August 19, 2022
Cyberattack On Telecom Giant Exposed Personal Data Of Signal Users: Investigating The Incident Nature
“While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users.”
Signal made this announcement this week, acknowledging the leak of users’ phone numbers that followed the cyberattack earlier this month targeting Twilio, a large US-based company that provides programmable communication tools for making phone calls and sending and receiving text messages.
In this post, we will focus on the root cause of the leak rather than on the attackers' motives, and go through everything that is publicly known so far to understand the nature of the data breach.
However, to comprehend what made this attack possible, we must first start with the basics.
So, I suggest we go back to school and repeat the never-aging truths of cybersecurity, and maybe pick up some new ones along the way, what do you say?
Exploiting the Weakest Link for a Break-In
As Twilio's own statement puts it, "Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials."
Again, a sophisticated social engineering attack designed to steal employee credentials.
What is the first thing that comes to your mind when you hear this phrasing?
If you thought of phishing, you were absolutely right.
Phishing is probably an attacker's first choice for initial access. Why? Because it is cheap, reliable and it scales: it needs no software exploit, only one person who believes the message.
You see, phishing and other social engineering attacks exploit the one factor that is deservedly considered the weakest link: the human factor. Quite simply, that means a person being induced, intentionally or inadvertently, to interact with a malicious file, link or form in a way that hands confidential information to a third party.
Scammers are well aware of the human factor and use it in the elaboration of their attacks, particularly when creating phishing campaigns.
Now I want you to pay close attention to this pivotal point, because it runs like a red thread through the entire story.
What Is Phishing and What Makes It Dangerous?
It’s a good time to remember Internet Security lessons. How did yours go?
Here’s a little excursus.
Phishing is a type of social engineering attack that exploits an emotional reaction to manipulate people, luring victims into revealing their personal information. Curiosity, fear, urgency, reward, entertainment and opportunity are the levers a phishing message pulls. Each of them is a strong motivator that pushes an unsuspecting victim to act before thinking.
To give you a better idea of how phishing works, imagine that you are going fishing. What do you need for that? Actually, a few things: a fishing rod, bait, and a reservoir. Then you fish around and wait for the fish to take the bait.
You’d be surprised, but fraudsters do the same thing.
The tools have the same names, but their purpose is different: the message sent to the victim is the bait; the malicious file or link the victim clicks on is the hook; the reservoir is the organization. Once the victim is on the hook, i.e., opens the link and enters credentials on a spoofed site or form, the fraudsters reel the victim in, and with it all of their personal data.
Thus, the ultimate goal of a phishing scam boils down to deceiving the targeted person into one of two things: disclosing their login details, or compromising their device with malware.
The first scenario is entering credentials into a bogus form; the second is opening an attachment or downloading a file that carries malware.
The first scenario, by the way, is exactly what happened to Twilio employees.
So, What On Earth Happened to Signal and Twilio?
We have, in fact, already established the first part: Twilio fell prey to a phishing attack. Since Signal uses Twilio to deliver the SMS verification codes it sends when users register a phone number, the breach reached Signal's users as well.
According to Signal's announcement, the phone numbers of about 1,900 users could have been exposed. For those numbers the attacker could also have seen the SMS verification code, which is what is needed to register the number on a new device; Signal said it received a report that at least one account was re-registered this way. Message history, contacts and profile information were not exposed, because Signal does not keep them, and a registration lock PIN, where the user has enabled it, blocks re-registration even when the attacker holds the SMS code.
Twilio hired a forensics firm to help with the ongoing investigation. The weak point it identified was not a bug in the telecommunications platform that sends the text messages and makes the phone calls, but the way into the internal systems that sit around it.
But what was the nature of the vulnerability?
Well, we partially answered that question too, when we talked about the weakest link.
According to Twilio’s incident report, “current and former employees recently reported receiving text messages purporting to be from our IT department. Typical text bodies suggested that the employee's passwords had expired, or that their schedule had changed, and that they needed to log in to a URL the attacker controls. The URLs used words including "Twilio," "Okta," and "SSO" to try and trick users to click on a link taking them to a landing page that impersonated Twilio’s sign-in page.”
To make the story short, employees received SMS lures asking them to re-enter their login credentials at a spoofed sign-in page. When some staff members fell for the ruse, the threat actors replayed those credentials against Twilio's internal systems, including the customer support console, and from there could view data belonging to Twilio customers such as Signal.
Now you can see what a single indiscretion can do.
But the good news is that we can do more to prevent this and other types of data breaches.
What Can We Do Against Phishing Attacks?
Organizations have been tackling the problem of phishing prevention for a very long time.
The most typical methods used to stop phishing include continual employee training, simulated phishing campaigns, specialized technical controls for detecting and blocking risky messages, and other security awareness initiatives. On the technical side, phishing-resistant MFA (FIDO2/WebAuthn security keys, whose responses are bound to the genuine site's origin) deserves a mention: a password typed into a lookalike page is useless to the attacker when the second factor refuses to answer that page at all.
On my part, I can give you some tips on when it is time to sound the alarm. Here are just a few of them:
- Look carefully at the phone number or email address from which you receive security-related messages. If you do not recognize it, contact your IT department through a channel you already know to be genuine, not through anything in the message itself.
- "Security update" scams that urge you to change your password are common, so do not act on them until an administrator confirms the request through that trusted channel.
- Beware of links in messages. Do not open a link when anything about the message gives you reason not to trust it; type the address of the real sign-in page yourself instead.
- Check grammar and formatting. A message with several instances of broken English warrants extra caution.
- Treat messages that lean on words such as "important," "urgent," "attention," "payment" or "request" as suspect. Their purpose is to rush you into acting before you think.
- Be attentive to details and treat every message you receive with a healthy dose of skepticism.
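The tips above, and the lure Twilio described (URLs stuffed with "Twilio", "Okta" and "SSO" that lead somewhere other than the real sign-in page), can be turned into a simple triage heuristic. The following is an added example written for this post, not code from Signal or Twilio. The trusted hosts, the sample messages and the domains in them are all constructed; a real deployment would load its own allow-list and tune the word lists.

```python
import re
from urllib.parse import urlparse

# Assumption (hypothetical): the only hosts where this organisation's sign-in
# and IT pages genuinely live. A real deployment would load this from config.
TRUSTED_HOSTS = {"sso.example.com", "it.example.com"}

# Brand words Twilio reported seeing inside the attacker-controlled URLs.
BRAND_WORDS = ("twilio", "okta", "sso")

# Pressure words taken from the pretexts in Twilio's report and the tips above.
URGENCY_WORDS = ("expire", "urgent", "immediately", "important",
                 "attention", "payment", "request", "schedule")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_hosts(text):
    """Return the lower-cased hostname of every http(s) URL in the message."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def is_trusted(host):
    """True for a trusted host or a subdomain of one (login.sso.example.com).

    A suffix match on '.' + trusted host means that sso.example.com.evil.net
    is NOT trusted, which is exactly the trick a lookalike domain relies on.
    """
    return host in TRUSTED_HOSTS or any(host.endswith("." + t) for t in TRUSTED_HOSTS)


def score_message(text):
    """Score one SMS or email body; returns dict(verdict, score, reasons)."""
    lowered = text.lower()
    reasons = []
    score = 0

    for host in extract_hosts(text):
        if is_trusted(host):
            continue
        brand_hits = [w for w in BRAND_WORDS if w in host]
        if brand_hits:
            # The Twilio lure: brand name in the host, but not the brand's domain.
            score += 3
            reasons.append(f"lookalike host {host!r} contains {brand_hits}")
        else:
            score += 2
            reasons.append(f"untrusted host {host!r}")
        if "xn--" in host:
            score += 1
            reasons.append(f"punycode label in {host!r} (possible homoglyph)")

    urgency_hits = [w for w in URGENCY_WORDS if w in lowered]
    if urgency_hits:
        score += 1
        reasons.append(f"pressure words {urgency_hits}")

    if "password" in lowered or "log in" in lowered or "login" in lowered:
        score += 1
        reasons.append("asks for credentials / sign-in")

    if score >= 3:
        verdict = "suspicious"   # an untrusted link is always enough on its own
    elif score > 0:
        verdict = "review"       # pressure or credential wording, but no bad link
    else:
        verdict = "ok"
    return {"verdict": verdict, "score": score, "reasons": reasons}


# Constructed sample messages (not real Twilio artefacts); the domains are made up.
SAMPLES = {
    "lure": "Twilio IT: your password has expired. Log in at "
            "https://twilio-okta-sso.example-login.net/ to keep access.",
    "benign": "Reminder: planned SSO maintenance tonight 22:00, details at "
              "https://it.example.com/maintenance",
    "no_link": "Urgent: your schedule changed, check the portal.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, score_message(body))
```

The point of the host check is that a message is judged by where its link actually goes, not by what the link text or the message says about itself. The word lists only raise a message to "review"; a link to a host outside the allow-list is what makes it "suspicious", and a brand word inside such a host weighs most, because that is the pattern the Twilio lure used.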
Fool Me Once, Shame On You; Fool Me Twice, Shame On Me?
This old but still relevant saying captures the moral of this incident remarkably well.
In closing this post, I would like to offer my perspective on the matter. My point of view is very simple: to avoid being either the first or the second person in the saying, learn from other people's mistakes and stay safe.
This lesson is over.
Subscribe to my blog so you don’t miss other interesting cases, and see you in future news.