Twilio has suffered a data breach and the attackers “used the stolen credentials to gain access to some of our internal systems”.
Twilio is a messaging platform with a nice API. I used it last year to set up an Eliza-like SMS auto-responder to amuse my daughter while traveling. With simple code, you can set up automated or responsive SMS (and other messaging platform) texting.
If this platform were subverted, the spamming potential for attackers is obvious.
I’m reminded of a few LowEndTalk war stories over the years from people who rent cheap Mac (macOS) VPS systems. The main problem? People sign up and start blasting out iMessage spam.
The attack was a “sophisticated” social engineering hack where employees received messages allegedly originating from Twilio IT, which then allowed the attackers to steal employee credentials.
More specifically, current and former employees recently reported receiving text messages purporting to be from our IT department. Typical text bodies suggested that the employee’s passwords had expired, or that their schedule had changed, and that they needed to log in to a URL the attacker controls. The URLs used words including “Twilio,” “Okta,” and “SSO” to try and trick users to click on a link taking them to a landing page that impersonated Twilio’s sign-in page. The text messages originated from U.S. carrier networks. We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down. Additionally, the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers.
I’m guessing these “sophisticated abilities” were achieved by LinkedIn and Google.
Sounds like someone worked up a comprehensive attack on Twilio and it worked. The writeup has info and screenshots.
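The quoted description says the lure URLs contained the words “Twilio,” “Okta,” and “SSO”. As an added example (not code from Twilio or from this post), a messaging or mail gateway could flag such links along these lines; the trusted-domain list, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Words the Twilio write-up says appeared in the phishing URLs.
LURE_KEYWORDS = ("twilio", "okta", "sso")
# Assumption: the domains the organisation really signs in on.
TRUSTED_DOMAINS = ("twilio.com", "okta.com")

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def classify_url(url):
    """Return (verdict, keywords): 'trusted', 'suspicious', 'unknown' or 'unparseable'."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ("unparseable", [])
    if not host:
        return ("unparseable", [])
    # Match on the real host only: userinfo ("twilio.com@...") and
    # left-hand labels ("twilio.com.evil...") do not make a URL trusted.
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return ("trusted", [])
    # Substring match is deliberately broad; expect some false positives.
    haystack = (parts.netloc + parts.path).lower()
    hits = [k for k in LURE_KEYWORDS if k in haystack]
    return ("suspicious" if hits else "unknown", hits)

def scan_message(text):
    """Classify every http(s) URL found in one SMS body."""
    results = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)")  # drop sentence punctuation glued to the link
        results.append((url, *classify_url(url)))
    return results

# Constructed sample messages modelled on the lures described in the post.
SAMPLES = [
    "Notice: your password has expired. Log in at https://twilio-sso.example/login.",
    "Your schedule has changed, see https://twilio.com.okta-verify.example/s",
    "IT: reset here https://twilio.com@portal.example/reset",
    "Status page: https://www.twilio.com/login",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        for url, verdict, hits in scan_message(msg):
            print(f"{verdict:10} {hits} {url}")
```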