Stay Vigilant: How Cloud Interconnectivity Is Amplifying the Effects of PhishingDownload Case Study
Recently, cloud communications company Twilio announced that its internal systems were breached after attackers obtained employee credentials using an SMS phishing attack. Around the same time, Cloudflare, a content delivery network and DDoS mitigation company, reported that its employees were also targeted but their systems were not compromised.
It was later revealed by Signal, an encrypted messaging app provider and a customer of Twilio, that the attackers used the breach to obtain phone numbers of 1,900 of its users. Three of the users were identified and targeted with additional phishing attacks, including Lorenzo Franceschi-Bicchierai, senior reporter at VICE Motherboard.
According to Signal, with the exposed number and access to Twilio’s system to push multifactor authentication (MFA), the threat actor could have re-registered a victims account for the purpose of impersonation.
Group-IB found that these attacks are part of a larger campaign by a group known as “0ktapus,” which has compromised more than 130 organizations by targeting those who use Okta as a single sign-on provider.
Conducting our own analysis, researchers from the Lookout Threat Lab found that this threat actor has targeted employees across different industries such as telecommunications, cryptocurrency, customer service and social media. In the case of Twilio and Signal, the attackers seemed to be looking to pivot their attack to specific accounts, possibly to further social engineering efforts or otherwise compromise additional targets.
This breach demonstrates how interconnected services are in our cloud-driven world, where attackers are able to quickly jump from one target to the next.
Whenever a breach occurs, we always need to think about the lessons that can be learned. To help you assess your own security posture, here are my tips for keeping your organization safe from mobile phishing attacks.
Understand how phishing has evolved
Phishing has evolved significantly over the years. Sure, the classic business email compromise (BEC) attacks are still lucrative, but the introduction of mobile devices has opened countless ways for phishing attacks to be delivered. To secure your organization, you need to account for them in your overall security strategy.
To trick employees into handing over their credentials, threat actors are taking advantage of the fact that we trust our mobile devices a lot more. The typical employee is less inclined to exercise caution when they get an unsolicited text message than if that same content goes to their work email. Also, mobile devices, with their smaller screens and simplified user interface, hide a lot of the telltale signs of an attack.
Phishing kits are also frequently sold in the malware-as-a-service market, giving attackers more capabilities than ever before. These kits can be relatively cheap and give even inexperienced attackers the ability to target specific organizations with complex phishing campaigns.
Learn how to spot the red flags
The fact is that attackers are getting better at building slick, realistic phishing campaigns. This makes red flags harder to spot, especially on mobile devices. But even though the red flags are small, they are there if you know where to look.
In an attack like this one, which triggers a targeted employees' MFA solution, the location on the notification might be incorrect. If an employee is located in San Francisco and the notification was triggered from somewhere else, they should deny the access request and notify their security team immediately. Another sign would be abnormal communication. For example, one of the three Signal users specifically targeted in the Twilio breach reported receiving a text message verification code in the middle of the night.
Whenever employees receive messages to verify their credentials, they should approach the request with extreme caution. If they didn’t try to log in anywhere themselves, they should contact their internal IT and security teams immediately to verify whether the communication was valid. If it isn’t, those teams can make the rest of the company aware of inbound attacks that are similar in nature. Your employees should always take a few seconds to look over any messages for giveaways of malicious intent, such as a location discrepancy, misspelled words or suspicious URLs. Those seconds of critical thinking could save your organization from a data breach.
How organizations can stay vigilant
Since mobile phishing attacks can come through channels outside of your security team's control — like SMS, social media and third-party messaging platforms like WhatsApp — your organization needs to stay vigilant to protect yourself and your employees. The Signal breach demonstrates just how vulnerable organizations are to this kind of attack.
Mobile phishing is one of the most common ways that attackers steal login credentials. Then, they turn around and log in to the organization's cloud infrastructure to gain access to sensitive data that they can steal or encrypt to execute a ransomware attack. The way the Twilio breach spread to affect Signal users is a stark reminder that an attacker’s goal isn’t always the service it initially compromised
To stay secure, organizations of every type and size should implement a cloud security platform that can alert them to a potential cyberattack by automatically detecting anomalous behavior. It is critical that every organization has advanced security capabilities that can detect indicators of malicious activity beyond just the traditional network — especially as attackers move across different devices, networks and apps to execute their attacks.
Visit our phishing solution page to learn more about how you can protect your organization against mobile phishing attacks.
Updated Aug. 25, 2022: the blog was updated to include the news from Group-IB that ties the attack to "0ktapus."
Here’s a video demo of how an anti-phishing solution like Lookout would block attacks like SMS phishing: