Massive Phishing Campaign targeting over 130 companies, affecting Twilio & Signal

Twilio, DoorDash, and Cloudflare are among more than 130 organizations that may have been compromised by hackers as part of a months-long phishing campaign nicknamed “0ktapus” by security researchers.

Login credentials belonging to almost 10,000 individuals were stolen by attackers who impersonated the widely used single sign-on service Okta, according to a statement from cybersecurity firm Group-IB.

As Group-IB details, the attackers used that access to pivot and attack accounts across other services. For example, on August 15, the secure messaging service Signal warned users that the attackers’ Twilio breach had allowed them to expose as many as 1,900 Signal accounts, and that they had been able to register new devices to a few of those accounts, which would let the attackers send and receive messages from those accounts.

Twilio also updated its breach notification this week, noting that 163 customers had their data accessed. It also stated that 93 users of Authy, its cloud service for multifactor authentication, had their accounts accessed and additional devices registered. DoorDash, Best Buy, and AT&T were also targeted.

Targets of the phishing campaign were sent text messages that redirected them to a phishing site. The statement from Group-IB states, “From the victim’s point of view, the phishing site looks quite convincing as it is very similar to the authentication page they are used to visiting.” Victims were asked for their username, password, and two-factor authentication code. This data was then sent to the attackers.
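The lure described above is an SMS carrying a link to a host that resembles a company’s Okta login page. The following added example (not from the original article or from Group-IB) shows how a defender could screen such messages: it extracts URLs, checks the host against an allowlist of the tenant’s real login hosts, and flags hosts that embed the brand name, are one edit away from it, or contain non-ASCII characters (a homoglyph trick). The tenant name “acme”, the lookalike hosts under the reserved `.example` TLD, and the SMS lines are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Brand the campaign impersonated and the suffix under which its real login
# pages live. "acme" is a constructed tenant name used only for this example.
BRAND = "okta"
ALLOWED_SUFFIXES = ("okta.com",)

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed SMS samples; the fourth uses a Cyrillic 'о' (U+043E) in place of Latin 'o'.
SMS_LOG = [
    "ACME IT: your password expires today, renew at https://acme.okta.com/login",
    "ACME IT: schedule change, please re-authenticate: https://acme-okta.example/auth",
    "Action required: https://login.okta-sso-acme.example/verify?u=1",
    "Security alert - confirm your identity at https://acme.\u043ekta.example/",
    "Your parcel is waiting: https://tracking.example.org/abc",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character lookalikes of the brand name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> dict:
    """Return a verdict for one URL: which host it points at and why it is suspicious, if it is."""
    host = (urlparse(url).hostname or "").rstrip(".").lower()
    reasons = []

    # A host is legitimate only if it is an allowlisted name or a subdomain of one.
    ascii_host = host.encode("idna").decode("ascii")
    on_allowlist = any(ascii_host == s or ascii_host.endswith("." + s) for s in ALLOWED_SUFFIXES)

    if not on_allowlist:
        if ascii_host != host:
            reasons.append("non-ASCII hostname (possible homoglyph)")
        # Compare the Unicode labels so a Cyrillic 'о' in 'оkta' still scores as a near miss.
        for label in re.split(r"[.-]", host):
            if BRAND in label:
                reasons.append(f"brand name '{BRAND}' in a host that is not on the allowlist")
                break
            if len(label) >= 3 and levenshtein(label, BRAND) <= 1:
                reasons.append(f"label '{label}' is a lookalike of '{BRAND}'")
                break
    return {"url": url, "host": host, "suspicious": bool(reasons), "reasons": reasons}


def scan_sms(messages) -> list:
    """Run every URL in each message through classify_url and keep the suspicious ones."""
    findings = []
    for msg in messages:
        for url in URL_RE.findall(msg):
            verdict = classify_url(url)
            if verdict["suspicious"]:
                findings.append({"message": msg, **verdict})
    return findings


if __name__ == "__main__":
    for finding in scan_sms(SMS_LOG):
        print(finding["host"], "->", "; ".join(finding["reasons"]))
```

The allowlist check happens on the IDNA-encoded form so that an internationalized name is compared the way a resolver sees it, while the lookalike comparison runs on the Unicode labels so that a substituted character still counts as a one-edit near miss. In practice the allowlist would be the organization’s real identity-provider hosts, and the scan would sit on a mobile-device management or SMS-filtering hook rather than on a list literal.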

Group-IB’s analysis indicates that the attackers were somewhat inexperienced. “The analysis of the phishing kit revealed that it was poorly configured and the way it had been developed provided the ability to extract stolen credentials for further analysis,” Roberto Martinez, a senior threat intelligence analyst at Group-IB, told TechCrunch.

The scale of the attack is massive, with Group-IB detecting 169 unique domains targeted by the campaign. It’s believed that the 0ktapus campaign began around March 2022 and that around 9,931 login credentials have been stolen so far. Additionally, the attackers have spread their net wide, targeting multiple industries, including finance, gaming, and telecoms. Domains cited by Group-IB as targets include Verizon Wireless, Coinbase, Microsoft, Twitter, AT&T, Best Buy, Riot Games, T-Mobile, and Epic Games.

Money appears to be at least one of the motives for the attacks, with researchers stating, “Seeing financial companies in the compromised list gives us the idea that the attackers were also trying to steal money. Furthermore, some targeted companies provide access to crypto assets and markets, while others develop investment tools.”

Group-IB warns that we likely won’t understand the full scale of this attack for some time. However, to guard against attacks like this, Group-IB offers the usual advice: always check the URL of any site where you’re entering login details; treat URLs received from unknown sources with suspicion; and, for added protection, use “unphishable” two-factor security keys, such as a YubiKey.
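Why a security key is “unphishable” while the one-time codes harvested in this campaign are not comes down to origin binding. The added example below (my own illustration, not from the article, Group-IB, or any vendor) models both factors in a toy relying party. The TOTP half is a straight RFC 6238 implementation; the security-key half is a simplification of a WebAuthn assertion in which an HMAC over the challenge and origin stands in for the public-key signature a real authenticator produces. The origins `https://acme.okta.com` and `https://acme-okta.example` are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed origins: the tenant's real login page and a lookalike phishing page.
RP_ORIGIN = "https://acme.okta.com"
PHISH_ORIGIN = "https://acme-okta.example"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second steps), as produced by authenticator apps."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class OtpRelyingParty:
    """Verifies a one-time code. Nothing ties the code to the page that collected it."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, code: str, unix_time: int) -> bool:
        return hmac.compare_digest(code, totp(self.secret, unix_time))


def demo_otp_relay(unix_time: int = 1_660_000_000) -> bool:
    """A code typed into a lookalike page and forwarded within the same 30 s step is accepted."""
    secret = secrets.token_bytes(20)
    rp = OtpRelyingParty(secret)
    code_typed_on_lookalike_page = totp(secret, unix_time)
    return rp.verify(code_typed_on_lookalike_page, unix_time)


def authenticator_sign(credential_key: bytes, challenge: bytes, origin: str):
    """Stand-in for a WebAuthn assertion. The browser, not the web page, supplies `origin`,
    so a lookalike page cannot obtain a signature that names the real site's origin.
    Simplification: HMAC with a shared key replaces the authenticator's private-key signature."""
    client_data = f"{challenge.hex()}|{origin}".encode()
    return client_data, hmac.new(credential_key, client_data, hashlib.sha256).digest()


class OriginBoundRelyingParty:
    """Accepts an assertion only if it is fresh, correctly signed, and bound to our origin."""

    def __init__(self, credential_key: bytes, origin: str):
        self.credential_key = credential_key
        self.origin = origin
        self.pending = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, client_data: bytes, signature: bytes) -> bool:
        if challenge not in self.pending:  # unknown or already-used challenge
            return False
        self.pending.discard(challenge)
        expected = hmac.new(self.credential_key, client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False
        challenge_hex, _, origin = client_data.decode().partition("|")
        # The origin stamped by the browser must be ours; a relayed assertion fails here.
        return challenge_hex == challenge.hex() and origin == self.origin


def demo_origin_bound(phish_origin: str = PHISH_ORIGIN) -> tuple:
    """Returns (legitimate login accepted, relayed login accepted)."""
    key = secrets.token_bytes(32)
    rp = OriginBoundRelyingParty(key, RP_ORIGIN)

    # Legitimate login: the victim's browser is on the real origin.
    c1 = rp.new_challenge()
    legit_ok = rp.verify(c1, *authenticator_sign(key, c1, RP_ORIGIN))

    # Relayed login: the lookalike page obtains a fresh challenge from the real site and has
    # the victim's browser sign it, but the browser stamps the lookalike origin into client_data.
    c2 = rp.new_challenge()
    relayed_ok = rp.verify(c2, *authenticator_sign(key, c2, phish_origin))
    return legit_ok, relayed_ok


if __name__ == "__main__":
    print("relayed TOTP accepted:", demo_otp_relay())
    print("(legit, relayed) security-key login accepted:", demo_origin_bound())
```

The OTP relying party has no way to learn where the user typed the code, which is exactly the gap 0ktapus exploited. The origin-bound relying party rejects the relayed assertion even though the challenge is genuine and the signature is valid, because the origin inside the signed client data is the lookalike page’s, not the real site’s; in real WebAuthn the browser fills that field and the authenticator additionally checks the relying-party ID, so no amount of convincing page design changes the outcome.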

This recent string of phishing attacks is one of the most impressive campaigns of this scale to date. The report concludes that “0ktapus shows how vulnerable modern institutions are to some basic social engineering attacks and how far-reaching the effects of such incidents can be for their partners and customers.”

The scale of these threats isn’t likely to decrease soon, either. Research from Zscaler shows that phishing attacks increased by 29 percent globally in 2021 compared to the previous year and notes that SMS phishing, in particular, is expanding faster than other kinds of scams as people have started to recognize fraudulent emails better. Socially engineered scams and hacks were also seen rising during the COVID-19 pandemic. Earlier this year, we even saw that both Apple and Meta shared data with hackers pretending to be law enforcement officials.

Twilio, an American company based in San Francisco, California, provides programmable communication tools for making and receiving phone calls, sending and receiving text messages, and performing other communication functions using its web service APIs.

Twilio was established in 2008 by Evan Cooke, Jeff Lawson, and John Wolthuis and was initially based in Seattle, Washington, and San Francisco, California.

Twilio’s first significant press coverage, in November 2008, resulted from an application built by Jeff Lawson to rickroll people, which investor Dave McClure used on TechCrunch founder and editor Michael Arrington as a prank. A few days later, the company launched Twilio Voice, an API to make and receive phone calls hosted in the cloud. Twilio’s text messaging API was launched in February 2010, and SMS short codes were released in public beta in July 2011.

Twilio filed for IPO and started trading on June 23, 2016, with a 92% increase on the first day. In March 2020, Twilio revealed the appointment of Glenn Weinstein as Chief Customer Officer and Steve Pugh as Chief Security Officer.

On August 4, 2022, an unknown attacker accessed Twilio’s internal network through an SMS phishing campaign targeting Twilio’s employees. Twilio confirmed the breach three days later, stating that it affected only “a limited number” of customer accounts. On August 15, Signal announced that the breach had affected it, indicating that the 125 customers affected included at least some enterprise accounts.