Two weeks ago, Twilio and Cloudflare detailed a phishing attack so methodical and well-orchestrated that it tricked employees from both companies into revealing their account credentials. In the case of Twilio, the attack overrode its 2FA protection and gave the threat actors access to its internal systems. Now, researchers have unearthed evidence the attacks were part of a massive phishing campaign that netted almost 10,000 account credentials belonging to 130 organizations.
Based on the revelations provided by Twilio and Cloudflare, it was already clear that the phishing attacks were executed with almost surgical precision and planning. Somehow, the threat actor had obtained private phone numbers of employees and, in some cases, their family members. The attackers then sent text messages that urged the employees to log in to what appeared to be their employers’ legitimate authentication page.
In 40 minutes, 76 Cloudflare employees received the text message, which included a domain name registered only 40 minutes earlier, thwarting safeguards the company has in place to detect sites that spoof its name. The phishers also used a proxy site to perform hijacks in real time, a method that allowed them to capture the one-time passcodes Twilio used in its 2FA verifications and enter them into the real site. Almost immediately, the threat actor used its access to Twilio’s network to obtain phone numbers belonging to 1,900 users of the Signal Messenger.
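The 40-minute-old domain is the detection gap worth dwelling on: name-based lookalike screening has to work without waiting for reputation feeds or registration data to catch up. As an added illustration that is not from the article or either company, here is a defender-side screen that flags domains embedding or typosquatting a company name and escalates when the registration is unknown or very recent; the brand name, domains and registration timestamps are constructed sample data, not indicators from the incident.

```python
from datetime import datetime, timedelta, timezone

BRAND = "examplecorp"  # hypothetical company name standing in for the targets
NOW = datetime(2022, 8, 15, 12, 0, tzinfo=timezone.utc)
ALLOW = {"examplecorp.com"}  # the company's own registered domains

# Constructed (domain, registration time) records, as a WHOIS/RDAP lookup
# might return them; None means the registration is not visible yet.
SAMPLE = [
    ("examplecorp.com", datetime(2010, 1, 1, tzinfo=timezone.utc)),
    ("examplecorp-sso.com", NOW - timedelta(minutes=40)),
    ("exanplecorp.com", NOW - timedelta(days=3)),
    ("weather.example", datetime(2015, 5, 5, tzinfo=timezone.utc)),
    ("examplecorp-login.net", None),
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def spoofs_brand(domain: str, brand: str = BRAND) -> bool:
    """True if the label left of the TLD embeds the brand (hyphenated
    variants) or is within one edit of it (typosquats). Public-suffix
    handling is deliberately omitted to keep the example short."""
    label = domain.lower().split(".")[-2]
    return brand in label or edit_distance(label, brand) <= 1

def assess(domain, registered, now=NOW, max_age=timedelta(hours=24)) -> str:
    """A lookalike is flagged on its name alone; an unknown or very recent
    registration escalates, because a domain too new to appear in
    reputation feeds is exactly the gap the article describes."""
    if domain.lower() in ALLOW or not spoofs_brand(domain):
        return "ok"
    if registered is None or now - registered <= max_age:
        return "block: brand lookalike, newly registered"
    return "review: brand lookalike"

def screen(records=SAMPLE) -> dict:
    """Map each sampled domain to its verdict."""
    return {d: assess(d, reg) for d, reg in records}

if __name__ == "__main__":
    for d, verdict in screen().items():
        print(f"{d:24} {verdict}")
```

The same check can be run over URLs extracted from reported SMS messages or from certificate-transparency logs; the point is that the name test fires immediately while the age test only adds urgency.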