Think you’re too smart to be fooled by phishers? Think again.
Dan Goodin – August 11, 2022 10:57 PM UTC
Image caption: This is definitely not a Razer mouse – but you get the idea.

There has been a recent spate of phishing attacks so precise and well-executed that they have succeeded in fooling some of the most security-aware people working in the cybersecurity industry. On Monday, Tuesday, and Wednesday, two-factor authentication provider Twilio, content delivery network Cloudflare, and networking equipment maker Cisco said that phishers in possession of phone numbers belonging to employees and employees' family members had tricked employees into revealing their credentials. The phishers gained access to the internal systems of Twilio and Cisco. Cloudflare's hardware-based 2FA keys prevented the phishers from accessing its systems.

The phishers were persistent, methodical, and had clearly done their homework. Within a single minute, at least 76 Cloudflare employees received text messages that used various ruses to trick them into logging in to what they believed was their work account. The phishing site used a domain (cloudflare-okta.com) that had been registered 40 minutes before the messages were sent, thwarting the system Cloudflare uses to be alerted when a domain using its name is created (probably because new entries take time to populate). The phishers also had the means to defeat forms of 2FA that rely on one-time passwords generated by authenticator apps or sent via text message.
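As an added illustration (not code from the original article or from Cloudflare), the sketch below checks hostnames at lookup time instead of waiting for a new-registration feed to populate, which is the gap the 40-minute-old cloudflare-okta.com domain slipped through. The log lines, allowlist, registration times, and 30-day threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

BRANDS = ("cloudflare",)                 # assumed protected brand strings
LEGIT = {"cloudflare.com", "okta.com"}   # assumed allowlist of real registrable domains
NEW_DOMAIN_WINDOW = timedelta(days=30)   # assumed threshold for "newly registered"

def t(hhmm):
    """Build a UTC timestamp on a constructed day."""
    h, m = map(int, hhmm.split(":"))
    return datetime(2022, 1, 1, h, m, tzinfo=timezone.utc)

# Constructed DNS/proxy log: (time, user, hostname)
LOG = [
    (t("22:50"), "alice", "dash.cloudflare.com"),
    (t("22:50"), "bob", "cloudflare-okta.com"),
    (t("22:51"), "carol", "cloudflare-status.example"),
    (t("22:52"), "dave", "login.cloudflare-sso.example"),
    (t("22:53"), "erin", "www.example.org"),
]
# Constructed registration times, standing in for WHOIS/RDAP lookups.
REGISTERED = {
    "cloudflare-okta.com": t("22:10"),  # 40 minutes before the lookup
    "cloudflare-status.example": datetime(2015, 6, 1, tzinfo=timezone.utc),
}

def registrable(host):
    # Simplification: last two labels. Real code needs the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(log, registered):
    """Flag brand lookalikes seen in the log and grade them by domain age."""
    alerts = []
    for when, user, host in log:
        domain = registrable(host)
        if domain in LEGIT or not any(b in domain for b in BRANDS):
            continue
        created = registered.get(domain)
        if created is None:
            verdict = "lookalike-unknown-age"   # fail closed: no record yet
        elif when - created < NEW_DOMAIN_WINDOW:
            verdict = "lookalike-new"
        else:
            verdict = "lookalike-old"
        alerts.append((user, domain, verdict))
    return alerts

if __name__ == "__main__":
    for alert in triage(LOG, REGISTERED):
        print(alert)
```

Treating a missing registration record as suspicious matters here because a domain that is minutes old may not yet appear in any lookup source.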
Creating a sense of urgency

Like Cloudflare, both Twilio and Cisco received text messages or phone calls sent under the premise of an emergency (a sudden schedule change, an expired password, or a call under the guise of a trusted organization) that required the target to act quickly.
On Wednesday, it was my turn. At 3:54 PM PT, I received an email purporting to be from Twitter notifying me that my Twitter account had just been verified. I was immediately suspicious because I hadn't applied for verification and didn't want to. But the headers said the email was from twitter.com, the link (which I opened with Tor on a secure machine) pointed to the real Twitter.com site, and nothing in the email or the linked page asked me for any information. I also noticed that a checkmark had popped up on my profile page. Satisfied that the email was authentic, I noted my surprise on Twitter at 3:55.
What the hell. Twitter just verified my account, even though I adamantly refuse to give them my ID or any other information. I wonder why. — Dan Goodin (@dangoodin001) August 10, 2022
A few seconds later, at 3:56, I got a direct message purporting to be from Twitter's verification department. It said that to make my verification permanent, I would need to reply to the message with my driver's license, passport, or other government-issued ID.
I feel strongly that it is inappropriate for Twitter (a company that has been hacked at least three times and has admitted to misusing users' phone numbers) to demand this kind of data. I was very angry. My workday was almost over. I was still amazed that Twitter had, unexpectedly and in actuality, given me a checkmark I hadn't asked for. So, without reading the DM thoroughly, I tweeted a screenshot of it, along with a cynical comment about Twitter being untrustworthy.
I said it too soon. Sorry @twitter, you are not trustworthy. Go ahead and remove the blue checkmark. You didn’t get my ID to get you hacked again or to use it for marketing purposes. pic.twitter.com/dimLCLagdU