Twilio hacked by phishing campaign targeting internet companies

Discussion in 'other security issues & news' started by guest, Aug 8, 2022.

  1. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
    No, TOTP-based 2FA codes are not "sent" to Authy when someone tries to log in to a website.
    You don't have a clue, because you clearly have not used Authy or any other TOTP-based 2FA.
    https://en.wikipedia.org/wiki/Time-based_one-time_password

    Maybe just try it for educational purposes before making so many comments on a subject?
     
  2. guest

    guest Guest

    Twilio breach let hackers see Okta's one-time MFA passwords
    By Ionut Ilascu @Ionut_Ilascu - August 28, 2022
    Okta: Detecting Scatter Swine: Insights into a relentless phishing campaign
     
    Last edited by a moderator: Sep 3, 2022
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    @Rasheed187

    I'm with you mostly 100% on your assessment, and I too am trying to make sense of it. But from one of the links in this thread

    https://arstechnica.com/information-technology/2022/08/phishers-breach-twilio-and-target-cloudflare-using-workers-home-numbers/

    I found this:

    https://cdn.arstechnica.net/wp-content/uploads/2022/08/cloudflare-phishing-attack-640x223.png

    Underlining added by me

    So maybe the biggest takeaway for me with this is that it all begins with someone falling for a phishing scam. If the victim doesn't fall for the phishing scam in the first place, they won't fall victim to this. The other part of the attack, if I understand correctly, involved the malicious actors gaining access to the company's systems to steal customer information. There is nothing the victims can do about that.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    You cannot be serious? Maybe first try to understand what someone means before commenting? I have a question for you. When do you need "one-time passwords" that you receive via SMS or an authentication app like Authy? So which activity triggers this? Only when you log in to some real (legit) website, is this correct or not?
     
  5. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
    I get my 2FA code whenever I want. I just open the Authy app (or any other TOTP-based authenticator) and it is just there. It doesn't matter if I visit any website or not. What activity triggers it? Opening an authenticator app. Codes are created constantly at a 30-second interval. The smartphone can be in airplane mode and the basic functionality of showing 2FA codes will still work.

    It is completely different when it comes to SMS-based authentication, which I no longer use.

    Maybe just, like, try it? Or read the Wikipedia page?
     
    Last edited: Aug 29, 2022
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    My bad, I now understand what you mean, and it was a bit of a miscommunication. What I described applies only to SMS-based 2FA and not to authentication apps like Authy and Google Authenticator. I honestly thought that Authy worked a bit similarly to SMS-based 2FA, with the only difference that the OTP was being received inside the desktop/smartphone app.

    For the last 20 years I have been using hardware token devices (OneSpan DigiPass) to log in to my online bank. I now wonder if they are also vulnerable to phishing attacks, because I always figured that these devices are tied to the legit banking server, so on a fake banking site they wouldn't generate the right OTP. This also added to my confusion about Authy; I thought it was a bit more advanced.

    Sorry, I totally missed this post. But if all this is true, then the biggest takeaway for me is that 2FA based on authentication apps like Authy is pretty much crap! I mean, is it really this simple to fool people into giving up their 2FA code, and then it's game over? Wouldn't it make more sense that Authy would simply not work on fake phishing websites? It seems like they did indeed try to tackle this problem with U2F-based solutions like YubiKey, and the new PassKey system introduced by Apple will also solve the problem with credential phishing.
     
  7. guest

    guest Guest

    How 1-Time Passcodes Became a Corporate Liability
    By Brian Krebs - August 30, 2022
     
    Last edited by a moderator: Sep 3, 2022
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks, this article sums it up quite well: 2FA via authentication apps like Authy is very overhyped, because of the simple fact that it doesn't solve the phishing problem. This was a disaster waiting to happen, and it's quite ironic that Twilio, the maker of Authy, now got hacked themselves because they weren't protecting employees against phishing.

    And from what I've read, this wasn't even a sophisticated phishing attack, because advanced phishing tools like Evilginx weren't even used. It's also weird that Twilio didn't use any "device fingerprinting" solution; then they would have known that hackers were trying to log in. So the solution is to use hardware security keys like YubiKey, and passwordless authentication might also become a solution.

    https://www.beyondidentity.com/blog/are-you-using-phishing-resistant-mfa
    https://www.onespan.com/blog/how-at...tor-authentication-and-how-protect-your-users
    https://www.hoxhunt.com/blog/5-ways-to-bypass-two-factor-authentication
     
  9. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    But they don’t
    The malicious actors are just taking that code and entering it into the real website.
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    My interpretation too.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Sorry guys, I should have been more clear. You guys are correct, and perhaps I was being a bit too harsh when I said that Authy is pretty much crap, because as long as you're not tricked into opening a phishing site, it's a pretty good system. The same goes for hardware tokens like OneSpan DigiPass and RSA SecurID.

    However, I was thinking about authenticator apps based on U2F, which means that it should always check if you're on the legit website, and this can only be done if the website sends a push notification to the Authy app running on a smartphone or laptop/desktop. This should even block advanced MITM attacks (link 4), since Authy will see that someone is trying to access your account via some other device. But it's not foolproof either, so USB security keys like YubiKey stay the best option; see the second link.

    https://arstechnica.com/information...paign-that-can-hijack-mfa-protected-accounts/
    https://community.spiceworks.com/topic/2352967-making-better-push-based-mfa
    https://security.stackexchange.com/...rotect-against-phishing-mitm-better-than-totp
    https://www.bleepingcomputer.com/ne...s-phishing-actors-to-reverse-proxy-solutions/
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    That's pretty much the heart of the matter it seems. Unfortunately this is the stage where the targeted end user has to take matters at least partly in their own hands, because placing entire faith in some 3rd party security measure is not going to guarantee they will stay safe from phishing attacks.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    The thing that bugs me is that I always assumed that MFA was also a pretty good layer against phishing attacks; it turns out I was wrong. I have been reading a lot about MFA the last few days, and I must say it's quite confusing: some companies claim they offer unphishable MFA, but it's not clear to me how they achieve this. For example, Duo now offers "Verified Duo Push" to make it more resistant to hackers, so I guess this will also stop MITM attacks?

    From what I understood, with YubiKey you always first register it on the correct website, so on the fake website it will simply fail to authenticate you. So I was wondering if this couldn't be applied to apps like Authy as well? But I somehow can't visualize this; I guess I'm talking about "passwordless" push-based MFA. Check out the links for more info, and in link 4 you will find a matrix that explains the various MFA methods and which ones should protect against phishing.

    https://duo.com/blog/verified-duo-push-makes-mfa-more-secure
    https://security.stackexchange.com/questions/71316/how-secure-are-the-fido-u2f-tokens
    https://pentestingguide.com/how-to-bypass-2fa-and-mfa/
    https://www.hypr.com/passwordless-security-guide/passwordless-login-methods
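An added example, not from this thread and not Yubico's, Authy's or any vendor's code: a simplified Python model of the WebAuthn/U2F origin binding the post above asks about, showing why a key registered at the real site yields nothing usable when the browser is on a look-alike origin. The origins bank.example and bank-login.example are constructed, and an HMAC with a per-credential secret stands in for the authenticator's per-credential signing key, which does not change the origin logic being illustrated.

```python
# Added example (not from the thread): WebAuthn/U2F-style origin binding.
# Simplification: real authenticators sign with a per-credential private key
# and the RP stores the public key; here both sides share an HMAC secret.
import hashlib
import hmac
import json
import secrets

RP_ID = "bank.example"                         # constructed relying-party id
RP_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-login.example"    # constructed look-alike origin


class Authenticator:
    """Security-key model: credentials are scoped to an rpId; it never sees the page URL."""
    def __init__(self):
        self.creds = {}

    def register(self, rp_id):
        cred_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.creds[cred_id] = (rp_id, key)
        return cred_id, key                    # key also handed to the RP (HMAC simplification)

    def get_assertion(self, cred_id, rp_id, client_data_hash):
        stored_rp, key = self.creds[cred_id]
        if stored_rp != rp_id:
            raise ValueError("credential is scoped to another rpId")
        auth_data = hashlib.sha256(rp_id.encode()).digest()            # rpIdHash
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get(authn, cred_id, page_origin, rp_id, challenge, enforce=True):
    """Browser step: rpId must be a registrable suffix of the page host, and the real
    page origin (not whatever the page claims) is written into clientDataJSON."""
    host = page_origin.split("://", 1)[1]
    if enforce and host != rp_id and not host.endswith("." + rp_id):
        raise ValueError("rpId %s is not valid for origin %s" % (rp_id, page_origin))
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data, sig = authn.get_assertion(cred_id, rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(key, challenge, client_data, auth_data, sig):
    """Relying party: challenge, origin and rpIdHash are checked before the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN or auth_data != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def login_from(page_origin, enforce_browser_check=True):
    """Register at the real site, then authenticate from `page_origin`. With the browser
    check off, it models a client relaying the real challenge; the RP still rejects it."""
    authn = Authenticator()
    cred_id, key = authn.register(RP_ID)
    challenge = secrets.token_hex(16)                                   # issued by the RP
    try:
        out = browser_get(authn, cred_id, page_origin, RP_ID, challenge, enforce_browser_check)
    except ValueError:
        return "rejected by browser"
    return "accepted" if rp_verify(key, challenge, *out) else "rejected by relying party"
```

Contrast this with the TOTP case: a 6-digit code carries no origin, so the real site cannot tell where it was typed, whereas here both the browser's rpId check and the RP's origin check fail for the look-alike site.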
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    That being said, it's still no excuse for a company like Twilio, which is in the business of MFA, to get hacked, no matter if this was a low-skilled attack or an advanced MITM attack. You would think they would have implemented extra security layers like anti-phishing software, hardware security keys and device fingerprinting.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    BTW, Akamai also claims to offer unphishable MFA; I guess this is how I envisioned Authy would work. You need to have some kind of server security and browser fingerprinting. This way, authenticator apps like Authy would become about as secure as YubiKeys. Although I don't claim that I completely understand it, see link 3 for more info.

    https://www.akamai.com/blog/security/is-mfa-a-security-illusion
    https://www.akamai.com/blog/security/phish-proof-multi-factor-authentication-with-akamai-mfa-blog-3
    https://www.akamai.com/resources/product-brief/akamai-mfa-product-brief
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    This is the latest update on the Twilio hack; apparently there was another "voice phishing" attack earlier this year. But anyway, Twilio has beefed up security by distributing FIDO2 tokens to all employees, not sure if they mean YubiKeys with this.

    https://www.twilio.com/blog/august-2022-social-engineering-attack (scroll down to Investigation Conclusion – October 27, 2022)
     
  18. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    Everything is easy once you fool the user. You cannot look at the problem three quarters of the way in and say SMS/auth apps are easy to bypass. That's only true if the human user actually (willfully) provides information that compromises their account. One could say, if people make a mistake, shouldn't technology prevent them from damage? Perhaps. But I have yet to find a technology that can stop humans from making mistakes. And if one exists, its cost exceeds the benefits of the initial protection it's meant to give.

    This also reminds me of that security guy who got his YT account deleted after being phished. In this case, the problems, the way I see them, were the fact that you could get chat messages with a genuine domain suffix, and that the YT interface for channel move/merge/whatever is so clunky that it's easy to make a mistake.

    In this regard, for that matter, one could blame Steam for allowing links, but then anything originating from Steam and going out gives you a clear warning that you're leaving Steam. But this is a third party app. Well. Free offers? Well. After that, saying passwords/2fa/whatnot is not safe is a bit off.

    Mrk
     
  19. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    @Rasheed187, I had another thought - regarding all these different phishing scenarios. Why allow hyperlinks in apps/chats, for instance? Shouldn't we lay blame at software that allows you to click on links that take you to fake sites? If we have these "smart" phones, why don't they alert, using whatever buzzwordy AI/ML heuristic, that one is going to a "wrong" site? After all, sites (with https, which was recently hailed as an important security measure even when unneeded) use the public key and cert idea, but again, this didn't really prevent people "leaking" their own information in the wrong place.

    And we can go back and back, because mistakes happen at some point, and they propagate without control. Is the first mistake allowing links, or even allowing the user to receive messages with a link? I know I'm purposefully sounding dense, but 2fa, fido, whatever are all solutions designed to make security more robust on top of a permissive model. That's like plugging holes in a sinking boat really.

    Mail clients allow images, you have cookies, remote content (like fonts), whatever, all of these supposedly make our lives easier, but then they create opportunity for misuse, and then we get new tech that tries to mitigate errors that HUMAN USERS MAKE on top of shoddy tech rather than fixing the shoddy tech.

    Phishing mails - don't allow links, simple.
    Phishing sms - don't allow links, simple.

    We can easily fix the problem by removing the convenience elements that were never intended in either of these techs, mail or sms.

    Everything after that is just chance and secondary damage.

    Mrk
     
  20. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
    AI/ML on private messages exchanged in free time? No, thanks. And it would be probably illegal to make it mandatory for users in EU.

    Removing links from sms and e-mails? It decreases their usefulness substantially. And you still can convince someone to install some double-purpose remote viewer tool and give it privileges, e.g. VNC.

    2FA via TOTP codes should increase security substantially, not make it almost the same as a 1FA login (login+password). I blame at least partially the Twilio platform (and other platforms) that the same one-time code in practice gave all the privileges that could be gathered in case of successful phishing on a 1FA-only platform. The first token should only allow login, seeing information and some basic actions; by no means changing the credentials (sic!) of the account. Strictly speaking it is not a problem with TOTP codes, it is a problem with the platform.

    On the other hand, hardware FIDO tokens effectively make phishing-based attacks not work at all. You need to invest some money in a pair of hardware tokens, though.
     
  21. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
  22. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    @reasonablePrivacy, I'm not saying AI/ML on private messages, I'm saying, you get a message with a link, that link alone, when forwarded to the browser, could be analyzed against known "similarities" aka fuzzy search to detect possible phishing. Just an option. I'm actually ridiculing the whole AI/ML thing, because everyone is talking about amazing heuristics, but then people get sent messages that take them to random sites, and your whole operating system/browser obliges dumbly.

    Also, yes, sms/mail without links would be less usable, but when these techs were designed, they were not designed for hyperlinks. We use them "wrongly" today.

    Also, we shouldn't blame these techs for being insecure or people for being dumb. We can make things better, but that's neither convenient nor profitable. If you look at it, a lot of companies willingly or unwillingly send mails or messages that look like textbook phishing. How many times have you received genuine messages from your bank, your doctor, whatever, and thought, what the hell, is this some scam?

    Mrk
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    There is a technology that's pretty bulletproof and those are hardware security keys like the ones offered by Google and Yubico. The point is that these hardware tokens only work on the correct website, so phishing and even advanced MITM attacks won't work.

    I wouldn't want to ban links, just as disabling JS in browsers is not a realistic solution to browser exploits. But I do agree that browsers should become a little smarter; you would think they could come up with a system that alerts you about possible fake sites. And apparently MS SmartScreen and Google Safe Browsing aren't good enough to protect against phishing.
     
  24. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    Hardware keys are not a bulletproof solution as they require a significant tech stack setup and expertise. Imagine normies using those. Not likely. Especially not when your phone "acts" as a hardware key - which is a paradox in the sense that it's a fully capable network device that can be hacked. For that matter, disabling JS is equally usable for most people.

    What I meant by links is that the problem starts much earlier in the chain. As early as the wrong medium for the right content, i.e., sms for links and the like.

    Mrk
     
  25. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
    I don't think engineers at Twilio should be considered normies.

    It is hackable, but it is far more resistant against persistence and complete control, just because users typically don't run apps as root, and a locked bootloader combined with an OS in which you are not supposed to install 3rd-party drivers. Not to mention the secure enclave, Samsung Knox or Apple's hardware protections.
    Last but not least, it is a second, separate device. I mean, even when you have two of the same laptop model with the same Windows version, just for different purposes, it is still less likely to have both of them infected rather than one of them.
     
    Last edited: Oct 31, 2022