Smishers Fool Twilio Staff, Hack Corporate Systems and Breach Customer Data

Commsrisk might need to increase its output to keep pace with all the times criminals use social engineering to trick telco staff into giving away access to corporate systems. Last week the big story was the conviction of a hacker that sent phishing emails to T‑Mobile staff who gave him account credentials for systems he used to unlock handsets. A few months ago a hacker claimed he stole a Verizon employee database by pretending to work for their IT function and remotely connecting to an employee’s PC. Now Twilio, a US provider of programmable comms services with annual revenues of USD2.8bn, has admitted its staff were duped by SMS messages designed to look like login expiration warnings.

SMS phishing, otherwise known as smishing, is the practice of sending an SMS message designed to lure the victim into sharing passwords or other personal data. The Twilio attack involved messages with hyperlinks to a webpage that looked like a logon page for Twilio systems; an example is shown above. Twilio’s admission refers to ‘some employees’ falling for the smishing messages by entering their credentials into the hackers’ webpage. An update published on August 10 stated that the hackers accessed data for approximately 125 Twilio customers, who have been notified of the confidentiality breach. Twilio said there was no evidence that the hackers obtained any of the customers’ passwords, authentication tokens or API keys.

The social engineering methods used were described as ‘sophisticated’ by Twilio. However, they also sound much like many other phishing and smishing attacks. It is understandable that corporate victims of hackers will want to exaggerate the skill of hackers. However, the frequency with which hackers use common social engineering ploys means there is less excuse for being caught off guard. Telcos have spent the last two years warning ordinary people not to trust SMS messages with hyperlinks to web pages so their own staff should be at least as wary of smishing.

Twilio drew particular attention to one aspect of the attack that is worth highlighting.

Additionally, the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers.

This is important because the aforementioned hack of the Verizon employee database led that telco to state:

We do not believe the fraudster has any sensitive information…

Either the ability to search the work phone numbers of many telco employees is sophisticated or else a database of employee phone numbers is not sensitive information. So either Twilio is exaggerating the sophistication of the attack they suffered or Verizon is understating the seriousness of their data breach. If forced to choose, I side with Twilio because Verizon are trying to manipulate the public perception of a breach that means employees are significantly more likely to receive social engineering attacks.

The phone numbers of employees may not seem sensitive, especially as we work in an industry where we are all expected to provide contact details just to register for vital online sources of news and information. This collective behavior is increasingly foolish in a world where more employees will work remotely from one another, and so are less likely to be able to identify colleagues who call them or send them messages, sometimes to demand the handing over of sensitive information or compliance with urgent deadlines.

Twilio have said they will learn from their failings and are giving their staff mandatory awareness training on social engineering attacks. But the first lesson is that everybody claims to take security seriously after they have been hacked, whilst truly excellent security begins with identifying, admitting to, and addressing weaknesses before hackers can exploit them.

You can read Twilio’s account of how they responded to the hacking here.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.