It has been reported that communications giant Twilio has confirmed hackers accessed customer data after successfully tricking employees into handing over their corporate login credentials. The San Francisco-based company, which allows users to build voice and SMS capabilities — such as two-factor authentication (2FA) — into applications, said in a blog post published Monday that it became aware that someone gained “unauthorized access” to information related to some Twilio customer accounts on August 4.
Full story can be found here: https://techcrunch.com/2022/08/08/twilio-breach-customer-data/
Commenting on the news are the following cybersecurity experts:
Many of the data breaches we have seen in the past few months have human error lurking within their backstories. Phishing is a type of cybercrime in which victims are contacted by an attacker posing as a trustworthy entity in order to obtain sensitive information or data, such as login credentials, credit card details, or other personally identifiable information. One of the best approaches to mitigate such attacks is to adopt the Zero Trust framework. Zero Trust means you assume you’ve already been breached, provide no implicit trust, verify again and again, and only provide minimal privileges upon successful authentication. Protection methods such as tokenization can complement this framework because by tokenizing sensitive data immediately upon entering the corporate data ecosystem—and then not de-protecting it—people can have minimal or no access to the truly sensitive information while still being able to accomplish tasks (like data analytics). Positive trends such as Zero Trust architectures, supported by more data-centric protection methods (protecting the data itself rather than the borders around it), can really help in the long run.
In recent times we’ve seen a large uptick in SMS phishing (Smishing) scams. One of the reasons for their popularity is because corporate controls such as email gateways or other perimeter controls don’t filter out SMS messages. Also, people are less likely to inspect links on their phone and can easily follow links while distracted. Therefore, it’s vitally important that people are told of the threats that can occur via SMS and encourage employees to report any suspicious messages they may receive so that the security team can investigate appropriately.
Attackers don’t need to be sophisticated and smart when users are willing to click on links from unsolicited emails and SMS messages. They continue to leverage phishing attacks because clearly they still work. While scammers prey on the trusting element of human nature, organizations should also think about how their technology investments support their education and awareness efforts. It’s time to think beyond the prevention box when it comes to phishing. Organizations spend about 75% of their security budgets on prevention tools. Yet we all know that it is only a matter of time before a breach occurs.
We know that motivated, sophisticated cybercriminals can gain access to nearly any organization. Smart defenders should have a defensive playbook around the midgame, where the attacker pivots through an organization’s infrastructure, taking actions that can alert the team to the intrusion — command and control communications, data staging and lateral movement — before they’re able to access, exfiltrate or encrypt critical data.
This is a storybook case of the damage phishing links can do. Compromised credentials are often derived from a URL in a phishing message. A carefully crafted message containing the malicious link is sent to an unsuspecting employee. As soon as it’s clicked, the cycle of information loss and damage begins. Any company should aim to nip this problem early on by identifying and alerting these malicious links.
There are many public and commercial data providers that offer blacklisting services or databases for potential phishing domains/URL lookups. However, like any signature-based approach, newly-crafted phishing URLs cannot be identified this way. New machine learning approaches can actually flag a suspicious phishing URL previously unknown to blacklist data providers and should be considered by frequently targeted industries, such as technology and communications providers. Innovative organisations need a modern approach to securing their environments in order to spot these types of attacks quickly. To help achieve this, machine learning-powered SIEM, automated investigation and response tools, and UEBA technology should absolutely be part of their security stack.
The alleged cyber-attack on digital authentication provider Twilio reminds us that organisations’ IT security programs are only as strong as their weakest links. Here, we see how social engineering and “smishing” tactics can lead to fraudulent account access and ultimately impact a brand’s reputation. The situation also demonstrates that users have a more intimate technical relationship with their mobile devices, making mobile-based attacks much more impactful on end-users. In addition to general cybersecurity awareness training, anti-phishing education and restricting access to company data based on a user’s “Business Need to Know” are powerful deterrents. You also need to re-educate your company’s users that phishing attacks don’t occur only by email.