Smishing Attack Led to Major Twilio Breach

Communications API developer Twilio has revealed a data breach last week in which an undisclosed number of customer accounts were accessed by hackers.

Current and former employees were targeted by SMS-based phishing (smishing) messages purporting to come from the firm’s IT department.

They tricked some staffers into handing over their credentials, which were subsequently used to hijack internal accounts and access systems containing customer data, Twilio said.

“Typical text bodies suggested that the employee’s passwords had expired, or that their schedule had changed, and that they needed to log in to a URL the attacker controls. The URLs used words including ‘Twilio,’ ‘Okta,’ and ‘SSO’ to try and trick users to click on a link taking them to a landing page that impersonated Twilio’s sign-in page,” it explained.

“The text messages originated from US carrier networks. We worked with the US carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down. Additionally, the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers.”

Twilio said other companies had been attacked in a similar way, and that despite it working with carriers, registrars and hosting providers, “the threat actors have continued to rotate through carriers and hosting providers to resume their attacks.”

That led the firm to brand its attackers “well-organized, sophisticated and methodical,” although it’s unclear what their motivations were with this raid.

In the meantime, Twilio has adapted its social engineering awareness training program for staff, and is notifying affected customers as well as examining “additional technical precautions.”

Jamie Moles, senior technical manager at ExtraHop, argued that organizations should focus more of their efforts on post-breach detection, given how easy it is to trick employees into clicking. This could include looking for tell-tale signs of compromise like command and control communications, data staging and lateral movement.

“Smart defenders should have a defensive playbook around the midgame, where the attacker pivots through an organization’s infrastructure, taking actions that can alert the team to the intrusion before they’re able to access, exfiltrate or encrypt critical data,” he added.
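The lure pattern Twilio describes, brand and SSO keywords embedded in a hostname the company does not own, is something a security team can screen reported SMS links for. The following is an added example (not Twilio's or ExtraHop's tooling); the trusted-domain allowlist and the sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: domains the company actually uses for sign-in.
TRUSTED_DOMAINS = {"twilio.com", "okta.com"}
# Words the reported lures embedded in their hostnames.
LURE_KEYWORDS = ("twilio", "okta", "sso")

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels (adequate for .com-style names)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike' (lure keyword on an untrusted host) or 'other'.

    Matching on the registrable domain rather than the full hostname is what
    catches 'twilio.com.<attacker-domain>' style subdomain tricks.
    """
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "other"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    if any(kw in host for kw in LURE_KEYWORDS):
        return "lookalike"
    return "other"


def flag_smishing(messages):
    """Return (message, url) pairs whose link points at a lookalike sign-in host."""
    return [(msg, url) for msg in messages
            for url in URL_RE.findall(msg)
            if classify_url(url) == "lookalike"]


# Constructed sample texts echoing the lure wording quoted in the article.
SAMPLE_SMS = [
    "IT: your password has expired, reset at https://twilio-sso.example/login",
    "Schedule change, sign in to confirm: https://twilio.com.sso-login.example/",
    "Reminder: review your shifts at https://okta.twilio.com/app/home",
    "Your parcel is on its way https://tracking.example.org/12345",
]

if __name__ == "__main__":
    for msg, url in flag_smishing(SAMPLE_SMS):
        print("LOOKALIKE:", url)
```

The keyword list and allowlist are deliberately small; in practice they would come from the organisation's own identity-provider inventory, and the registrable-domain logic would use a public-suffix list.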