Employees at Twilio fell for a text-based phishing scam last week, responding to messages pretending to be from the company’s IT department. The messages compromised their credentials and led to the theft of customer data.
It’s the latest example of staff members being tricked into giving away their user names and passwords, resulting in data theft.
Twilio, which makes a messaging platform used by marketing departments for its ability to integrate with Facebook Messenger, WhatsApp, SMS, voice, email, and more, said a “limited” number of customer accounts were compromised.
Still, it’s a blow to a company that counts large multinational firms among its customers.
Szilveszter Szebeni, CISO and co-founder at Tresorit, a European encryption-based security software company, said that while continuous phishing testing of staff is the minimum organizations should do for security, companies are not even safe using two-factor authentication. With a targeted attack, even accounts protected by 2FA can be hacked by stealing a session using a fake website. “The real solution for the industry is to go password-less,” he said. “Unfortunately the industry doesn’t support it in every use case.”
In a statement, Twilio said that on August 4th it became aware of unauthorized access to its information. Current and former employees reported receiving text messages purporting to be from Twilio’s IT department. Typical messages suggested that the employee’s password had expired, or that their schedule had changed, and that they needed to log in at a provided URL. The URLs used words including “Twilio,” “Okta,” and “SSO” to try to trick users into clicking on a link that took them to a landing page impersonating Twilio’s sign-in page. The text messages originated from U.S. carrier networks. The URLs were controlled by the attacker.
(An example of a phishing text sent to a Twilio employee)
“The threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers,” Twilio added.
Victims who clicked on the link and entered their credentials had their username and password stolen. The attackers then used the stolen credentials to gain access to some of Twilio’s internal systems.
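The lure described above relies on URLs that carry trusted brand words (“Twilio,” “Okta,” “SSO”) while pointing at attacker-controlled hosts. One defensive check a security team can run over inbound messages is to flag any link that uses those words without resolving to an allowlisted domain. The following example is added here for illustration and is not Twilio’s code or tooling; the sample messages, the allowlist of legitimate domains, and the naive “last two labels” registrable-domain rule are all constructed assumptions (a production version would use a public suffix list).

```python
import re
from urllib.parse import urlparse

# Constructed sample SMS bodies modelled on the campaign described in the article.
# None of these domains are real phishing infrastructure; ".example" is a reserved TLD.
SAMPLE_MESSAGES = [
    "IT: Your Twilio password has expired. Reset it at https://twilio-sso.example/login",
    "Schedule change, sign in to confirm: http://okta.twilio-schedule.example/",
    "Reminder: all-hands moved to 3pm, see https://twilio.com/calendar",
    "Your badge photo is ready: https://photos.example/twilio-sso/verify",
    "Lunch is in the kitchen",
]

# Assumed allowlist of domains the organization actually signs in through.
LEGITIMATE_DOMAINS = {"twilio.com", "okta.com"}

# Brand words the article says the phishing URLs used.
BRAND_KEYWORDS = ("twilio", "okta", "sso")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text: str) -> list[str]:
    """Return every http(s) URL found in a message body."""
    return URL_RE.findall(text)


def registrable_domain(host: str) -> str:
    """Naive registrable-domain extraction (assumption: last two labels).

    Real deployments should consult the public suffix list so that hosts
    like 'foo.co.uk' are handled correctly.
    """
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_suspicious(url: str) -> bool:
    """Flag a URL that uses a brand keyword but is not an allowlisted domain.

    The allowlist is checked first so that genuine links containing the brand
    name (e.g. https://twilio.com/...) are never flagged; everything else is
    judged on whether the full URL (host or path) carries a brand word.
    """
    host = urlparse(url).hostname or ""
    if registrable_domain(host) in LEGITIMATE_DOMAINS:
        return False
    lowered = url.lower()
    return any(keyword in lowered for keyword in BRAND_KEYWORDS)


def flag_messages(messages: list[str]) -> list[tuple[str, str]]:
    """Return (message, url) pairs whose link looks like brand impersonation."""
    flagged = []
    for body in messages:
        for url in extract_urls(body):
            if is_suspicious(url):
                flagged.append((body, url))
    return flagged


if __name__ == "__main__":
    for body, url in flag_messages(SAMPLE_MESSAGES):
        print(f"SUSPICIOUS {url}\n    in: {body}")
```

Running the script flags the three constructed messages whose links use a brand word outside the allowlist and leaves the genuine twilio.com link and the keyword-free messages alone. The check is deliberately simple; its value is that it catches the keyword-in-lookalike-domain pattern the article describes, regardless of which carrier or hosting provider the attacker rotates to next.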
“We have heard from other companies that they, too, were subject to similar attacks, and have co-ordinated our response to the threat actors,” Twilio said, “including collaborating with carriers to stop the malicious messages, as well as their registrars and hosting providers to shut down the malicious URLs. Despite this response, the threat actors have continued to rotate through carriers and hosting providers to resume their attacks.”
Twilio has revoked access to the compromised employee accounts. It has also “re-emphasized our security training to ensure employees are on high alert for social engineering attacks, and have issued security advisories on the specific tactics being utilized by malicious actors since they first started to appear several weeks ago. We have also instituted additional mandatory awareness training on social engineering attacks in recent weeks. Separately, we’re examining additional technical precautions as the investigation progresses.”