Twilio employees fell for phishing texts claiming to be from IT department

Share post:

Employees at Twilio fell for a text-based phishing scam last week, responding to messages pretending to be from the company’s IT department that compromised their credentials and led to the theft of customer data. It’s the latest example of staff members being tricked into giving away their user names and passwords, resulting in data theft. Twilio, which makes a messaging platform used by marketing departments for its ability to integrate with Facebook Messenger, WhatsApp, SMS, voice, email, and more, said a “limited” number of customer accounts were compromised. Still, it’s a blow to a company that counts huge multinational corporations as its customers. Szilveszter Szebeni, CISO and co-founder at Tresorit, a European encryption-based security software company, said that while continuous phishing testing of employees is the minimum organizations should do for protection, companies are not even safe using two-factor authentication. With a targeted attack, even accounts protected by 2FA can be hacked by stealing a session using a fake website. “The real solution for the industry is to go password-less,” he said, “Unfortunately the industry does not support it in every use case.” Related content: Successful phishing attacks up in 2021 In a statement, Twilio said on August 4th it became aware of unauthorized access to its information. Current and former employees reported receiving text messages purporting to be from Twilio’s  IT department. Typical messages suggested that the employee’s passwords had expired, or that their schedule had changed, and that they needed to log in to a supplied URL. The URLs used words including “Twilio,” “Okta,” and “SSO” to try and trick users to click on a link taking them to a landing page that impersonated Twilio’s sign-in page. The text messages originated from U.S. carrier networks. Those URLs were controlled by the attacker. example phishing message 1 (An example of a phishing text sent to a Twilio employee) “The threat actors seemed to have sophisticated abilities to match employee names from sources with their phone number,” Twilio added. Victims who clicked on the link and entered their credentials had the username and password stolen. The attackers then used the stolen credentials to gain access to some of Twilio’s internal systems. “We have heard from other companies that they, too, were subject to similar attacks, and have co-ordinated our response to the threat actors,” Twilio said, “including collaborating with carriers to stop the malicious messages, as well as their registrars and hosting providers to shut down the malicious URLs. Despite this response, the threat actors have continued to rotate through carriers and hosting providers to resume their attacks.” Twilio has revoked access to the compromised employee accounts. it has also  “re-emphasized our security training to ensure employees are on high alert for social engineering attacks, and have issued security advisories on the specific tactics being utilized by malicious actors since they first started to appear several weeks ago. We have also instituted additional mandatory awareness training on social engineering attacks in recent weeks. Separately, we are examining additional technical precautions as the investigation progresses.” The post Twilio employees fell for phishing texts claiming to be from IT department first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


Related articles

Cyber Security Today, June 21, 2024 – US to ban Kaspersky for businesses, consumers

U.S. to ban the sale of Kaspersky products to consumers and businesses. Welcome to Cyber Security Today. It's Friday...

Biden administration to ban US sales of Kaspersky software over ties to Russia

The Biden administration is set to announce a ban on the sale of Kaspersky Lab's antivirus software in...

Security bug may allow anyone to spoof Microsoft employee emails

A security researcher claims to have discovered a bug that enables anyone to impersonate Microsoft corporate email accounts,...

Cyber Security Today, June 19, 2024 – How an attacker hid on an IT network for three years

How an attacker hid on an IT network for three years Welcome to Cyber Security Today. It's Wednesday June...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways