Twilio smished – SMS is the new Achilles heel

Twilio was recently compromised after a couple of employees handed over their credentials to an attacker. 

The unsuspecting employees were targeted by a smishing attack in which they received a text message on their phones saying their passwords had expired and they needed to re-authenticate. A helpful link was provided which took the employees to a spoofed page into which they entered their credentials.

I’d say that smishing is the shiny hotness for criminals. Even though an SMS may cost more to send than an email, the benefits to a criminal are:

1. No pesky email gateway or other perimeter control to stop the delivery

2. No endpoint protection or EDR that will alert the phone user

3. Harder to verify the source of an SMS and the link it contains

4. Many phones are personal devices, so IT has no visibility into them, and they are always within reach, even on vacation

5. People are more likely to be multitasking when on their phone (washing dishes, having lunch, waiting for their Uber etc.), so they aren’t fully concentrating on the task at hand.

All of this collectively means there’s a higher likelihood of success. 

What can we do about this? A few things come to mind.

Don’t use SMS to communicate with employees. Use an internal corporate channel. Let your staff know that you will never send them an SMS asking them to change their password, or any other links.

Provide a method for people to report suspicious SMS. If one employee is being targeted, there’s a high likelihood others are too, so by reporting, the security team can notify staff, block any sites, and monitor for suspicious logins. (As a side note, in the UK you can report smishing to the NCSC by forwarding the text to 7726.)

Finally, organisations should ensure relevant and timely security awareness training is provided to all employees so that they can identify and report any suspected smishing attacks. Or, even better, just plain refuse to communicate outside of corporate channels.

And let’s not even get into SMS-based two-step authentication 😀