September 27, 2022

Volume XII, Number 270


September 26, 2022


Twilio Hit with Social Engineering Smishing Scheme

We’ve explained smishing schemes before. Smishing is like phishing, but it uses SMS text messages to deliver malicious code to users’ phones or to trick users into visiting a malicious website that steals their credentials or money. Hence, the important tip is to be very wary of texts from unknown individuals urging you to click on links embedded within the text.

Smishing schemes can be sophisticated, which is how Twilio describes the successful smishing attack against it that was discovered on August 4, 2022. According to Wikipedia, Twilio “provides programmable communication tools for making and receiving phone calls, sending and receiving text messages, and performing other communication functions using its web service APIs.” It is ironic that Twilio, a communications platform, was hit with a smishing attack.

According to Twilio,

“On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials. This broad based attack against our employee base succeeded in fooling some employees into providing their credentials. The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data….

“More specifically, current and former employees recently reported receiving text messages purporting to be from our IT department. Typical text bodies suggested that the employee’s passwords had expired, or that their schedule had changed, and that they needed to log in to a URL the attacker controls. The URLs used words including “Twilio,” “Okta,” and “SSO” to try and trick users to click on a link taking them to a landing page that impersonated Twilio’s sign-in page. The text messages originated from U.S. carrier networks. We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down. Additionally, the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers.”

The data of 125 customers was affected by the attack and Twilio is working directly with those customers.

Just after Twilio announced it had been affected by the smishing incident, Cloudflare publicly announced on August 9, 2022, that it, too, had been targeted by a similar attack. According to its website, Cloudflare “started as a simple application to find the source of email spam. From there it grew into a service that protects websites from all manner of attacks, while simultaneously optimizing performance.”

Cloudflare said it had been targeted by a similar smishing scheme and used the experience to educate others about the incident in its blog post, “The mechanics of a sophisticated phishing scam and how we stopped it.” Cloudflare acknowledged that “around the same time as Twilio was attacked, we saw an attack with very similar characteristics also targeting Cloudflare’s employees” and, while some of its employees fell for the messages, it used its own products to stop the attack. Although that is a bit self-serving, the point is that internet service providers (ISPs) and other communication providers were being targeted simultaneously with smishing attacks, which is obviously concerning.

Cloudflare states, “This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached. Given that the attacker is targeting multiple organizations, we wanted to share here a rundown of exactly what we saw in order to help other companies recognize and mitigate this attack.” Very helpful, Cloudflare, and thank you for sharing details so other organizations can be aware of how the scheme works and put measures in place to prevent a similar attack. This is the value of information sharing. The breakdown of the attack by Cloudflare is excellent, and readers may wish to review it and use it as a tool for educating their users on smishing attacks and why they are often so successful.

Copyright © 2022 Robinson & Cole LLP. All rights reserved. National Law Review, Volume XII, Number 223

About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...