Twilio Employees Duped By Text Message Phishing Attack – Cybersecurity Dive


The communications provider declined to say how many employees were duped and how many customers were compromised.
Twilio was beaten at its own game. The platform’s application programming interface protocols are used by more than 275,000 customers to verify identity via two-factor authentication and engage customers in an automated manner.
Many of today’s most popular apps, including Facebook and Uber, use Twilio to communicate alerts and important updates to customers via text messages, voice and video. The knock-on effect of a threat actor accessing customer data could be significant if Twilio’s customers are later compromised.
The threat actors deceived some Twilio employees into sharing Okta credentials and two-factor authentication codes with spoofed URLs containing “Twilio,” “Okta” and “SSO” for single sign-on. Those links directed employees to a landing page impersonating Twilio’s sign-in page.
The company said current and former employees reported receiving the text messages, which purported to be from its IT department and originated on U.S. carrier networks. 
Twilio said other organizations were subject to similar attacks and, despite a coordinated effort with network operators and hosting providers to stop the malicious messages and URLs, the threat actors resumed their attacks on other carriers and hosts.
“Based on these factors, we have reason to believe the threat actors are well organized, sophisticated and methodical in their actions,” Twilio said in a blog post.
The company asserted its use of modern and sophisticated threat detection and deterrence measures, which, Twilio said, makes the cyberattack notice especially painful. The threat actors behind the attacks have not yet been identified.
Twilio’s security team revoked access to compromised employee accounts after it discovered the attack, and the company said it’s notifying affected customers on an individual basis.
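The lure described above relied on hostnames that contained "Twilio," "Okta" and "SSO" without belonging to either company. The following check is an added example, not code from Twilio or the article: it flags links in inbound messages whose hostname uses those keywords but is not an allowlisted domain or a subdomain of one. The allowlist and the sample messages are constructed for illustration, and matching on the hostname only is an assumption.

```python
import re
from urllib.parse import urlsplit

# Keywords are the ones named in the article; the allowlist is an assumption.
KEYWORDS = ("twilio", "okta", "sso")
ALLOWED_DOMAINS = ("twilio.com", "okta.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages using reserved .example domains.
SAMPLE_SMS = [
    "Notice from IT: your password has expired. "
    "Sign in at https://twilio-sso.example/login to renew.",
    "Schedule change, confirm at https://okta.twilio.com.example/verify.",
    "Reminder: the status page is https://status.twilio.com/",
    "Lunch menu: https://cafeteria.example/today",
]


def is_allowed(host: str) -> bool:
    """True only for an allowlisted domain or a true subdomain of one.

    A plain substring or prefix test would accept
    okta.twilio.com.example, so compare on label boundaries from the right.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def suspicious_urls(message: str) -> list[tuple[str, list[str]]]:
    """Return (url, matched keywords) for each brand-lookalike link."""
    findings = []
    for raw in URL_RE.findall(message):
        url = raw.rstrip(".,;:!?)")  # drop trailing sentence punctuation
        host = (urlsplit(url).hostname or "").lower()
        hits = [k for k in KEYWORDS if k in host]
        if hits and not is_allowed(host):
            findings.append((url, hits))
    return findings


if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        for url, hits in suspicious_urls(sms):
            print(f"FLAG {url} keywords={hits}")
```
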