Phishing Campaign Hooks Twilio Communications Platform, Catches Customer Data

If we’ve learned anything from reporting on phishing attacks, it’s that no company, organization, or institution is immune from becoming the victim of one. Even the US Department of Defense recently fell victim to a $23.5 million phishing scam. If anything, larger organizations simply make for larger and more attractive targets, particularly when those organizations are entrusted with substantial amounts of customer data.

Speaking of which, Twilio, a major communications platform that services Voice over Internet Protocol (VoIP) integrations, announced over the weekend that it was hit by a phishing attack. The threat actors behind the attack were able to gain access to some of Twilio’s internal systems and view customer data. According to Twilio, the data implicated in this breach is related to a limited number of customer accounts.

The company has partnered with an unnamed forensics firm to conduct an investigation into the incident. The investigation is still ongoing. Twilio is reaching out to affected customers to notify them of the data breach and work with them to address any problems as more details are uncovered in the investigation. So far as the evidence revealed by the investigation shows, Twilio customers who were not directly contacted and notified by the company were not affected by the breach.

Smishing SMS messages sent to Twilio employees (Source: Twilio)

The attack in question was a smishing attack, which is shorthand for SMS phishing. The attackers carried out a smishing campaign that targeted employees of Twilio, as well as some other companies that contacted Twilio to report similar attacks. The attack relied on matching employee names and phone numbers so that the threat actors could contact specific Twilio employees with highly targeted SMS messages. The image above shows two of the smishing messages received by a Twilio employee, and messages received by other employees were similar in nature.

The messages falsely informed employees of expired passwords, schedule changes, or other similar notices that would require employees to log in to view or address the cause for the notice. The messages prompted Twilio employees to open links to URLs that contained words such as “Twilio,” “SSO” (single sign-on), and “Okta,” which is an identity platform used by Twilio. Employees who visited these URLs were met by a webpage that mimicked Twilio’s sign-in page.
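As an added illustration (not code from Twilio or from the original article), the Python sketch below flags links in a message whose hostname or path uses the keywords described above but does not belong to an approved sign-in domain. The allowed-domain list and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Keywords the article says appeared in the phishing URLs.
BRAND_KEYWORDS = ("twilio", "sso", "okta")

# Assumption: the organisation's legitimate sign-in domains.
ALLOWED_DOMAINS = ("twilio.com", "okta.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_allowed(host):
    """True if host is an allowed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def suspicious_urls(message):
    """Return (url, matched_keywords) for links that use brand keywords
    in the hostname or path but are not on an allowed domain."""
    hits = []
    for url in URL_RE.findall(message):
        url = url.rstrip(".,;:!?)")  # drop sentence punctuation after the link
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
        if not host or is_allowed(host):
            continue
        haystack = host + parts.path.lower()
        matched = [k for k in BRAND_KEYWORDS if k in haystack]
        if matched:
            hits.append((url, matched))
    return hits


# Constructed sample messages (not taken from the incident).
SAMPLES = [
    "ALERT! Your Twilio password has expired. Log in at https://twilio-sso.example/login to renew.",
    "Your schedule has changed. Review: http://okta.twilio.com.portal.example/",
    "Reminder: SSO maintenance tonight, details at https://www.twilio.com/blog.",
    "Lunch menu: https://cafeteria.example/today",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        for url, kws in suspicious_urls(msg):
            print(f"suspicious: {url} (keywords: {', '.join(kws)})")
```

The second sample shows why the check compares the end of the hostname rather than searching for the legitimate domain anywhere in the URL: a real domain name used as a subdomain label of an unrelated host is still flagged.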

Evidently, some employees were duped by this smishing attack and entered their login credentials into the fake sign-in pages controlled by the attackers. The smishing messages were sent from phone numbers belonging to US carrier networks, and Twilio worked with the carriers, as well as the hosting providers serving the URLs used in the attack, to shut down the malicious campaign. The Twilio Security Incident Response Team has committed to posting additional updates to the Twilio blog if there are any changes customers should be aware of.