24 May 2024

Should I trust an SMS? What you can learn from the Twilio compromise

In August, Twilio, a large communications company, was breached via a targeted and sophisticated SMS-phishing (smishing) campaign.

Twilio have a range of products that enable organisations to communicate with their clients. Most notably, they own a platform called Authy - a service used by organisations to maintain and manage their own multi-factor authentication approach.

No!

Smishing is not a new technique, but it can be extremely effective. Text messages/SMS messages do not have any of the security controls that we usually see with email inboxes. By sending an SMS to a phone, an attacker bypasses all the layers of communication security that would usually protect the user. For example, modern mail security includes reputation checking, re-writing of links, re-writing of attachments, and malicious intent inspection. A mobile device has none of these protections.

At the protocol level SMS is flawed too: with sender-name spoofing, an attacker can send an SMS to anyone while pretending to be anyone. For example, using APIs commonly used for marketing purposes, it is possible for an attacker to send a message to any mobile phone number with the SMS appearing to originate from any sender, such as Domino's, HMRC, or someone as close as a family member, e.g., "Mum".

What can organisations do to prevent this type of attack?

  • Assume you will get breached, plan for it, and practise it - A well-defined and well-practised playbook can lead to an attacker being caught quicker, making it less likely that they gain persistent access.
  • Teach your colleagues that information in an SMS should be taken with a large grain of salt. If you are expecting an SMS to verify a purchase, that is one thing; but if you are not expecting an SMS and it encourages you to click a link, encourage users to delete or ignore it.
  • Use brand reputation services, which identify whether a domain containing your company name has been registered.
  • Perform social engineering assessments on your colleagues, specifically around SMS.
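As an added example (not code from the original post), the following Python shows the kind of check a brand reputation service performs for the third point above: it scans a constructed feed of newly registered domains for names that contain or closely resemble an assumed brand name. The brand, the domain feed and the homoglyph table are all assumptions; a real service would also apply the public suffix list rather than taking the first label.

```python
# Added example: flag newly registered domains that impersonate a brand.
BRAND = "examplebrand"  # assumption: the company name being monitored

# Assumed daily feed of newly registered domains (constructed sample).
NEW_DOMAINS = [
    "examplebrand-verify.com",   # brand plus a lure word
    "exarnplebrand.net",         # 'rn' imitates 'm'
    "examp1ebrand-login.co.uk",  # digit 1 for letter l
    "weatherreport.org",         # unrelated, must not be flagged
    "examplebrnad.com",          # transposed letters
    "login-examplebrand.info",
]

# Characters commonly substituted for letters; fold them back before matching.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def registrable_label(domain):
    """Left-most label, lower-cased, separators removed, homoglyphs folded.
    Assumption: the first label is what a user reads in an SMS link."""
    label = domain.lower().split(".")[0]
    return label.replace("-", "").replace("_", "").translate(HOMOGLYPHS)

def edit_distance(a, b):
    """Optimal-string-alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def flag_lookalikes(domains, brand=BRAND, max_dist=2):
    """Return (domain, reason) for domains containing or near the brand name."""
    hits = []
    for dom in domains:
        label = registrable_label(dom)
        if brand in label:
            hits.append((dom, "contains brand"))
        elif edit_distance(label, brand) <= max_dist:
            hits.append((dom, "near-match to brand"))
    return hits

if __name__ == "__main__":
    for dom, reason in flag_lookalikes(NEW_DOMAINS):
        print(f"{dom:30} {reason}")
```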

The chances of the attack group targeting only Twilio are very slim; this could be the beginning of a handful of breaches resulting from this TTP being used with such sophistication at this scale.

penetration-testing