Telcos Were the First Targets of Recent Okta Phishing

This article was prompted by recent news stories featuring data compromise via employee accounts.  It highlights the importance of telco security as recent attacks appear to have used telco data as a key element in attacking further systems.

Twilio

Commsrisk recently reported an SMS phishing (smishing) attack on Twilio. Twilio is a US-based company which provides programmable communication tools for making and receiving phone calls and text messages. Ironically, it also owns the two-factor authentication (2FA) service Authy. Recently, current and former employees received text messages purporting to be from Twilio’s IT department stating that passwords had expired, or that their schedule had changed, and that they needed to log in to a URL which included the words “Twilio,” “Okta,” and “SSO”. The objective was to trick users into clicking on a link taking them to a landing page that impersonated Twilio’s sign-in page. The smishing attack succeeded in fooling some employees into providing their credentials, which the attackers used to gain access to some internal systems and some customer data.

Cloudflare

Contrast the Twilio experience with Cloudflare, a web performance and security company, which provided a detailed account of both the attack upon its business and its countermeasures and response.  Cloudflare states that during the attack, in less than a minute, 76 employees received text messages on their personal and work phones. Some messages were also sent to the family members of employees.

Cloudflare established that when the phishing page was completed by a victim, the credentials were immediately relayed to the attacker via the Telegram messaging service. This relay was important because it meant the attacker received the user credentials in real time and could enter them in the genuine login page. The genuine login site then generated a time-based one-time password (TOTP) code which was sent to the employee victim via SMS or displayed on a password generator. The employee victim then entered the TOTP code on the phishing site, the attacker received it in real time and could then use it on the genuine login page.

Once a victim got this far, the phishing page also initiated the download of a phishing payload which included AnyDesk’s remote access software, which would allow an attacker to control the victim’s machine remotely.

So far, so depressing. Three Cloudflare employees fell for the phishing message and entered their credentials. However, every Cloudflare employee is issued a FIDO2-compliant security key which utilises origin binding. The keys are tied to the users and each login is bound to the origin (the site) the key was registered with, meaning that only the real site can authenticate with the key; a login attempted from the fake site fails, however promptly the attacker relays it.
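The two mechanisms above behave differently under exactly the same real-time relay, and the difference is easiest to see in code. The following is an added example, not code from Cloudflare, Twilio or this article: a stdlib-only toy model in which a TOTP code typed on the phishing page is replayed to the genuine site and accepted, while a FIDO2/WebAuthn assertion produced on the phishing page is rejected because the browser records the page origin in the signed data and the relying party checks it. All origins, secrets and challenges are constructed, and the authenticator's private-key signature is replaced by an HMAC with a secret the relying party also holds (a simplification; real authenticators sign with an asymmetric key).

```python
"""Toy model: a relayed TOTP code passes, a relayed WebAuthn assertion does not.
Stdlib only. HMAC stands in for the authenticator's asymmetric signature (assumption).
All origins, secrets and challenges are constructed for the example."""
import hashlib, hmac, json, os, struct, time

REAL_ORIGIN = "https://sso.example.com"        # constructed: genuine login page
PHISH_ORIGIN = "https://sso-example-okta.com"  # constructed: lookalike page hosting the relay
RP_ID = "example.com"                          # constructed: relying party identifier

# ---------- TOTP (RFC 6238 on top of HOTP, RFC 4226) ----------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp(secret: bytes, now: float, step: int = 30) -> str:
    return hotp(secret, int(now // step))

def verify_totp(secret: bytes, code: str, now: float, step: int = 30, skew: int = 1) -> bool:
    # Accept the current time step and one step either side. Nothing here names the
    # site the code was typed into, so a code captured on a phishing page still verifies.
    counter = int(now // step)
    return any(hmac.compare_digest(hotp(secret, counter + d), code) for d in range(-skew, skew + 1))

def relayed_totp_login(secret: bytes, now: float) -> bool:
    """Victim types the code on the phishing page; attacker replays it 5 s later on the real site."""
    code_typed_on_phish = totp(secret, now)
    return verify_totp(secret, code_typed_on_phish, now + 5)

# ---------- FIDO2 / WebAuthn assertion with origin binding ----------
class ToyAuthenticator:
    def __init__(self):
        self.key = os.urandom(32)  # stands in for the credential's private key (simplification)

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        # authenticatorData = SHA-256(rpId) || flags (UP=1) || signCount, as in WebAuthn
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self.key, signed, hashlib.sha256).digest()

def browser_get(authn: ToyAuthenticator, page_origin: str, challenge: str, rp_id: str):
    """What the browser does for navigator.credentials.get(): it, not the page, writes the
    document origin into clientDataJSON and refuses an rpId the origin is not within."""
    host = page_origin.split("://", 1)[1].split("/")[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"rpId {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data, sig = authn.get_assertion(rp_id, client_data)
    return client_data, auth_data, sig

def rp_verify(authn_key: bytes, challenge: str, client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks from the WebAuthn assertion verification procedure."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:                            # origin binding
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():  # rpIdHash check
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(authn_key, signed, hashlib.sha256).digest(), sig)

def genuine_webauthn_login(authn: ToyAuthenticator, challenge: str) -> bool:
    return rp_verify(authn.key, challenge, *browser_get(authn, REAL_ORIGIN, challenge, RP_ID))

def relayed_webauthn_login(authn: ToyAuthenticator, challenge: str) -> bool:
    """Attacker fetches a real challenge, shows it on the phishing page and relays the result."""
    try:   # the browser will not let the lookalike page use the real rpId ...
        parts = browser_get(authn, PHISH_ORIGIN, challenge, RP_ID)
    except ValueError:
        # ... so the most the page can do is use its own host as rpId (in practice the key
        # holds no credential for that rpId at all); origin and rpIdHash then fail at the RP
        parts = browser_get(authn, PHISH_ORIGIN, challenge, "sso-example-okta.com")
    return rp_verify(authn.key, challenge, *parts)

if __name__ == "__main__":
    secret = os.urandom(20)
    print("relayed TOTP accepted:    ", relayed_totp_login(secret, time.time()))   # True
    authn = ToyAuthenticator()
    chal = os.urandom(16).hex()
    print("genuine WebAuthn accepted:", genuine_webauthn_login(authn, chal))       # True
    print("relayed WebAuthn accepted:", relayed_webauthn_login(authn, chal))       # False
```

The point to take from the model is where the site identity lives: a TOTP code is a function of a shared secret and the clock only, so it is valid wherever it is presented, whereas the signed WebAuthn data carries the origin the browser saw and the hash of the relying party identifier, and the relying party rejects anything that names a different site.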

A detailed account from Cloudflare is available here.

The Telco Connection

Group-IB, a cybersecurity specialist, analysed the attackers’ phishing infrastructure, including phishing domains, the phishing kit and the Telegram channel controlled by the threat actors. It identified that the phishing attacks on Twilio and Cloudflare were part of a campaign that resulted in the compromise of 9,931 accounts in over 130 organizations, the vast majority being in the United States.

According to the compromised data analysed by Group-IB, the threat actors started their attacks by targeting mobile operators and telecommunications companies and could have collected the numbers from those initial attacks.  Group-IB’s summary report on ‘the Oktapus campaign’ is available here.

Analysis

The first step of the attack is to identify the target companies and obtain employee mobile numbers.  It was interesting that Twilio reported smishing messages sent to current and former employees and Cloudflare noted that some messages had been sent to employees’ family members.  If the mobile numbers of victims were obtained via a telco employee, I would expect the data to be current and clean, so the evidence suggests it wasn’t unauthorised disclosure but unauthorised access – did they get into the telcos the same way they got into the victims?  Messages sent to former employees and family members suggest the attackers were unable to fully validate the data or it wasn’t worth the effort – after all, smishing is already a scattergun approach.

Cloudflare reports that it runs a 24×7 Security Incident Response Team (SIRT) and that every employee is trained to report anything suspicious.  Whilst Cloudflare disclosed that 3 employees were duped by the fake SMS, it didn’t tell us how many phishing messages were reported to SIRT – that would have been an interesting performance measure.  And it’s great that Twilio took appropriate remedial action, but it must also question its preventive controls, for example, when did it last highlight the risks of email compromise and social engineering before the attacks?

This smishing campaign was an extensive and effective data harvesting exercise. Despite the involvement of law enforcement and the cooperation from carriers, the attackers were able to:

  1. subject multiple companies to simultaneous attacks, and
  2. continue their activity using substitute URLs as their active URLs were identified and shut down.

In the absence of any other explanation, I always assume the motive is financial and believe that was ultimately the case here, although it is not yet obvious who the ultimate victims will be and the price they will pay.  Is it possible the companies were compromised so criminals could identify key customers and account controllers who will be targeted for fraud?

These incidents demonstrated the importance of secure access protocols for staff. Which company’s security manager would you rather be right now: Twilio or Cloudflare?

Prevention and Detection

Telco data is a springboard for phishing attacks.  Does that information change your view of risk and what, if anything, are you going to do about it?

Here are some ideas which could help you assess the level of risk in your own business:

  • Do your contracts require business partners to notify you of data breaches?
  • Do you monitor the registration of domain names similar to yours?
  • When did your business last highlight the risks of business email compromise and social engineering attacks?
  • Have you ever tested employee response by sending fake account update messages?
  • Do you have an effective process for staff to report suspected scams?
  • Have you implemented secure multi-factor authentication? (One-time SMS passwords are cheap, but not secure, as shown by banks.)
  • Review the process for creating and changing a supplier’s bank account and check any that have been changed recently to confirm whether the process was followed.
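The second item in the list above, watching for registrations of domain names similar to your own, is a check that can be automated. The following is an added example, not part of this article: a small screening routine that takes a feed of newly seen domain names and flags those carrying your brand token or sitting within two edits of your domain, weighting them up when they also contain authentication-themed words such as the “Okta” and “SSO” seen in the campaign’s URLs. The brand name, keyword list and the feed itself are constructed for the example; in practice the feed would come from a certificate-transparency or new-registration source, and a public suffix list would replace the two-label approximation used here.

```python
"""Added example: screen newly seen domain names for lookalikes of your own domain.
Brand, keyword list and the feed are constructed; registrable-domain handling is a
two-label simplification (no public suffix list)."""
import re

BRAND = "example"                      # constructed: token carried by your own domain
OWN_DOMAIN = "example.com"             # constructed
AUTH_WORDS = ("sso", "okta", "login", "signin", "mfa", "auth")  # assumption: words worth weighting

# Constructed stand-in for a new-domain feed.
FEED = [
    "sso.example.com",        # our own subdomain: must not be flagged
    "example-sso-okta.com",   # brand token plus two auth words
    "exampel.com",            # transposed letters, edit distance 2
    "okta-login.net",         # auth words only, no relation to our brand
    "examplecorp.net",        # brand token, nothing else
    "unrelated-shop.org",
]

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, O(len(a)*len(b)) with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain: str) -> str:
    # Simplification: last two labels. A real deployment should use the public suffix list.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def score(domain: str):
    """Return (points, reasons); points is 0 for domains not worth a look."""
    d = domain.lower().rstrip(".")
    reg = registrable(d)
    if reg == OWN_DOMAIN:
        return 0, []                                  # our own names are fine
    points, reasons = 0, []
    if BRAND in d.replace("-", ""):                   # brand token anywhere, hyphens ignored
        points += 2
        reasons.append("brand token")
    dist = levenshtein(reg.split(".")[0], OWN_DOMAIN.split(".")[0])
    if 0 < dist <= 2:                                 # typosquat-style near miss
        points += 2
        reasons.append(f"edit distance {dist}")
    if not points:
        return 0, []                                  # auth words alone are not our problem
    hits = [w for w in AUTH_WORDS if w in re.split(r"[.-]", d)]
    points += len(hits)
    if hits:
        reasons.append("auth keywords: " + ",".join(hits))
    return points, reasons

def screen(feed):
    """Flagged domains as (domain, points, reasons), highest score first."""
    rows = []
    for dom in feed:
        pts, why = score(dom)
        if pts:
            rows.append((dom, pts, why))
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for dom, pts, why in screen(FEED):
        print(f"{pts:>2}  {dom:<28} {'; '.join(why)}")
```

Scoring is deliberately coarse: the aim is a short daily list for a person to look at, not a verdict, and the threshold that matters is the requirement that a name resembles yours before the authentication keywords count at all, which keeps generic phishing domains aimed at other companies off your list.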

And Finally, a Word from the FBI

  • Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
  • Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
  • Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
  • Be careful what you download. Never open an email attachment from someone you don’t know, and be wary of email attachments forwarded to you.
  • Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
  • Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in account number or payment procedures with the person making the request.
  • Be especially wary if the requestor is pressing you to act quickly.

Let’s be careful out there…

David Morrow
Dave has 35 years of law enforcement, investigation and fraud management experience including multiple international assignments. He is a recognised telecoms fraud expert and for a number of years chaired the GSMA workgroup responsible for Security & Fraud Risk Assessments.

Dave now provides fraud management support as an independent consultant.