PHISHERS OF MEN —
An exceptionally resourceful threat actor has targeted multiple companies in recent days.
Dan Gooding –
August 9, 2022 11:33 PM UTC
At least two security-sensitive companies (Twilio and Cloudflare) are being targeted for phishing attacks by an advanced threat attacker who not only has employees’ home phone numbers, but also employees The home phone number of the family member. Two-factor authentication and communications service provider in San Francisco In the case of Twilio, unknown hackers successfully phished an undisclosed number of employees’ credentials and gained unauthorized access to the company’s internal systems from there, the company said. The threat actor then used that access to access data in an undisclosed number of customer accounts.
Two days after Twilio’s disclosure, also headquartered in San Francisco Content delivery network Cloudflare revealed that it’s also being targeted in a similar fashion. Cloudflare said three of its employees fell for the phishing scam, but the company used hardware-based MFA keys to prevent potential intruders from accessing its internal network.
Well organized, mature, methodical
In both cases, the attacker somehow obtained the Home and work phone numbers and, in some cases, their family members were also obtained. The attackers then sent text messages disguised as official company communications. These messages make false claims, such as an employee’s schedule has changed, or that the password they use to log into their work account has changed. Once an employee enters their credentials into the fake site, it initiates a download of a phishing payload that, when clicked, installs the remote desktop software from AnyDesk.
Cloudflare
Twilio
attackers attack with almost surgical precision. At least 76 employees received a message in the first minute of the attack on Cloudflare. The messages came from multiple phone numbers belonging to T-Mobile. The domain used in the attack was registered only 40 minutes ago, hindering the domain protection that Cloudflare uses to hunt down imposter sites. “Based on these factors, we have Reasons to believe that the actions of the threat actors were well-organized, sophisticated, and methodical,” Twilio wrote. “We have not yet identified the specific threat actors working here, but have reached out to law enforcement in our work. Social engineering attacks are inherently sophisticated, sophisticated, and designed to challenge state-of-the-art defenses.”
Matthew Prince, Daniel Stinson-Diess, Sourov Zaman — CEO of Cloudflare Officers, senior security engineers and incident response leaders — share a similar view. “This is a sophisticated attack on employees and systems, we It is believed that most organizations are likely to be compromised,” they wrote. “Given that the attackers targeted multiple organizations, we wanted to share here a compendium of what we’ve seen to help other companies identify and mitigate this attack.”
Twilio and Cloudflare say they don’t know how phishers got their employee numbers. Impressive despite having 3 employees Despite the scam, Cloudflare has kept its systems safe from compromise. The company’s use of MFA FIDO2 compliant hardware-based security keys is a key reason. If the company relied on sending one-time passwords in text messages, or even passwords generated by authentication apps, things could be different. Cloudflare official explanation: When the victim completes the phishing page, the credentials are immediately forwarded to the attacker via the messaging service Telegram. This real-time relay is important because the phishing page also prompts for a time-based one-time password (TOTP) code. Presumably the attacker receives the credentials in real time, putting them Entered into the victim company’s actual login page, and for many organizations that generate a code sent to the employee is displayed via SMS or a password generator. The employee would then enter a TOTP code on the phishing site, which would also be forwarded to the attacker. An attacker could then use the TOTP code to access the company’s actual login page before it expires — beating most two-factor authentication implementations.
We confirmed that three Cloudflare employees fell for phishing messages and entered their credentials. However, Cloudflare does not use TOTP codes. Instead, every employee in the company gets a FIDO2-compliant security key from a vendor such as YubiKey. Because hard keys are tied to users and implement source binding, even a sophisticated real-time phishing operation like this cannot gather the information needed to log into any of our systems. When attackers try to log into our systems with compromised username and password credentials, they cannot pass the hard key requirement.
Cloudflare went on to say it wasn’t punishing employees who fell for the scam and explained why. “Having a culture of paranoia but not reproach is essential for safety to important,” the officials wrote. “The three employees involved in the phishing scam were not reprimanded. We are all human and we all make mistakes. It is critical that when we do, we report them and don’t cover them up.”
Two days after Twilio’s disclosure, also headquartered in San Francisco Content delivery network Cloudflare revealed that it’s also being targeted in a similar fashion. Cloudflare said three of its employees fell for the phishing scam, but the company used hardware-based MFA keys to prevent potential intruders from accessing its internal network.
