Twilio, Cloudflare and other organizations reported employees were targeted with a phishing campaign leveraging a kit codenamed 0ktapus. Tune in for this short episode to learn more about the mechanisms behind the phishing campaign and tips for mitigating this threat.
Hank Schless 00:00
Hey everybody, you're listening to Soapsuds, our five minute podcast series where we go over current events in cybersecurity, and review the lessons learned. I'm your host, Hank Schless.
Chances are that you've received a text message or an email at some point trying to impersonate a large vendor or maybe even the company that you work for. This is exactly what happened to employees at Twilio and Cloudflare recently. It was part of a month-long phishing campaign that compromised over 130 organizations and netted the credentials of close to 10,000 employees. So today, we're going to take a quick look at the chain of events that resulted in this breach. Plus, we'll discuss some of the red flags that both individuals and organizations alike can watch out for, to prevent breaches like this from occurring in the future.

So what happened? At the Lookout Threat Lab, we had some of our researchers look into some of the known artifacts of this attack, such as phishing URLs and the IP addresses associated with them, in addition to other relationships, like the WHOIS registry and SSL certificates, to see whether they could discover any additional information about the threat actor behind this. Between the work they did and work from other researchers out in the field, it was discovered that this phishing campaign uses a kit codenamed 0ktapus, with a zero at the start. The plan was to steal 9,931 login credentials and use them to carry out subsequent supply chain attacks.

It starts with an SMS message which seems harmless, with a link to a phishing page which obviously seems legitimate in order to cover the intent of this attack, impersonating an Okta login page, where victims are asked to enter account credentials and multi-factor authentication codes. Once the victim enters their credentials, the malicious site transmits the credentials to a private Telegram channel where the threat actors can then retrieve them. With the combination of the login credentials and the MFA credentials, attackers could gain access to corporate VPN networks and other internal customer support systems to steal customer data.
So with that customer data, attackers were actually able to quickly pivot and launch further supply chain attacks on Twilio's customers, including organizations like Signal and DigitalOcean and other familiar names.

So what's the takeaway from all of this? What's obvious is that phishing continues to evolve, from what we've known even just a couple of years ago to what we're seeing now. Mobile devices, in particular, have opened up limitless channels for phishing attacks. Think about all the apps you have on your phone or on your tablet that have messaging functionality. These are places where phishing attacks can happen, social engineering can happen, and things like this attack can occur. The reason that they're being targeted is really that we tend to trust mobile devices with more sensitive information than maybe laptops or desktops, and attackers are well aware of this. And this trust doesn't only go into the data that we put on these devices; we think about the mobile device as an extension of ourselves. So to admit that we can't trust it is maybe to admit that you can't trust yourself. So we all work with this trust. And for that reason, we keep these devices with us everywhere, and we think there's no way that they could act against our own self-interest. So because of that, employees tend to be less careful when they're opening an unsolicited text message on their phone than when they're opening an email to their work account on their computer, for example. The other thing, too, is that the smaller screens and the simplified user interface on mobile devices will hide a lot of the red flags that we know to look for with phishing attacks. And finally, these campaigns are getting more sophisticated. They're being sold in easy-to-use kits across the dark web, which means that even pretty new or unsophisticated actors can target specific organizations, employees or individuals with pretty complex attacks.
So to help you assess your own security posture, here are some tips for keeping your organization safe from mobile phishing attacks.

First, an employee should approach any message requesting that they verify their credentials with extreme caution. And this goes across personal and work reasons, right? If you get something about your personal bank account asking you to log in, from a number you've never interacted with before, that should be a huge red flag. Call your bank and see if they reached out to you at the same time. If you get something that claims to be from your IT department, call them. Places will always have a record of this.

The other one, and this is pretty particular to this attack, is a discrepancy in location. Misspelled words or suspicious URLs really are dead ringers for a phishing campaign, and in an attack like this, which triggers an MFA code or triggers your MFA app to send you a notification, the location will sometimes be incorrect. So for example, if you're in San Francisco and the notification says that you're trying to log in from Boston, that should probably be a pretty big red flag that something funky is going on. And you as an individual, or as an employee, should immediately deny that access request and notify your security team immediately.

So again, looking at this particular incident, there were actually just over 30% of Signal users who were targeted in this Twilio breach with a text message verification code that came while they were asleep. So if you, as the employee, didn't try to log in anywhere yourself, you should contact your internal IT and security teams immediately and verify whether that communication was valid. If it's not valid, those teams can then make the rest of the company aware of potential inbound attacks that are similar in nature. And really, those seconds of critical thinking could save your organization from a data breach.
Now to wrap it all up, what this incident demonstrates is how deeply interconnected cloud services are, and the risks that integration can present, such that attackers can quickly jump from one target or one service to the next. That's it for today's Suds. I'm your host, Hank Schless. Thanks so much for listening.
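The two MFA red flags the host describes, a push notification whose location does not match where the employee actually is, and a verification prompt that arrives while the employee is asleep and so cannot have started a login, can be checked automatically on the security team's side. The script below is an added example written for this page; it is not part of the episode and not Lookout's tooling. The JSON log format, the employee directory with its home cities and summer UTC offsets, and the 23:00 to 06:00 "asleep" window are all constructed assumptions, chosen so the sample events reproduce the San Francisco versus Boston case from the episode.

```python
"""
Added example, not from the Lookout episode or Lookout's own tooling: a
small triage routine for MFA push notifications that encodes two of the
red flags the host describes, a prompt whose location does not match where
the employee actually is, and a prompt arriving at an hour when the
employee is asleep and so cannot have started a login. The log format,
the employee directory and the sleep window are all constructed here.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed employee directory: home city and the UTC offset of the
# employee's local time (summer offsets, as in August 2022). A real
# deployment would pull this from the identity provider or HR system.
USER_PROFILES = {
    "alice": {"home_city": "San Francisco", "utc_offset_hours": -7},
    "bob": {"home_city": "Boston", "utc_offset_hours": -4},
}

# Assumed policy: local hours from SLEEP_START up to SLEEP_END are treated
# as "asleep", so an unsolicited push in that window is flagged.
SLEEP_START, SLEEP_END = 23, 6


@dataclass
class MfaPush:
    user: str
    ts_utc: datetime
    source_city: str


def parse_push_event(line: str) -> MfaPush:
    """Parse one constructed JSON log line emitted by an MFA service."""
    rec = json.loads(line)
    ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
    return MfaPush(rec["user"], ts.astimezone(timezone.utc), rec["source_city"])


def triage(push: MfaPush) -> list[str]:
    """Return the red flags raised by one push; an empty list means none."""
    profile = USER_PROFILES.get(push.user)
    if profile is None:
        return ["unknown_user"]
    flags = []
    # Red flag 1: prompt location differs from where the employee is.
    if push.source_city != profile["home_city"]:
        flags.append(
            f"location_mismatch:{push.source_city}!={profile['home_city']}"
        )
    # Red flag 2: prompt arrives during the employee's sleeping hours.
    local_tz = timezone(timedelta(hours=profile["utc_offset_hours"]))
    local_hour = push.ts_utc.astimezone(local_tz).hour
    if local_hour >= SLEEP_START or local_hour < SLEEP_END:
        flags.append(f"off_hours:local_hour={local_hour}")
    return flags


def recommended_action(flags: list[str]) -> str:
    """The host's advice: deny a suspicious prompt and tell security."""
    return "deny_and_notify_security" if flags else "allow"


# Constructed sample log: four push events over one day.
SAMPLE_LOG = [
    '{"timestamp": "2022-08-05T17:30:00Z", "user": "alice", "source_city": "San Francisco"}',
    '{"timestamp": "2022-08-05T10:15:00Z", "user": "alice", "source_city": "Boston"}',
    '{"timestamp": "2022-08-05T14:00:00Z", "user": "bob", "source_city": "Boston"}',
    '{"timestamp": "2022-08-05T07:30:00Z", "user": "bob", "source_city": "Boston"}',
]


def triage_log(lines: list[str]) -> list[tuple[list[str], str]]:
    """Triage every line; returns (flags, action) per event, in order."""
    results = []
    for line in lines:
        flags = triage(parse_push_event(line))
        results.append((flags, recommended_action(flags)))
    return results


if __name__ == "__main__":
    for line, (flags, action) in zip(SAMPLE_LOG, triage_log(SAMPLE_LOG)):
        print(action, flags, line)
```

Run stand-alone, the script allows the two daytime prompts from the employees' home cities and flags the other two: the second event is a 03:15 Pacific prompt from Boston for a San Francisco employee (both flags fire), and the fourth is a 03:30 Eastern prompt for a Boston employee (off-hours only). In practice the "home city" would be replaced by the location of the device the employee is actually holding, and a hit would page the security team rather than just print, but the decision logic is the same one the host asks employees to apply by hand.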