Communications products company Twilio recently disclosed that it was subjected to a sophisticated social engineering attack aimed at stealing employee credentials. By means of smishing, the attackers gained unauthorized access to information related to a limited number of Twilio customer accounts.
“This broad based attack against our employee base succeeded in fooling some employees into providing their credentials. The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data,” said Twilio in its blog post.
The smishing attack on Twilio
Current and former employees of Twilio received text messages purporting to be from its IT department. The messages suggested that the employee’s password had expired or that their schedule had changed, and that they needed to log in at a URL controlled by the attacker. The URLs used words like “Twilio,” “Okta,” and “SSO” to trick users into clicking a link that took them to a landing page impersonating Twilio’s sign-in page.
Image source: Twilio
Twilio found that the text messages originated from U.S. carrier networks and has worked with the U.S. carriers to shut down the actors. It also worked with the hosting providers serving the malicious URLs to shut down those accounts. The threat actors had the sophisticated ability to match employee names gathered from various sources with their phone numbers. Twilio, which closed its second quarter with $943 million in revenue and 41% year-over-year growth, has yet to identify the specific threat actors.
Following the attack, Twilio has re-emphasized its security training to keep employees on high alert for social engineering attacks, and has instituted additional mandatory awareness training on social engineering.
What is smishing and what to do about it?
SMS phishing, generally known as smishing, is a type of cyber threat whose effectiveness owes much to its simplicity: it exploits the weakest link in any cybersecurity chain.
How smishing works
The victim receives a text message containing a link, sent from a number that appears to match the legitimate number used by the company. The victim is encouraged to click this link, which is controlled by the attacker.
Upon clicking the link, the victim is taken to a realistic-looking copy of the company’s login page. When the victim enters their login credentials, those credentials are sent directly to the attacker.
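The lure in the flow above depends on a link that borrows the company’s sign-in vocabulary (“Twilio,” “Okta,” “SSO”) while pointing at an attacker-controlled host. The following Python script is an added example, not code from Twilio or from the article, showing how a defender can triage reported text messages by flagging links that use protected brand words on a host that is not on the organization’s sign-in allowlist. The keyword list, the allowed hostnames and the sample messages are all constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed configuration for a hypothetical organization (not Twilio's
# real environment): brand words an attacker is likely to reuse in lookalike
# links, and the hostnames where sign-in is legitimately allowed to happen.
PROTECTED_KEYWORDS = ("twilio", "okta", "sso")
ALLOWED_HOSTS = {"example-corp.okta.com", "sso.example-corp.com"}

URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)
TOKEN_RE = re.compile(r"[^a-z0-9]+")


def extract_urls(text):
    """Return every http(s) URL found in a message body."""
    return URL_RE.findall(text)


def is_allowed_host(host):
    """True if host is an approved sign-in host or a subdomain of one."""
    return host in ALLOWED_HOSTS or any(host.endswith("." + h) for h in ALLOWED_HOSTS)


def classify_url(url):
    """Return a reason string if the URL looks like a sign-in lookalike, else None."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if is_allowed_host(host):
        return None
    # Tokenise host and path so 'twilio-sso' yields 'twilio' and 'sso',
    # while an unrelated word such as 'lesson' does not match 'sso'.
    tokens = [t for t in TOKEN_RE.split(host + parts.path.lower()) if t]
    for kw in PROTECTED_KEYWORDS:
        for tok in tokens:
            if tok == kw or tok.startswith(kw) or tok.endswith(kw):
                return f"keyword '{kw}' in unapproved URL"
    return None


def scan_message(text):
    """Scan one SMS body; return [(url, reason), ...] for suspicious links."""
    findings = []
    for url in extract_urls(text):
        reason = classify_url(url)
        if reason:
            findings.append((url, reason))
    return findings


# Constructed sample messages modelled on the lures described above.
SAMPLE_MESSAGES = [
    "IT Support: your Twilio password has expired. Reset now at "
    "https://twilio-sso.examplehost.invalid/okta/login",
    "Reminder: your schedule changed. Review it at https://sso.example-corp.com/schedule",
    "Reading list for today: https://example.invalid/lesson/3",
]


def triage(messages):
    """Return the indexes of messages that contain at least one suspicious link."""
    return [i for i, m in enumerate(messages) if scan_message(m)]


if __name__ == "__main__":
    for i, msg in enumerate(SAMPLE_MESSAGES):
        for url, reason in scan_message(msg):
            print(f"message {i}: {url} -> {reason}")
    print("flagged:", triage(SAMPLE_MESSAGES))
```

The allowlist check runs first so that legitimate sign-in hosts (and their subdomains) are never flagged, and keyword matching is done on tokens rather than raw substrings to keep false positives down; the keyword list and allowlist should be tuned to the organization’s own identity providers.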
Attackers can launch smishing attacks like this against hundreds or thousands of victims at once. Apart from large-scale campaigns, attackers can also unleash targeted smishing attacks on high-profile victims after weeks or even months of reconnaissance. Attacks of this type are often supported by voice phishing, or vishing, in which attackers manipulate the victim directly over the phone.
What can be done about smishing?
Unlike malware, smishing and other social engineering attacks are effective only when victims fail to recognize them.
To counter these attacks, organizations must start by stepping up employee cybersecurity training.
- Train employees never to take at face value any text message that contains a link to a website or requests any kind of personal information.
- If in doubt, contact the organization the text message appears to come from, using the contact information on its official website.
- By requiring at least one additional verification factor to be presented, multi-factor authentication (MFA) can prevent cyber criminals who have obtained login information from an unsuspecting victim from successfully using it.
- Employees must immediately report all smishing attempts to the IT department.
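To make the MFA point concrete, the following Python script is an added example (not Twilio’s code and not from the article) of a login check that refuses a correct password unless a valid time-based one-time code is also presented, so a password captured through a fake sign-in page is not enough on its own. The user record, password and salt are constructed; the TOTP secret is the RFC 6238 test-vector secret, and the HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238 (HMAC-SHA1, 30-second steps).

```python
import hashlib
import hmac
import struct

# Constructed demo values (hypothetical user store, not a real deployment).
SALT = b"constructed-demo-salt"
PBKDF2_ROUNDS = 100_000
TOTP_STEP = 30


def hash_password(password):
    """Derive a PBKDF2-HMAC-SHA256 hash; a real store uses a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, PBKDF2_ROUNDS)


USERS = {
    "alice": {
        "pw_hash": hash_password("correct-password"),
        # RFC 6238 test-vector secret; a real secret is random per user.
        "totp_secret": b"12345678901234567890",
    }
}


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=TOTP_STEP, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time, window=1):
    """Accept the code for the current step or one step either side (clock drift)."""
    counter = unix_time // TOTP_STEP
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False


def check_password(user, password):
    return hmac.compare_digest(user["pw_hash"], hash_password(password))


def login(username, password, otp, unix_time):
    """Return (granted, reason). Only a missing second factor is reported distinctly,
    so the client can prompt for it; wrong password and wrong code both read 'denied'."""
    user = USERS.get(username)
    if user is None or not check_password(user, password):
        return (False, "denied")
    if otp is None:
        return (False, "second factor required")
    if not verify_totp(user["totp_secret"], otp, unix_time):
        return (False, "denied")
    return (True, "ok")


if __name__ == "__main__":
    now = 59  # RFC 6238 vector time; use time.time() in practice
    # Attacker replaying only the phished password is stopped at the second factor.
    print(login("alice", "correct-password", None, now))
    # Legitimate user with their authenticator's current code.
    print(login("alice", "correct-password", totp(USERS["alice"]["totp_secret"], now), now))
```

A code typed by the user into the attacker’s page can still be relayed within its short validity window, which is why authenticators bound to the site’s origin (FIDO2/WebAuthn security keys) resist this kind of lure better than one-time codes; the check above nonetheless stops the simplest case, where the attacker holds only the captured password.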