interests, protect your organization, and maintain a strategic advantage over adversaries. If you have any questions or assistance in implementing necessary threat mitigation steps for your organization, please do not hesitate to reach out to us.

Additional Resources

• ARS Technica: Phishers who breached Twilio and fooled Cloudflare could easily get you, too
• CISA:Avoiding Social Engineering and Phishing Attacks
  

‍