Skip to main content
close search
site logo

Cloudflare thwarts ‘sophisticated’ phishing attack strategy that bruised Twilio

Dissimilar responses from Cloudflare and Twilio bear important lessons in transparency, resiliency and access.

Published Aug. 9, 2022
Matt Kapko's headshot
Senior Reporter
A sample phishing text message that targeted Cloudflare employees.
Cloudflare employees were targeted with a phishing text message pointing to a seemingly legitimate URL.

Cloudflare

Twilio employees aren’t the only individuals recently targeted by a sophisticated phishing attack. 

Cloudflare on Tuesday said three employees fell for a phishing attack with very similar characteristics but, unlike Twilio, the content delivery network was able to thwart intrusion.

“This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would likely be breached,” Cloudflare CEO Matthew Prince wrote in a blog post authored alongside engineers Daniel Stinson-Diess and Sourov Zaman.

Cloudflare employees began receiving phishing text messages pointing to a spoofed Cloudflare Okta login page more than two weeks before Twilio employees were targeted with similar messages. At least 76 Cloudflare employees received text messages on their personal and work phones in less than a minute, the company said. 

Some employees’ family members were targeted as well. 

Cloudflare said it found no sign of compromise when it reviewed access logs to its employee directory, a detail that further illustrates a heightened level of advanced tactics and determination mobilized by the threat actors behind this attack.

All phishing text messages originated from four phone numbers issued by T-Mobile, and directed employees to a domain registered at Porkbun less than 40 minutes before the campaign began, Cloudflare said. 

Attacks on third-party vendors such as Twilio and Cloudflare produce inherently greater risks because a breach could potentially compromise customer data, multiple analysts told Cybersecurity Dive. 

The downstream impact of an attack, such as the one that occurred at Twilio, depends on what was compromised and when, Allie Mellen, senior analyst at Forrester, said via email. 

Organizations, users and customers can all be at risk when employees unsuspectingly provide credentials to threat actors, granting access to internal systems and data. 

The compromise of Twilio’s two-factor authentication adds another worrying wrinkle to that mix.

“Twilio’s actions can serve as an impetus for other organizations to proactively strengthen their two-factor authentication security safeguards and policies, as well as consider multi-factor authentication alternatives,” said Ron Westfall, senior analyst and research director at Futurum Research.

A tale of two responses

The divergence between Cloudflare and Twilio’s response to the phishing attack bears important lessons in transparency, resiliency and access.

While Twilio said its investigation remains underway, it has yet to disclose how many customers are potentially impacted, how many employees were tricked into providing their credentials and what type of customer data was exposed as a result of the attack.

Twilio’s customers need to react, but they can’t make appropriate moves without more detail about the extent to which their data might be compromised, said Frank Dickson, group VP at IDC. The company could be more forthcoming with a timeline for when those details will be shared, he added.

Discovering and remediating a breach is just one part of the process, which takes about one-fifth the time of a full assessment and shutdown of all compromised vectors, according to Dickson.

Absent further details, Twilio also faces questions about the resiliency of its authentication security practices, and the level of access granted when those controls fail.

Some systems should require more than two factors for authentication, but additional safeguards can be established with network architecture, Dickson said. 

Segmenting access, implementing a zero-trust strategy and instituting least-privileged access controls can limit the blast radius following a breach, analysts said.

“Twilio needs to improve its response approach, especially since the company specializes in customer engagement software platform technology” and helps organizations meet some of their cybersecurity needs, Westfall said.

This incident should lead Twilio’s customers and partners to exercise greater caution in using the company’s products, he added. “This situation is not unique to Twilio, however the companies that have adopted a transparent and proactive approach have been able to restore a good degree of their brand integrity and trust in less time.”

Editors' picks

Company Announcements

View all | Post a press release
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
Editors' picks
Latest in Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell