Flash Report: Twilio Social Engineering Attack

On August 8, 2022, the ZeroFox Threat Intelligence team observed a data breach impacting Twilio and its customers due to a successful "smishing" campaign. ZeroFox has assessed the potential impact and has released the following.

Key Findings

  • Enterprise software vendor Twilio confirmed today that hackers accessed an undisclosed amount of its customer data after an SMS phishing (smishing) campaign. 
  • Twilio began contacting users impacted by the attack.
  • Nevertheless, ZeroFox Intelligence recommends that Twilio users change their account login credentials and enable two-factor authentication if possible.

Analyst Commentary

ZeroFox Intelligence is monitoring an incident involving Twilio, which confirmed that hackers accessed its customer data after a successful smishing campaign. Twilio announced publicly today that the campaign targeted current and former employees with fraudulent SMS messages claiming to be from Twilio’s IT department and stating that the users’ passwords had expired. The attackers were then able to use the stolen credentials to gain access to internal systems and, subsequently, to certain customer data. Twilio is contacting all affected customers as of this writing. 

  • The messages referenced “Okta” and “SSO” (Single Sign-On) to entice the employees to click on a link guiding them to a fraudulent, threat-actor-controlled landing page that impersonated Twilio’s sign-in page.
  • The credibility of the smishing messages was increased by matching employee names from sources with their phone numbers. 

ZeroFox Intelligence notes the potential for some supply chain impact on downstream customers. Twilio provides communication tools for making and receiving calls, sending and receiving text messages, and other communication functions—including SMS-based two-factor authentication. Twilio is known to work with political action committees and other U.S. government entities to communicate with constituents and donors. If threat actors discover a way to leverage Twilio’s services to obtain authenticated sessions from downstream customers, multiple end users could be compromised for follow-on malicious activity. 

Recommendations

  • If not already enabled, turn on the compromised credentials rule for all relevant entities and ensure relevant emails are entered for those entities, or reach out to [email protected] for assistance.
  • Alert employees to potential social engineering attacks, including smishing text messages relating to this campaign.
  • In addition to enabling two-factor authentication, consider using a password manager as an additional protective measure against smishing.
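
A defender-side check for the lure described under Analyst Commentary, as an added example that is not part of the ZeroFox report: it scans SMS or proxy-log text for hostnames that pair the impersonated brand with the “Okta”/“SSO” themes on a domain outside an allowlist. The allowlist contents, the function names and the sample messages are assumptions constructed for illustration.

```python
import re

# Assumption: the real sign-in hosts live under these registered domains.
LEGIT_DOMAINS = {"twilio.com", "okta.com"}
BRAND_TOKENS = ("twilio",)       # name being impersonated
LURE_TOKENS = ("okta", "sso")    # themes the report says the messages used

# Hostname with optional scheme; the lookbehind skips file names in URL paths.
HOST_RE = re.compile(
    r"(?<![\w/.-])(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def registered_domain(host):
    """Naive last-two-labels cut; use a public-suffix list in production."""
    return ".".join(host.split(".")[-2:])

def extract_hosts(text):
    """Hostnames from full URLs and from bare domains in free text."""
    return [h.lower() for h in HOST_RE.findall(text)]

def is_suspicious(host):
    """Brand name plus an SSO-themed keyword on a domain that is not ours."""
    if registered_domain(host) in LEGIT_DOMAINS:
        return False
    has_brand = any(b in host for b in BRAND_TOKENS)
    has_lure = any(k in host for k in LURE_TOKENS)
    return has_brand and has_lure

def flag_lookalikes(lines):
    """Return (line_number, host) for every suspicious host found."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend((n, h) for h in extract_hosts(line) if is_suspicious(h))
    return hits

# Constructed sample messages (not from the incident); .example is reserved.
SAMPLE_MESSAGES = [
    "ALERT: Your Twilio password has expired. Reset at https://twilio-sso.example/reset",
    "Schedule change, log in via twilio.com.okta-portal.example",
    "Docs moved to https://www.twilio.com/docs/sso",
    "Lunch menu: https://cafeteria.example/menu",
]

if __name__ == "__main__":
    for n, host in flag_lookalikes(SAMPLE_MESSAGES):
        print(f"line {n}: suspicious host {host}")
```

The second sample shows why the check compares the registered domain rather than searching for the legitimate name anywhere in the host: a lookalike can carry the real domain as a subdomain prefix.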
