Daily illinois - USA | News, Sports & Updates Web Magazine
Phishers who breached Twilio and fooled Cloudflare could easily get you, too

by Staff Writer
December 5, 2022
in Science & Tech

At least two security-sensitive companies—Twilio and Cloudflare—were targeted in a phishing attack by an advanced threat actor who had possession of home phone numbers of not just employees but employees’ family members as well.

In the case of Twilio, a San Francisco-based provider of two-factor authentication and communication services, the unknown hackers succeeded in phishing the credentials of an undisclosed number of employees and, from there, gained unauthorized access to the company’s internal systems, the company said. The threat actor then used that access to obtain data from an undisclosed number of customer accounts.


Two days after Twilio’s disclosure, content delivery network Cloudflare, also headquartered in San Francisco, revealed it had also been targeted in a similar manner. Cloudflare said that three of its employees fell for the phishing scam, but that the company’s use of hardware-based MFA keys prevented the would-be intruders from accessing its internal network.

Well-organized, sophisticated, methodical

In both cases, the attackers somehow obtained the home and work phone numbers of employees and, in some cases, of their family members. They then sent text messages disguised to look like official company communications. The messages made false claims, such as that an employee’s schedule had changed or that the password used to log in to their work account had changed, and pointed to a fake login site. Once an employee entered credentials into the fake site, it initiated the download of a payload that, when run, installed remote desktop software from AnyDesk.

[Image captioned “Cloudflare”]

[Image captioned “Twilio”]

The threat actor carried out its attack with almost surgical precision. When the attack on Cloudflare began, at least 76 employees received a message within the first minute. The messages came from a variety of phone numbers belonging to T-Mobile. The domain used in the attack had been registered only 40 minutes earlier, too recently for the domain monitoring Cloudflare uses to ferret out impostor sites to have flagged it.
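The 40-minute lead time is the detail a defender should dwell on: any control that waits for a reputation feed to catch up with a brand-impersonating domain gives the attacker a window they get to choose. The following is an added example, not Cloudflare’s or Twilio’s tooling, of a triage check that combines a brand-token match with a newly-registered test so that a fresh look-alike domain is blocked on first sight instead of after the feed updates. The brand list, lure words, seven-day window, domain names and registration timestamps are all assumed for the illustration.

```python
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# Everything below is assumed for the example, not taken from the article or from
# Cloudflare's or Twilio's tooling: the brands to protect, the login-themed words
# lookalike domains tend to bolt onto them, and a seven-day "new domain" window.
PROTECTED_BRANDS = ("cloudflare", "twilio")
LEGIT_DOMAINS = {"cloudflare.com", "twilio.com"}
LURE_WORDS = {"okta", "sso", "login", "vpn", "hr", "schedule", "password", "auth"}
NEW_DOMAIN_WINDOW = timedelta(days=7)


def registrable_label(domain: str) -> str:
    """The label left of the TLD ('cloudflare-okta' for cloudflare-okta.com).
    Fine for the two-label domains used here; production code should consult the
    Public Suffix List so that names under co.uk and the like are split correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def analyze(domain: str, registered_at: datetime, now: datetime) -> tuple[str, list[str]]:
    """Return ('block' | 'review' | 'allow', reasons) for one newly observed domain."""
    if domain.lower() in LEGIT_DOMAINS:
        return "allow", []
    reasons: list[str] = []
    tokens = [t for t in registrable_label(domain).replace("_", "-").split("-") if t]
    brands = [b for b in PROTECTED_BRANDS if any(b in t for t in tokens)]
    if brands:
        reasons.append("brand token: " + ",".join(brands))
    lures = sorted(w for w in LURE_WORDS if w in tokens)
    if brands and lures:
        reasons.append("lure token: " + ",".join(lures))
    age = now - registered_at
    is_new = age < NEW_DOMAIN_WINDOW
    if is_new:
        reasons.append(f"registered {int(age.total_seconds() // 60)} minutes ago")
    # A brand name plus either a login-themed word or a fresh registration is the
    # pattern the article describes; block it outright rather than wait for a
    # reputation feed to catch up with a 40-minute-old domain.
    if brands and (lures or is_new):
        return "block", reasons
    if is_new:
        return "review", reasons  # no brand hit: treat like any other new domain
    return "allow", reasons


# Constructed newly-observed-domain events: (domain, registration time). The
# timestamps are invented; the first one mirrors the 40-minute lead time in the text.
NOW = datetime(2022, 8, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    ("cloudflare-okta.com", NOW - timedelta(minutes=40)),
    ("twilio-sso.com", NOW - timedelta(days=3)),
    ("cloudflare.com", datetime(2010, 1, 1, tzinfo=timezone.utc)),
    ("fresh-shop.net", NOW - timedelta(hours=2)),
    ("example.org", datetime(2000, 1, 1, tzinfo=timezone.utc)),
]


def triage(events, now: datetime = NOW) -> dict[str, str]:
    """Map each observed domain to its verdict; 'block' feeds a DNS or proxy denylist."""
    return {domain: analyze(domain, registered_at, now)[0] for domain, registered_at in events}


if __name__ == "__main__":
    for domain, registered_at in SAMPLE_EVENTS:
        verdict, reasons = analyze(domain, registered_at, NOW)
        print(f"{domain:22} {verdict:7} {'; '.join(reasons)}")
```

Run stand-alone it prints one verdict per sample domain; `cloudflare-okta.com` is blocked on the combination of brand token, lure token and a 40-minute-old registration, while a brand-free new domain only earns `review`. The registration time would come from a certificate-transparency or passive-DNS feed in practice; the scoring is deliberately simple so the decision is explainable in an alert.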


“Based on these factors, we have reason to believe the threat actors are well-organized, sophisticated, and methodical in their actions,” Twilio wrote. “We have not yet identified the specific threat actors at work here, but have liaised with law enforcement in our efforts. Socially engineered attacks are—by their very nature—complex, advanced, and built to challenge even the most advanced defenses.”

Matthew Prince, Daniel Stinson-Diess, Sourov Zaman—Cloudflare’s CEO, senior security engineer and incident response leader respectively—had a similar take.

“This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached,” they wrote. “Given that the attacker is targeting multiple organizations, we wanted to share here a rundown of exactly what we saw in order to help other companies recognize and mitigate this attack.”

Twilio and Cloudflare said they don’t know how the phishers obtained employee numbers.

It is notable that, despite three of its employees falling for the scam, Cloudflare kept its systems from being breached. The company’s use of hardware security keys that comply with the FIDO2 standard for MFA was the critical reason. Had the company relied on one-time passwords sent by text message, or even on codes generated by an authenticator app, it would likely have been a different story: both can be typed into a phishing page and relayed to the real login page before they expire.

The Cloudflare officials explained:

When the phishing page was completed by a victim, the credentials were immediately relayed to the attacker via the messaging service Telegram. This real-time relay was important because the phishing page would also prompt for a Time-based One Time Password (TOTP) code.

Presumably, the attacker would receive the credentials in real-time, enter them in a victim company’s actual login page, and, for many organizations that would generate a code sent to the employee via SMS or displayed on a password generator. The employee would then enter the TOTP code on the phishing site, and it too would be relayed to the attacker. The attacker could then, before the TOTP code expired, use it to access the company’s actual login page — defeating most two-factor authentication implementations.

[Image captioned “Cloudflare”]

We confirmed that three Cloudflare employees fell for the phishing message and entered their credentials. However, Cloudflare does not use TOTP codes. Instead, every employee at the company is issued a FIDO2-compliant security key from a vendor like YubiKey. Since the hard keys are tied to users and implement origin binding, even a sophisticated, real-time phishing operation like this cannot gather the information necessary to log in to any of our systems. While the attacker attempted to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement.
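To make the difference Cloudflare describes concrete, here is an added example, not Cloudflare’s code and not a real WebAuthn library, that models both flows: an adversary-in-the-middle relaying a TOTP code, which succeeds, and the same relay against an origin-bound assertion, which fails because the browser writes the page’s true origin into the signed client data and refuses an rpId the phishing host is not allowed to claim. The origins, rpId, secrets and challenge strings are assumed, and an HMAC stands in for the authenticator’s private-key signature.

```python
# Added example: the HMAC stands in for the security key's signature, and the
# origins, rpId and secrets are assumed; nothing here is Cloudflare's or Twilio's code.
import hashlib
import hmac
import json
import struct

# --- TOTP (RFC 6238): the code carries no information about where it was typed ---

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """HOTP over the current time step, the code an authenticator app displays."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp_server_accepts(secret: bytes, code: str, unix_time: int) -> bool:
    """Typical server: current step plus the previous one, to absorb clock skew."""
    return any(hmac.compare_digest(code, totp(secret, unix_time - d)) for d in (0, 30))


def relay_attack_totp(secret: bytes, unix_time: int) -> bool:
    """Victim types the code into the phishing page; the phisher forwards it to the
    real site seconds later, inside the validity window. Returns True: login accepted."""
    code_typed_on_phishing_page = totp(secret, unix_time)
    return totp_server_accepts(secret, code_typed_on_phishing_page, unix_time + 5)


# --- Origin-bound assertion: the browser, not the page, fixes origin and rpId ------

RP_ID = "example.com"                        # assumed relying-party id
REAL_ORIGIN = "https://sso.example.com"      # assumed real login origin
PHISHING_ORIGIN = "https://sso-example.com"  # look-alike host, not under example.com


def host_of(origin: str) -> str:
    return origin.split("://", 1)[1]


class Authenticator:
    """A security key holding one credential per relying party, keyed by rpId."""

    def __init__(self) -> None:
        self.credentials: dict[str, bytes] = {}

    def register(self, rp_id: str, key: bytes) -> None:
        self.credentials[rp_id] = key

    def sign(self, rp_id: str, client_data_json: bytes):
        key = self.credentials.get(rp_id)
        if key is None:
            return None  # no credential for this rpId, so nothing to sign
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return {"authenticatorData": auth_data, "clientDataJSON": client_data_json,
                "signature": hmac.new(key, to_sign, hashlib.sha256).digest()}


def browser_get_assertion(auth: Authenticator, page_origin: str, rp_id: str, challenge: str):
    """navigator.credentials.get() as the browser enforces it: rpId must be the page's
    host or a parent of it, and the origin in clientDataJSON is the one the browser saw."""
    host = host_of(page_origin)
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("SecurityError: rpId not valid for page origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    return auth.sign(rp_id, client_data)


def server_verify(key: bytes, assertion, challenge: str) -> bool:
    """Relying party: check type, challenge, origin and rpIdHash, then the signature."""
    if assertion is None:
        return False
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get" or client_data.get("challenge") != challenge:
        return False
    if client_data.get("origin") != REAL_ORIGIN:
        return False  # the assertion was produced on some other site
    if assertion["authenticatorData"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    to_sign = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def legit_login(auth: Authenticator, key: bytes, challenge: str) -> bool:
    return server_verify(key, browser_get_assertion(auth, REAL_ORIGIN, RP_ID, challenge), challenge)


def relay_attack_webauthn(auth: Authenticator, key: bytes, challenge: str) -> str:
    """Same relay as for TOTP: the phisher fetched `challenge` from the real site and
    feeds it to the victim's browser on the phishing page. Returns 'blocked'."""
    try:
        assertion = browser_get_assertion(auth, PHISHING_ORIGIN, RP_ID, challenge)
    except ValueError:
        # The only rpId the phishing page may claim is its own host, for which the key
        # holds no credential; a credential there would still carry the wrong origin
        # and rpIdHash, so server_verify would reject it anyway.
        assertion = browser_get_assertion(auth, PHISHING_ORIGIN, host_of(PHISHING_ORIGIN), challenge)
    return "login" if server_verify(key, assertion, challenge) else "blocked"
```

With a key registered for `example.com`, `legit_login` succeeds from the real origin, `relay_attack_totp` returns True because a six-digit code is just a number with a 30-second lifetime, and `relay_attack_webauthn` returns `"blocked"`: the phisher can forward a challenge but cannot make the victim’s browser produce an assertion for an origin it is not on. That is the origin binding Cloudflare credits for stopping the attack after the passwords were already captured.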

Cloudflare went on to say it wasn’t disciplining the employees who fell for the scam and explained why.


“Having a paranoid but blame-free culture is critical for security,” the officials wrote. “The three employees who fell for the phishing scam were not reprimanded. We’re all human and we make mistakes. It’s critically important that when we do, we report them and don’t cover them up.”

Source: arstechnica.com

Copyright © 2020 Dailyillinois.com.