Well organized, mature, methodical
In both cases, the attacker somehow obtained the Home and work phone numbers and, in some cases, their family members were also obtained. The attackers then sent text messages disguised as official company communications. These messages make false claims, such as an employee’s schedule has changed, or that the password they use to log into their work account has changed. Once an employee enters their credentials into the fake site, it initiates a download of a phishing payload that, when clicked, installs the remote desktop software from AnyDesk.
Cloudflare
Twilio
attackers attack with almost surgical precision. At least 76 employees received a message in the first minute of the attack on Cloudflare. The messages came from multiple phone numbers belonging to T-Mobile. The domain used in the attack was registered only 40 minutes ago, hindering the domain protection that Cloudflare uses to hunt down imposter sites. “Based on these factors, we have Reasons to believe that the actions of the threat actors were well-organized, sophisticated, and methodical,” Twilio wrote. “We have not yet identified the specific threat actors working here, but have reached out to law enforcement in our work. Social engineering attacks are inherently sophisticated, sophisticated, and designed to challenge state-of-the-art defenses.”
Matthew Prince, Daniel Stinson-Diess, Sourov Zaman — CEO of Cloudflare Officers, senior security engineers and incident response leaders — share a similar view. “This is a sophisticated attack on employees and systems, we It is believed that most organizations are likely to be compromised,” they wrote. “Given that the attackers targeted multiple organizations, we wanted to share here a compendium of what we’ve seen to help other companies identify and mitigate this attack.”
Twilio and Cloudflare say they don’t know how phishers got their employee numbers. Impressive despite having 3 employees Despite the scam, Cloudflare has kept its systems safe from compromise. The company’s use of MFA FIDO2 compliant hardware-based security keys is a key reason. If the company relied on sending one-time passwords in text messages, or even passwords generated by authentication apps, things could be different. Cloudflare official explanation: When the victim completes the phishing page, the credentials are immediately forwarded to the attacker via the messaging service Telegram. This real-time relay is important because the phishing page also prompts for a time-based one-time password (TOTP) code. Presumably the attacker receives the credentials in real time, putting them Entered into the victim company’s actual login page, and for many organizations that generate a code sent to the employee is displayed via SMS or a password generator. The employee would then enter a TOTP code on the phishing site, which would also be forwarded to the attacker. An attacker could then use the TOTP code to access the company’s actual login page before it expires — beating most two-factor authentication implementations.
We confirmed that three Cloudflare employees fell for phishing messages and entered their credentials. However, Cloudflare does not use TOTP codes. Instead, every employee in the company gets a FIDO2-compliant security key from a vendor such as YubiKey. Because hard keys are tied to users and implement source binding, even a sophisticated real-time phishing operation like this cannot gather the information needed to log into any of our systems. When attackers try to log into our systems with compromised username and password credentials, they cannot pass the hard key requirement.
Cloudflare went on to say it wasn’t punishing employees who fell for the scam and explained why. “Having a culture of paranoia but not reproach is essential for safety to important,” the officials wrote. “The three employees involved in the phishing scam were not reprimanded. We are all human and we all make mistakes. It is critical that when we do, we report them and don’t cover them up.”
Cloudflare
Twilio
attackers attack with almost surgical precision. At least 76 employees received a message in the first minute of the attack on Cloudflare. The messages came from multiple phone numbers belonging to T-Mobile. The domain used in the attack was registered only 40 minutes ago, hindering the domain protection that Cloudflare uses to hunt down imposter sites. “Based on these factors, we have Reasons to believe that the actions of the threat actors were well-organized, sophisticated, and methodical,” Twilio wrote. “We have not yet identified the specific threat actors working here, but have reached out to law enforcement in our work. Social engineering attacks are inherently sophisticated, sophisticated, and designed to challenge state-of-the-art defenses.”
Matthew Prince, Daniel Stinson-Diess, Sourov Zaman — CEO of Cloudflare Officers, senior security engineers and incident response leaders — share a similar view. “This is a sophisticated attack on employees and systems, we It is believed that most organizations are likely to be compromised,” they wrote. “Given that the attackers targeted multiple organizations, we wanted to share here a compendium of what we’ve seen to help other companies identify and mitigate this attack.”
