Shop Plans

Cloudflare And Twilio Targets Of A
Sophisticated Smishing Attack

Contents

Summary Of The Attack

  • Twilio and Cloudflare were targets of a sophisticated smishing attack.
  • Both companies’ employees phished and credentials were stolen.
  • Twilio’s security team also revoked access to the compromised employee accounts to mitigate the attack.
  • Cloudflare’s security systems in place stopped the attack from being successful, credentials weren’t enough to allow access to the company’s systems.

What Happened?

Cloudflare revealed on Tuesday, August 9th that they were also targeted by the threat actors who breached Twilio and gained unauthorized access to some of its systems on August 4th.

The threat actor sent phishing text messages to Twilio employees to trick them into entering their credentials on a malicious website.

.

How Does The Attack Work?

Twillio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack with a goal to steal employee credentials.

The format of the attacks was that the messages informed the recipients that they had expired passwords, schedule changes, and pointed to domains that included the words ‘Twilio’, ‘Okta’ and ‘SSO’.

Phishing messages sent to Twilio employees

The Cloudflare version was that similarly crafted messages were sent to their employees on July 20th.

The company, in their official statement, said that more than 100 SMS messages were sent to its employees and their families.

The messages were pointing to domains that appeared they belonged to Cloudflare.

Free IT Security Policies

Get a step ahead of your goals with our comprehensive templates.

Download Now
IT Security Policy Templates

Twilio VS Cloudflare Take On The Attack

The threat actors that targeted the companies’ employees managed to fool some employees from both companies into providing their credentials.

Twilio, confirmed that the attackers used the credentials to gain access to some of their internal systems, where they were able to access certain customer data.

From what they stated, they worked with the U.S. carriers to shut down the actos and worked with the hosting providers serving the malicious URLs to shut those accounts down.

Twilio’s security team also revoked access to the compromised employee accounts to mitigate the attack and engaged a leading forensic firm to aid their ongoing investigation.

While Twilio is taking remediation steps, Cloudflare, on the other hand, were able to stop the attack while it was running.

They did state that individual employees did fall for the phishing messages but they were able to thwart the attack through use of their Cloudflare One Products and physical security keys that they issued to every employee that are required to access all of their applications.

Every employee at the company is issued a FIDO2-compliant security key from a vendor like YubiKey.

Since the hard keys are tied to users and implement origin binding, even a sophisticated, real-time phishing operation like this one cannot gather the information necessary to log in to any of the Cloudflare systems.

The phishing messages sent to Cloudflare employees

The phishing messages sent to Cloudflare employees.

While the attacker attempted to log in to their systems with the compromised username and password credentials, they could not get past the hard key requirement.

In their official statement, they expressed that no Cloudflare systems were compromised.

Next Steps

The attacks have not yet been linked to a known threat actor, but Cloudflare has shared some indicators of compromise as well as information on the infrastructure used by the attacker.

Article by

Picture of Jason Firch, MBA
Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.
Linkedin
Picture of Jason Firch, MBA
Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.

Share This Article

Our Editorial Process

Our content goes through a rigorous approval process which is reviewed by cybersecurity experts – ensuring the quality and accuracy of information published.

Categories

AI Security

Cybersecurity Strategy

General Cybersecurity

Network Security

Penetration Testing

Ransomware

Recent Cyber Attacks

Small Business

Social Engineering

Vulnerability Management

$50/mo per device

Managed XDR Built For Small Business

Subscribe to easy cybersecurity and save thousands with a cloud-native managed detection and automated response solution.

Learn More

Related Breaches

PurpleSec

Get Secure Today.

Founded in 2019, PurpleSec is a veteran-owned cybersecurity company with a mission to help SMBs and startups affordably meet their security requirements.

Explore The Savings

Our Solutions

Virtual CISO

Defiance XDR

Social Engineering

Vulnerability Mgmt

Penetration Testing

Contact Us

Why PurpleSec?

About Us

Case Studies

How We Work

Our Leadership

Our Mission & Values

Linkedin Youtube Twitter

Learn With PurpleSec

Blog

Podcasts

Recent Cyber Attacks

Cybersecurity Insights

View All Resources