Twilio staff deceived by fraudulent SMS scam
Twilio, a leading communications platform, has fallen victim to a sophisticated SMS phishing (smishing) attack. After discovering the breach, Twilio's security team revoked access to the compromised employee accounts.
The threat actors behind the attack are believed to be well-organized, methodical, and sophisticated. They ran a text message phishing campaign in which targeted employees' names had been matched to their mobile phone numbers. The messages, which appeared to originate from U.S. carrier networks, purported to come from Twilio's IT department and urged recipients to follow spoofed URLs to update an expired password or review a changed schedule.
Through those spoofed URLs, which contained words such as "Twilio," "Okta," and "SSO" (single sign-on), the attackers tricked some Twilio employees into entering their Okta credentials and two-factor authentication codes. Because the fake page collected the one-time code along with the password, the second factor offered no protection: a code typed into an attacker-controlled page can be relayed to the real login within its validity window, which is why only phishing-resistant factors such as FIDO2 security keys defeat this class of attack. Twilio worked with network carriers and hosting providers to shut down the malicious messages and URLs, but the threat actors rotated to other carriers and hosts and resumed their attacks.
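To make the lure pattern concrete, here is an added triage script (example code, not Twilio's own tooling and not part of the original article) that checks inbound SMS text for the two signals the campaign relied on: a URL whose hostname invokes a brand word ("twilio", "okta", "sso") without belonging to the organization's own sign-in domains, and an "expired password" or "schedule changed" pretext. The allowlisted domains (example-corp.com, example-corp.okta.com) and the sample messages are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hostnames the (hypothetical) organization legitimately uses for sign-in.
# These are assumptions for the example, not Twilio's real domains.
LEGIT_DOMAINS = {"example-corp.com", "example-corp.okta.com"}

# Brand words the reported lure domains contained.
BRAND_WORDS = ("twilio", "okta", "sso")

# Pretexts used in the campaign: expired password, changed schedule.
LURE_PHRASES = (
    "password has expired", "password expired", "update your password",
    "schedule has changed", "schedule changed", "schedule change",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_legit_host(host: str) -> bool:
    """True when host is one of our sign-in domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def brand_words_in_host(host: str) -> list[str]:
    """Brand words appearing anywhere in the hostname. This is a substring
    match, so an unrelated label like 'lessons' would trip 'sso'; tune
    BRAND_WORDS to the identity providers your organization actually uses."""
    flat = host.lower()
    return [w for w in BRAND_WORDS if w in flat]


def flagged_hosts(text: str) -> list[str]:
    """Hostnames in text that invoke a brand word but are not allowlisted."""
    out = []
    for url in URL_RE.findall(text):
        # Strip trailing sentence punctuation the regex may have swallowed.
        host = urlparse(url.rstrip(".,;:)")).hostname or ""
        if host and not is_legit_host(host) and brand_words_in_host(host):
            out.append(host)
    return out


def lure_phrases_in(text: str) -> list[str]:
    """Pretext phrases present in the message body (case-insensitive)."""
    low = text.lower()
    return [p for p in LURE_PHRASES if p in low]


def triage_sms(text: str) -> dict:
    """Classify one message: 'suspicious' on a lookalike host, 'review' when
    only the pretext wording is present, otherwise 'ok'."""
    hosts = flagged_hosts(text)
    lures = lure_phrases_in(text)
    return {
        "flagged_hosts": hosts,
        "lure_phrases": lures,
        "verdict": "suspicious" if hosts else ("review" if lures else "ok"),
    }


# Constructed sample messages for the example; not real captured traffic.
SAMPLES = [
    "Twilio IT: Your password has expired. Update it now at https://twilio-sso.com/login.",
    "Your on-call schedule has changed. Review it at https://sso.example-corp.okta.com/app/schedule",
    "Your package ships tomorrow: https://tracking.example-shipping.com/t/123",
    "Reminder from IT to sign in again: http://okta.twilio-login.net/auth",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage_sms(sample))
```

The second sample shows why the hostname check matters more than the wording: a genuine notice about a changed schedule from the organization's real Okta tenant is routed to human review rather than blocked, while the first and fourth samples are flagged purely on the brand-word lookalike domain, regardless of how convincing the text is.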
Twilio employs modern threat detection and deterrence measures, which makes the breach especially painful: even mature defenses did not stop employees from handing over credentials and one-time codes to a convincing fake login page. The company is notifying affected customers individually, and the impact is broad because many popular apps, including Facebook and Uber, use Twilio to deliver alerts and updates to their users.
The identity of the threat actors remains unknown, but the campaign was not limited to Twilio. Organizations hit by the same style of attack include LastPass, DoorDash, MailChimp, Plex, and over 130 others, as reported by KrebsOnSecurity.
Twilio described the attack as a "sophisticated social engineering attack" in a Sunday blog post. The company became aware of the intrusion on Aug. 4, by which point the threat actors had gained access to some of Twilio's internal systems containing customer data. The spoofed URLs directed employees to a landing page impersonating Twilio's sign-in page.
As the investigation continues, Twilio encourages everyone to remain vigilant and cautious when receiving unsolicited messages, especially those asking for sensitive information. The company is committed to transparency and will provide updates as more information becomes available.