Twilio and Cloudflare say they don’t know how phishers got their employee numbers. Impressive despite having 3 employees Despite the scam, Cloudflare has kept its systems safe from compromise. The company’s use of MFA FIDO2 compliant hardware-based security keys is a key reason. If the company relied on sending one-time passwords in text messages, or even passwords generated by authentication apps, things could be different. Cloudflare official explanation: When the victim completes the phishing page, the credentials are immediately forwarded to the attacker via the messaging service Telegram. This real-time relay is important because the phishing page also prompts for a time-based one-time password (TOTP) code. Presumably the attacker receives the credentials in real time, putting them Entered into the victim company’s actual login page, and for many organizations that generate a code sent to the employee is displayed via SMS or a password generator. The employee would then enter a TOTP code on the phishing site, which would also be forwarded to the attacker. An attacker could then use the TOTP code to access the company’s actual login page before it expires — beating most two-factor authentication implementations.
We confirmed that three Cloudflare employees fell for phishing messages and entered their credentials. However, Cloudflare does not use TOTP codes. Instead, every employee in the company gets a FIDO2-compliant security key from a vendor such as YubiKey. Because hard keys are tied to users and implement source binding, even a sophisticated real-time phishing operation like this cannot gather the information needed to log into any of our systems. When attackers try to log into our systems with compromised username and password credentials, they cannot pass the hard key requirement.
Cloudflare went on to say it wasn’t punishing employees who fell for the scam and explained why. “Having a culture of paranoia but not reproach is essential for safety to important,” the officials wrote. “The three employees involved in the phishing scam were not reprimanded. We are all human and we all make mistakes. It is critical that when we do, we report them and don’t cover them up.”
attackers attack with almost surgical precision. At least 76 employees received a message in the first minute of the attack on Cloudflare. The messages came from multiple phone numbers belonging to T-Mobile. The domain used in the attack was registered only 40 minutes ago, hindering the domain protection that Cloudflare uses to hunt down imposter sites. “Based on these factors, we have Reasons to believe that the actions of the threat actors were well-organized, sophisticated, and methodical,” Twilio wrote. “We have not yet identified the specific threat actors working here, but have reached out to law enforcement in our work. Social engineering attacks are inherently sophisticated, sophisticated, and designed to challenge state-of-the-art defenses.”
Matthew Prince, Daniel Stinson-Diess, Sourov Zaman — CEO of Cloudflare Officers, senior security engineers and incident response leaders — share a similar view. “This is a sophisticated attack on employees and systems, we It is believed that most organizations are likely to be compromised,” they wrote. “Given that the attackers targeted multiple organizations, we wanted to share here a compendium of what we’ve seen to help other companies identify and mitigate this attack.”
Twilio and Cloudflare say they don’t know how phishers got their employee numbers. Impressive despite having 3 employees Despite the scam, Cloudflare has kept its systems safe from compromise. The company’s use of MFA FIDO2 compliant hardware-based security keys is a key reason. If the company relied on sending one-time passwords in text messages, or even passwords generated by authentication apps, things could be different. Cloudflare official explanation: When the victim completes the phishing page, the credentials are immediately forwarded to the attacker via the messaging service Telegram. This real-time relay is important because the phishing page also prompts for a time-based one-time password (TOTP) code. Presumably the attacker receives the credentials in real time, putting them Entered into the victim company’s actual login page, and for many organizations that generate a code sent to the employee is displayed via SMS or a password generator. The employee would then enter a TOTP code on the phishing site, which would also be forwarded to the attacker. An attacker could then use the TOTP code to access the company’s actual login page before it expires — beating most two-factor authentication implementations.
We confirmed that three Cloudflare employees fell for phishing messages and entered their credentials. However, Cloudflare does not use TOTP codes. Instead, every employee in the company gets a FIDO2-compliant security key from a vendor such as YubiKey. Because hard keys are tied to users and implement source binding, even a sophisticated real-time phishing operation like this cannot gather the information needed to log into any of our systems. When attackers try to log into our systems with compromised username and password credentials, they cannot pass the hard key requirement.
Cloudflare went on to say it wasn’t punishing employees who fell for the scam and explained why. “Having a culture of paranoia but not reproach is essential for safety to important,” the officials wrote. “The three employees involved in the phishing scam were not reprimanded. We are all human and we all make mistakes. It is critical that when we do, we report them and don’t cover them up.”
