At least two security-sensitive companies—Twilio and Cloudflare—were targeted in a phishing attack by an advanced threat actor who had possession of home phone numbers of not just employees but employees' family members as well.
In the case of Twilio, a San Francisco-based provider of two-factor authentication and communication services, the unknown hackers succeeded in phishing the credentials of an undisclosed number of employees and, from there, gained unauthorized access to the company's internal systems, the company said. The threat actor then used that access to reach data in an undisclosed number of customer accounts.
Two days after Twilio's disclosure, content delivery network Cloudflare, also headquartered in San Francisco, revealed it had also been targeted in a similar manner. Cloudflare said that three of its employees fell for the phishing scam, but that the company's use of hardware-based MFA keys prevented the would-be intruders from accessing its internal network.
In both cases, the attackers somehow obtained the home and work phone numbers of both employees and, in some cases, their family members. The attackers then sent text messages that were disguised to appear as official company communications. The messages made false claims, such as that an employee's schedule had changed or that the password they used to log in to their work account had changed. Once an employee entered credentials into the fake site, it initiated the download of a phishing payload that, when clicked, installed remote desktop software from AnyDesk.
The threat actor carried out its attack with almost surgical precision. In the attacks on Cloudflare, at least 76 employees received a message in the first minute. The messages came from a variety of phone numbers belonging to T-Mobile. The domain used in the attack had been registered only 40 minutes prior, thwarting the domain protection Cloudflare uses to ferret out impostor sites.
(Score: 2) by janrinok on Friday August 12 2022, @06:14AM (2 children)
Reading this I am getting the feeling that somebody had inside information, or Twilio's and Cloudflare's security is far worse than I would have expected.
(Score: 0) by Anonymous Coward on Friday August 12 2022, @11:04AM
There is no security, om tat sat.
The concept of security is something humans made and is not a real thing (that exists or not-exists).
There are just levels of access and... right/might, that hidden knowledge gives.
Example:
I, a nobody with no name, had a private cert used to sign biometric passports for an unspecified European country once, 3 years before the cert expired...
Found it in some webserver, hidden behind an empty index.html file, with a bunch of other useful stuff, someone's filedump I guess.
Never used it, but still have that big game hunter feeling even now. A decent trophy, eheheh.
Also, as I see it, this hack is not a sign of inside knowledge (hacking with insider knowledge is lame, 'mmmmkay), it's a sign that someone saw this as being useful/profitable and did it.
Or maybe they were bored. Not a big deal.
All these "internet giants" are vulnerable to all the wonderful things multicellular things are vulnerable to - bacteria *wink*, sepsis, metastasis, parasitism, glorious thalassanemia, you name it; there's an equivalent technique on the Net.
They are larger, so more of everything.
Motivation to disclose the holes one finds is negative, where will I get my intel and food then... if they fix the hole I use?!!
(Score: 2) by Freeman on Friday August 12 2022, @02:09PM
Cloudflare was not breached. A couple of employees were the weakest link and clicked something they shouldn't have. As always, your security is only as good as its weakest link. In a lot of cases, that's the user. The year is 2022 and the best way to infiltrate a corporation is still through the employees. Yet, in this case, hardware-based MFA keys saved Cloudflare from Twilio's experience. It's also somewhat telling that Twilio didn't reveal how many of its employees were dumb enough to click on the link(s). I'm guessing a lot more than 3.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 0) by Anonymous Coward on Friday August 12 2022, @08:22AM (1 child)
Yeah... And? So what was the 1 Simple Trick That Might Fool You *click* *click* *cl8ck*
4 paragraphs deep in marketing I, genius, call this clickbait bullshit.
(Score: 4, Interesting) by janrinok on Friday August 12 2022, @08:39AM
Nowhere does it state that there is 1 simple trick that might fool you. Why did you expect there to be one?
The full article explains it reasonably well, I thought:
We would welcome any better stories for the front page.