Why Cloudflare was protected against the SMS phishing attack that compromised Twilio
Hackers don’t break in, they login.
A number of employees at Twilio recently fell for a very simple, unsophisticated SMS phishing attack which has led to some of their customers being compromised. Those customers will now see their employees targeted with similar phishing attacks in the future — it’s just a matter of time.
The SMS phishing messages in question bypassed carriers’ SMS Firewalls, as well as Twilio’s endpoint security. The phishing attack even bypassed Twilio’s own anti-phishing 2 factor authentication (2FA) solution, Authy. According to the Authy website:
“Go beyond the password and protect yourself from hackers and account takeovers.”
To add insult to injury, the SMS phishing messages tricked employees who work with SMS-based applications all day, every day — and they were tricked with URLs that impersonated one of their own URLs.
At least 76 Cloudflare employees were targeted in a similar phishing attack, with 3 employees falling for the lure — they also fell for a URL that impersonated one of their own URLs. Their SMS messages also went through carrier networks and their SMS Firewalls, as well as their own endpoint protection.
As I’ve been saying for many years, some of the smartest security professionals in the world fall for phishing attacks — it’s not something “stupid people” do. Both Cloudflare and Twilio employ skilled people. The point I’m making here is this — if these security vendor employees can fall for phishing attacks that bypass their own security controls while impersonating their own URLs, so can you, and everyone you know — literally.
If Twilio can fall for a targeted SMS phishing attack, anyone can…
- Authy is a 2FA solution owned by Twilio, and designed to protect organizations from phishing-led attacks like this one
- Twilio is the world’s biggest provider of A2P traffic, with anti-phishing threat detection built-in
- The phishing URL that Twilio employees fell for, impersonated a Twilio URL
We know that both Twilio and Cloudflare employees use 2 factor authentication (2FA) for an extra layer of security, but unfortunately for Twilio (as well as their customers who are now compromised), their employees were not protected in this attack. So it’s not their fault. It’s the fault of all security controls that failed to keep them safe.
As I first wrote in 2019 at the request of the PKI Consortium, a reverse-proxy phishing attack can bypass almost every security solution on the market, including password managers like 1Password and LastPass, as well as 2FA apps like Authy and Google Authenticator.
A targeted man-in-the-middle attack is virtually impossible for any person to detect. When persistent, it’s virtually impossible for their employer to combat. This type of attack requires a new concept called “Zero Trust URL & Web Access Authentication” (trust no URL, always verify).
If Cloudflare employees can fall for a phishing attack, anyone can…
On July 20, 2022, the Cloudflare Security team received reports of employees receiving legitimate-looking text messages pointing to what appeared to be a Cloudflare Okta login page.
In less than 1 minute, at least 76 employees received text messages on their personal and work phones. Some messages were also sent to the employee’s family members. According to Cloudflare, they have not yet been able to determine how the attacker assembled the list of employee’s phone numbers. I’m surprised by this because we know Okta reported a similar cyberattack on their network a few months ago — during which, some of their customer data (e.g. Cloudflare) was compromised.
The phishing messages came from four phone numbers associated with T-Mobile-issued SIM cards, meaning T-Mobile doesn’t have effective anti-phishing security for their outbound traffic. This is the costly problem SMS Firewalls are unable to address.
Why Cloudflare was safe from this attack
While three Cloudflare employees did fall for the SMS message and they did enter their credentials on the website, the company uses physical security keys from vendors such as YubiKey for 2FA. 🦾
Hardware keys tie login credentials with the verified URLs saved for each website and service. The key will only authenticate a URL that matches the one stored on the device. It won’t authenticate phishing URLs, even when the website or service looks legitimate. This is a “Zero Trust” strategy for URL & Web Access Authentication. We have to give full credit to Cloudflare for avoiding a terrible outcome with a Zero Trust strategy, but their employees are still exposed to future phishing attacks like this one. They are just as vulnerable now as they were before this attack — additional training will not make a bit of a difference — how many times can you say “don’t open links” before realizing it’s not an effective strategy for cybersecurity. And adding more of the same anti-phishing threat detection is the silliest thing I’ve heard, because attackers use URLs we don’t know about — see my timeline above as reported by Cloudflare.
This point forward is a full blown self-promotion of how MetaCert addresses this problem. I can’t possible avoid talking about MetaCert given it’s the only company in the world who can stop SMS Phishing attacks with a kill switch-like “Zero Trust” strategy.