Matthew Prince, Daniel Stinson-Diess, Sourov Zaman — CEO of Cloudflare Officers, senior security engineers and incident response leaders — share a similar view. “This is a sophisticated attack on employees and systems, we It is believed that most organizations are likely to be compromised,” they wrote. “Given that the attackers targeted multiple organizations, we wanted to share here a compendium of what we’ve seen to help other companies identify and mitigate this attack.”
Twilio and Cloudflare say they don’t know how phishers got their employee numbers. Impressive despite having 3 employees Despite the scam, Cloudflare has kept its systems safe from compromise. The company’s use of MFA FIDO2 compliant hardware-based security keys is a key reason. If the company relied on sending one-time passwords in text messages, or even passwords generated by authentication apps, things could be different. Cloudflare official explanation: When the victim completes the phishing page, the credentials are immediately forwarded to the attacker via the messaging service Telegram. This real-time relay is important because the phishing page also prompts for a time-based one-time password (TOTP) code. Presumably the attacker receives the credentials in real time, putting them Entered into the victim company’s actual login page, and for many organizations that generate a code sent to the employee is displayed via SMS or a password generator. The employee would then enter a TOTP code on the phishing site, which would also be forwarded to the attacker. An attacker could then use the TOTP code to access the company’s actual login page before it expires — beating most two-factor authentication implementations.
We confirmed that three Cloudflare employees fell for phishing messages and entered their credentials. However, Cloudflare does not use TOTP codes. Instead, every employee in the company gets a FIDO2-compliant security key from a vendor such as YubiKey. Because hard keys are tied to users and implement source binding, even a sophisticated real-time phishing operation like this cannot gather the information needed to log into any of our systems. When attackers try to log into our systems with compromised username and password credentials, they cannot pass the hard key requirement.
Cloudflare went on to say it wasn’t punishing employees who fell for the scam and explained why. “Having a culture of paranoia but not reproach is essential for safety to important,” the officials wrote. “The three employees involved in the phishing scam were not reprimanded. We are all human and we all make mistakes. It is critical that when we do, we report them and don’t cover them up.”
Twilio and Cloudflare say they don’t know how phishers got their employee numbers. Impressive despite having 3 employees Despite the scam, Cloudflare has kept its systems safe from compromise. The company’s use of MFA FIDO2 compliant hardware-based security keys is a key reason. If the company relied on sending one-time passwords in text messages, or even passwords generated by authentication apps, things could be different. Cloudflare official explanation: When the victim completes the phishing page, the credentials are immediately forwarded to the attacker via the messaging service Telegram. This real-time relay is important because the phishing page also prompts for a time-based one-time password (TOTP) code. Presumably the attacker receives the credentials in real time, putting them Entered into the victim company’s actual login page, and for many organizations that generate a code sent to the employee is displayed via SMS or a password generator. The employee would then enter a TOTP code on the phishing site, which would also be forwarded to the attacker. An attacker could then use the TOTP code to access the company’s actual login page before it expires — beating most two-factor authentication implementations.
We confirmed that three Cloudflare employees fell for phishing messages and entered their credentials. However, Cloudflare does not use TOTP codes. Instead, every employee in the company gets a FIDO2-compliant security key from a vendor such as YubiKey. Because hard keys are tied to users and implement source binding, even a sophisticated real-time phishing operation like this cannot gather the information needed to log into any of our systems. When attackers try to log into our systems with compromised username and password credentials, they cannot pass the hard key requirement.
Cloudflare went on to say it wasn’t punishing employees who fell for the scam and explained why. “Having a culture of paranoia but not reproach is essential for safety to important,” the officials wrote. “The three employees involved in the phishing scam were not reprimanded. We are all human and we all make mistakes. It is critical that when we do, we report them and don’t cover them up.”
We confirmed that three Cloudflare employees fell for phishing messages and entered their credentials. However, Cloudflare does not use TOTP codes. Instead, every employee in the company gets a FIDO2-compliant security key from a vendor such as YubiKey. Because hard keys are tied to users and implement source binding, even a sophisticated real-time phishing operation like this cannot gather the information needed to log into any of our systems. When attackers try to log into our systems with compromised username and password credentials, they cannot pass the hard key requirement.
Cloudflare went on to say it wasn’t punishing employees who fell for the scam and explained why.
