© 2023 CyberNews - Latest tech news,
product reviews, and analyses.

Cloudflare targeted by a sophisticated phishing attack

Scammers fooled Cloudflare's employees into entering their credentials into a phishing page. Attackers tried to log in, but the company successfully thwarted the attack.

Around the same time as a phishing attack targeted Twilio, Cloudflare saw a similar attempt to fool the company's employees. Cloudflare said individual employees fell for it.

"This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached," Cloudflare said.

On July 20, over the course of less than 1 minute, at least 76 employees received text messages on their personal and work phones. Even some employees' family members were targeted.

"Alert!! Your Cloudflare schedule has been updated, Please tap coudflare-okta.com [malicious link] to view your changes," the text messages received by employees read.

Cloudflare hasn't yet determined how the attacker assembled the list of employees' phone numbers but reviewed access logs and found no sign of compromise.

Phishing messages came from four phone numbers associated with T-Mobile-issued SIM cards and pointed to an official-looking phishing domain registered less than 40 minutes before the phishing campaign began.

Cloudflare uses Okta as its identity provider. The phishing page was designed to look identical to a legitimate Okta login page and prompted visitors to enter their username and password.

"We confirmed that three Cloudflare employees fell for the phishing message and entered their credentials. [...] Every employee at the company is issued a FIDO2-compliant security key from a vendor like YubiKey," Cloudflare said. "Since the hard keys are tied to users and implement origin binding, even a sophisticated, real-time phishing operation like this cannot gather the information necessary to log in to any of our systems. While the attacker attempted to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement."
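The origin binding Cloudflare refers to shows up in the checks a relying party runs on a WebAuthn login assertion. The sketch below is an added example, not code from Cloudflare or Okta: the domains are constructed placeholders, and an HMAC stands in for the security key's public-key signature so that it runs with the Python standard library only.

```python
import base64, hashlib, hmac, json, os

RP_ID = "login.example.com"                  # constructed placeholder relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(key, auth_data, client_data):
    # Stand-in for the key's asymmetric signature (assumption: HMAC, stdlib only).
    msg = auth_data + hashlib.sha256(client_data).digest()
    return hmac.new(key, msg, hashlib.sha256).digest()

def browser_and_key(key, page_origin, challenge):
    """The browser, not the page, records the origin it is really on; the key signs it.
    A real key holds no credential for a lookalike RP ID and would return nothing;
    this simulation signs anyway so the server-side checks can be shown."""
    host = page_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    # authenticatorData: SHA-256(rpId) | flags (user present) | signature counter
    auth_data = hashlib.sha256(host.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return client_data, auth_data, sign(key, auth_data, client_data)

def verify_assertion(key, challenge, client_data, auth_data, sig):
    """Relying-party checks on a login assertion; returns (ok, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not hmac.compare_digest(sig, sign(key, auth_data, client_data)):
        return False, "bad signature"
    return True, "ok"

def demo():
    key, challenge = os.urandom(32), os.urandom(32)
    out = {"genuine": verify_assertion(key, challenge,
                                       *browser_and_key(key, EXPECTED_ORIGIN, challenge))}
    # Relay case: the victim is on a lookalike page, so the browser records that origin.
    cd, ad, sig = browser_and_key(key, "https://login-example.test", challenge)
    out["relayed"] = verify_assertion(key, challenge, cd, ad, sig)
    # Rewriting origin and rpIdHash after the fact breaks the signature over both.
    forged_cd = cd.replace(b"https://login-example.test", EXPECTED_ORIGIN.encode())
    forged_ad = hashlib.sha256(RP_ID.encode()).digest() + ad[32:]
    out["rewritten"] = verify_assertion(key, challenge, forged_cd, forged_ad, sig)
    return out
```

A phished password has no equivalent of these checks, which is why the stolen credentials alone were not enough to log in.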

Twilio data breach

Phishers fooled some Twilio employees into providing their credentials and then used them to gain access to the company's internal systems.

"More specifically, current and former employees recently reported receiving text messages purporting to be from our IT department. Typical text bodies suggested that the employee's passwords had expired, or that their schedule had changed, and that they needed to log in to a URL the attacker controls," Twilio said.

Criminals impersonated Twilio's sign-in page by using words like Twilio, Okta, and SSO in the URLs.

"The text messages originated from US carrier networks. We worked with the US carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down," Twilio said.

Twilio's security team revoked access to the compromised employee accounts to mitigate the attack.

"As the threat actors were able to access a limited number of accounts' data, we have been notifying the affected customers on an individual basis with the details. If you are not contacted by Twilio, then it means we have no evidence that your account was impacted by this attack," the company concluded.
