Phishers who breached Twilio and fooled Cloudflare could easily get you, too

Phishers who breached Twilio and fooled Cloudflare could easily get you, too
Getty Images

reader comments
23 with 21 posters participating

At least two security-sensitive companies—Twilio and Cloudflare—were targeted in a phishing attack by an advanced threat actor who had possession of home phone numbers of not just employees but employees’ family members as well.

In the case of Twilio, a San Francisco-based provider of two-factor authentication and communication services, the unknown hackers succeeded in phishing the credentials of an undisclosed number of employees and, from there, gained unauthorized access to the company’s internal systems, the company said. The threat actor then used that access to data in an undisclosed number of customer accounts.

Two days after Twilio’s disclosure, content delivery network Cloudflare, also headquartered in San Francisco, revealed it had also been targeted in a similar manner. Cloudflare said that three of its employees fell for the phishing scam, but that the company’s use of hardware-based MFA keys prevented the would-be intruders from accessing its internal network.

Well-organized, sophisticated, methodical

In both cases, the attackers somehow obtained the home and work phone numbers of both employees and, in some cases, their family members. The attackers then sent text messages that were disguised to appear as official company communications. The messages made false claims such as a change in an employee’s schedule, or the password they used to log in to their work account had changed. Once an employee entered credentials into the fake site, it initiated the download of a phishing payload that, when clicked, installed remote desktop software from AnyDesk.

Cloudflare

The threat actor carried out its attack with almost surgical precision. When the attacks on Cloudflare, at least 76 employees received a message in the first minute. The messages came from a variety of phone numbers belonging to T-Mobile. The domain used in the attack had been registered only 40 minutes prior, thwarting the domain protection Cloudflare uses to ferret out impostor sites.

Cloudflare

We confirmed that three Cloudflare employees fell for the phishing message and entered their credentials. However, Cloudflare does not use TOTP codes. Instead, every employee at the company is issued a FIDO2-compliant security key from a vendor like YubiKey. Since the hard keys are tied to users and implement origin binding, even a sophisticated, real-time phishing operation like this cannot gather the information necessary to log in to any of our systems. While the attacker attempted to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement.

Cloudflare went on to say it wasn’t disciplining the employees who fell for the scam and explained why.

“Having a paranoid but blame-free culture is critical for security,” the officials wrote. “The three employees who fell for the phishing scam were not reprimanded. We’re all human and we make mistakes. It’s critically important that when we do, we report them and don’t cover them up.”