
What the Twilio Breach Teaches Us About Smishing and Access to Corporate Accounts and Data


Created: Tuesday, August 9, 2022 - 13:32
Categories: Cybersecurity, Security Preparedness

As Twilio recently learned, threat actors can breach internal corporate systems by stealing employee credentials through SMS phishing (smishing). Work from home may well be a contributing factor in smishing-based compromises, but the incident demonstrates that no organization is immune from smishing attacks targeting employee devices. Whether or not your organization uses Twilio, deconstructing what is known about the incident can go a long way toward protecting your employees, and ultimately your organization, from a similar fate.

Successful

Believe it or not, smishing is far more effective per message than email-based phishing, because people are much more likely to click links on their phones. Reports consistently cite that over 95 percent of phishing is delivered through email and only about 1 percent through phones, yet smishing achieves a click-through rate at least 8x that of email. According to Proofpoint, text messages have a 98 percent open rate, with recipients opening 90 percent of them within 3 minutes – those are great odds for an attacker.

Security Awareness

Organizations spend a lot of time training users on phishing tactics and campaigns, including distributing simulated phishing tests. But with 98 percent of text messages being opened, it’s important to incorporate smishing awareness into regular reminders, including the themes currently being used (hint: they are very similar to the themes used in email-based phishing).

In the Twilio incident, current and former employees reported receiving text messages purporting to be from the IT department. Typical text bodies claimed that the employee's password had expired, or that their schedule had changed, and that they needed to log in at a URL the attacker controlled. According to the report, the URLs contained words such as "Twilio," "Okta," and "SSO" to trick users into clicking a link that led to a landing page impersonating Twilio’s sign-in page. Furthermore, the text messages originated from U.S. carrier networks, which made them harder to distinguish from ordinary domestic texts.
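The lure pattern above (a link whose hostname trades on "Twilio", "Okta" or "SSO" while pointing somewhere other than the real sign-in host, wrapped in an expired-password or schedule-change pretext) is something a help desk or SOC can triage mechanically once employees forward suspicious texts. The following Python script is an added example, not code from the original article, from Twilio or from SecurityWeek. The allowlisted sign-in hosts, the keyword and pretext lists, and the sample messages are all assumed or constructed for illustration; substitute your own identity provider hostnames and brand names.

```python
import re
from urllib.parse import urlsplit

# Allowlist of the organisation's genuine sign-in hosts. These are assumed
# placeholders; replace them with your real identity-provider/SSO hostnames.
LEGIT_SSO_HOSTS = {"login.example.com", "example.okta.com"}

# Words the reported Twilio lure URLs traded on. Extend with your own brand.
BRAND_KEYWORDS = ("twilio", "okta", "sso")

# Pretexts reported in the Twilio texts (expired password, changed schedule).
LURE_PHRASES = (
    "password has expired",
    "password expired",
    "schedule has changed",
    "schedule change",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL in a message body, trailing punctuation stripped."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def host_of(url):
    """Lower-cased hostname of a URL ('' if it cannot be parsed)."""
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""


def is_lookalike_host(host, legit_hosts=LEGIT_SSO_HOSTS, keywords=BRAND_KEYWORDS):
    """True when a host contains a brand/SSO keyword but is neither an
    allowlisted host nor a subdomain of one (so 'okta.com.evil.test' is
    flagged while 'sso.example.okta.com' is not)."""
    if not host:
        return False
    if host in legit_hosts or any(host.endswith("." + h) for h in legit_hosts):
        return False
    return any(k in host for k in keywords)


def score_message(text):
    """Score one SMS body. A lookalike link weighs most; a pretext phrase or a
    claim to be 'IT' on its own is not enough to flag a message."""
    score, reasons = 0, []
    for url in extract_urls(text):
        host = host_of(url)
        if is_lookalike_host(host):
            score += 3
            reasons.append(f"lookalike sign-in host: {host}")
    lowered = text.lower()
    for phrase in LURE_PHRASES:
        if phrase in lowered:
            score += 1
            reasons.append(f"pretext: '{phrase}'")
            break
    if re.search(r"\bIT\b", text) or "it department" in lowered:
        score += 1
        reasons.append("claims to come from IT")
    return {"score": score, "suspicious": score >= 3, "reasons": reasons}


# Constructed sample messages (not real Twilio lures), modelled on the report.
SAMPLE_MESSAGES = [
    "IT: your password has expired. Sign in at https://example-okta-sso.test/login to keep access.",
    "Your schedule has changed. Confirm at http://twilio-sso.test/schedule",
    "Reminder from IT: MFA enrollment closes Friday, see https://login.example.com/mfa",
    "Lunch is in the break room at noon.",
]


def triage(messages=SAMPLE_MESSAGES):
    """Return the messages that should be escalated, each with its verdict."""
    return [(m, score_message(m)) for m in messages if score_message(m)["suspicious"]]


if __name__ == "__main__":
    for msg, verdict in triage():
        print(f"[{verdict['score']}] {msg}\n    " + "; ".join(verdict["reasons"]))
```

The allowlist check is deliberately suffix-based on a dot boundary: a genuine tenant subdomain passes, but a registered domain that merely contains the brand (for example "example-okta-sso.test") is treated as a lookalike. Pretext phrases and the "IT" claim only add weight, so a legitimate IT notice linking to the real SSO host is not flagged.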

Sophisticated

While the phrase “sophisticated cyber actor” is thrown around a lot by organizations looking to deflect scrutiny after a compromise, the actors that breached Twilio do seem to demonstrate above-average tradecraft, or to have access to more resources than the typical financially motivated amateur. As reported by SecurityWeek, the threat actor was able to rotate through telco carriers and hosting providers as its lures were shut down, and to match Twilio employee names with their phone numbers. Whether that information was previously stolen from Twilio in the Codecov supply-chain attack that Twilio disclosed in May 2021, or came from databases of stolen or purchased subscriber information, it allowed the actors to personalize the text messages and make them convincing.

Read more at SecurityWeek.