LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Those Spam Texts Are Coming From Twilio: They've Been Hacked

Twilio has suffered a data breach and the attackers “used the stolen credentials to gain access to some of our internal systems”.

Twilio is a messaging platform with a nice API.  I used it last year to set up an Eliza-like SMS auto-responder to amuse my daughter while traveling.  With simple code, you can set up automated or responsive SMS (and other messaging platform) texting.

If this platform was subverted, the spamming potential for attackers is obvious.

I’m reminded of a few LowEndTalk war stories over the years from people who rent cheap Mac (macOS) VPS systems.  The main problem?  People sign up and start blasting out iMessage spam.

The attack was a “sophisticated” social engineering hack in which employees received messages allegedly originating from Twilio IT, which then allowed the attackers to steal employee credentials.

More specifically, current and former employees recently reported receiving text messages purporting to be from our IT department. Typical text bodies suggested that the employee’s passwords had expired, or that their schedule had changed, and that they needed to log in to a URL the attacker controls. The URLs used words including “Twilio,” “Okta,” and “SSO” to try and trick users to click on a link taking them to a landing page that impersonated Twilio’s sign-in page. The text messages originated from U.S. carrier networks. We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down. Additionally, the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers.

I’m guessing these “sophisticated abilities” were achieved by LinkedIn and Google.

Sounds like someone worked up a comprehensive attack on Twilio and it worked.  The writeup has info and screenshots.
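The lure Twilio describes above has two recognisable traits: a link whose hostname carries a brand word (“Twilio,” “Okta,” “SSO”) on a domain that is not the real one, and a pretext about an expired password or a changed schedule. As an added example, not code from the original post or from Twilio, here is a small Python filter that scores inbound SMS text on those two traits; the allowlisted domains and the sample messages are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Brand words the Twilio report says the lure URLs contained.
LURE_TOKENS = {"twilio", "okta", "sso"}
# Domains that may legitimately carry those words (assumed allowlist, not from the report).
LEGIT_DOMAINS = {"twilio.com", "okta.com"}
# Pretexts the report describes: expired password, changed schedule.
PRETEXT_RE = re.compile(r"password.*expir|schedule.*chang", re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def registered_domain(host):
    """Naive eTLD+1 (last two labels); adequate for .com-style lookalikes."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_urls(text):
    """Return URLs whose hostname labels contain a brand token but whose
    registered domain is not on the allowlist (i.e. brand-bearing lookalikes)."""
    found = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        if registered_domain(host) in LEGIT_DOMAINS:
            continue
        labels = set(re.split(r"[.-]", host.lower()))
        if labels & LURE_TOKENS:
            found.append(url)
    return found


def classify_sms(text):
    """Flag a message only when a lookalike URL and a pretext phrase co-occur."""
    urls = suspicious_urls(text)
    pretext = bool(PRETEXT_RE.search(text))
    return {"lookalike_urls": urls, "pretext": pretext,
            "flag": bool(urls) and pretext}


# Constructed sample messages, not real lures from the incident.
SAMPLES = [
    "IT: your password has expired. Sign in at https://twilio-sso.example.net/login to keep access.",
    "Your schedule has changed, review it here: http://okta.portal-example.com/schedule",
    "Reminder: team lunch Friday, details at https://www.twilio.com/blog",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_sms(sample))
```

The first two samples are flagged, the third (a real Twilio domain with no pretext) is not; in practice the allowlist would be replaced by the organisation's own identity-provider domains.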