How MetaCert could have killed this attack before it even started…
Unfortunately, hardware keys like Yubikey that comply with the FIDO U2F open authentication standard only work on a few hundred websites and services, and they’re not designed for SMS infrastructure. That leaves “Zero Trust SMS”…
If carriers adopted a “Zero Trust SMS” strategy, these phishing attacks would never have happened. They wouldn’t have gone past the attacker’s own test. Every single phishing URL that attackers tried to send, would have failed to authenticate and every employee would have been redirected to a “CAUTION” page — similar to the one below.
The Cloudflare phishing URL above should now be blocked by SMS Firewalls, but they’re not — it’s still possible to send the phishing URL by SMS to subscribers on every major carrier in the US and Canada — as well as all major mobile operators in the UK and Ireland. Every SMS Firewall vendor is failing to detect and block this known phishing URL at the time of writing this article. That might change by the time you read this.
I used our own Twilio app to run these tests — that means Twilio isn’t blocking these known phishing URLs even after they have been investigated and confirmed as dangerous. How anyone can expect Twilio to block unknown phishing URLs is beyond me if they can’t block known ones. It’s time for the telco industry to employ anti-phishing cybersecurity experts. Sinch and similar companies are all in the same boat as Twilio — there’s no difference aside from the fact that Twilio is likely to have much more robust security controls than their smaller competitors.
In December 2017, (Yubikey launched in 2018) MetaCert pioneering the concept of Zero Trust URL & Web Access Authentication — it’s like a kill switch for phishing attacks across any platform, hardware device, or software application. At its core, is the world’s biggest database of verified internet addresses, and an extensive set of services that do incredible things others haven’t thought of yet.
Conceptually, MetaCert works in a similar way to a hardware key, but our unique security system authenticates many billions of URIs across the Internet — hardware keys only work for a few hundred websites and services.
Zero Trust SMS is the only way to stop ALL SMS phishing attacks
It’s similar to an SMS Firewall, but much smaller and easier to integrate, and much more effective and reliable for anti-phishing. It does not detect “SPAM” as that’s an easy win for SMS Firewalls — there’s little benefit in us building a better version.
Carriers don’t care enough to pay for a dedicated anti-phishing security solution, and we don’t care enough about SPAM.
90% of the authentication system and associated services run on MetaCert’s infrastructure. The network appliance only represents 10% of the solution.
If Verizon, T-Mobile, and other carriers in the US had our Zero Trust appliance on their network, EVERY deceptive URL would have failed to authenticate. Cloudflare employees wouldn’t even have seen the login page, let alone give up their usernames and passwords. Twilio wouldn’t have been breached, and their customers wouldn’t have been compromised and now worried about their employees being targeted with similar targeted attacks.
I hope this particular cyberattack proves that Zero Trust is the ONLY way to stop every kind of SMS phishing attack. We need to assume every URL is dangerous, unless verified/authenticated. This is precisely why no person or entity has ever fallen for a dangerous link, URL, message, download, login page, website, or service when protected by MetaCert.
The following does not, and will not protect your employees
- Don’t open links
- We never ask you for [insert text] so don’t trust any messages that request this information.
Twilio, Cloudflare, Microsoft, and Okta are cybersecurity vendors. Their employees are as well trained as they can be. They have been told the same advice over and over again. At what point will people start to realize that this is NOT a security solution. Stop talking about what employees should and shouldn’t do, and start talking about how you are going to protect your employees from these cyberattacks. Imagine how terrible these particular employees feel — they will feel like they let their team and their customers down. But that’s not true.
I was recently interviewed by the producer’s of America’s Most Wanted about all of this in the context of a Russian hacker who stole over a hundred million dollars. It should be out on Audible in the coming months. Phishing is 95% psychology / 5% technology.
My other articles on this subject that might interest you:
- A curated list of phishing attacks on employees at Sitel Okta Microsoft Globant Nvidia T-Mobile Cloudflare and Twilio | by Paul Walsh | Aug, 2022 | Medium
- An Open Letter to Mobile Operators: How to Stop SMS Phishing Attacks
- Email Phishing vs SMS Phishing And Why We Should Stop Blaming Mobile Operators for SMS-Led Attacks
- Why phishing is not sophisticated and certainly not new
- Phishing Predictions for 2021, 2022, 2023, 2024, 2025
- Why we can’t use AI for URL recognition inside SMS messages
- Why home delivery scams are NOT getting smarter — as suggested by Sophos
- How SMS stakeholders can reduce spam and phishing messages on behalf of mobile operators
- How Mobile Operators, Brands, and Banks Can Build Better SMS Marketing Campaigns
- How Vodafone and Three Can Protect Subscribers in Ireland From SMS Phishing Attacks Like FluBot
- Why anti-phishing awareness training and advice is almost always wrong
- How to evaluate security vendors for a Zero Trust strategy to combat phishing-led attacks