There has been a recent flurry of phishing attacks so surgically precise and well-executed that they’ve managed to fool some of the most aware people working in the cybersecurity industry. On Monday, Tuesday, and Wednesday, two-factor authentication provider Twilio, content delivery network Cloudflare, and network equipment maker Cisco said phishers in possession of phone numbers belonging to employees and employee family members had tricked their employees into revealing their credentials. The phishers gained access to internal systems of Twilio and Cisco. Cloudflare’s hardware-based 2FA keys prevented the phishers from accessing its systems.
The phishers were persistent, methodical and had clearly done their homework. In one minute, at least 76 Cloudflare employees received text messages that used various ruses to trick them into logging into what they believed was their work account. The phishing website used a domain (cloudflare-okta.com) that had been registered 40 minutes before the message flurry, thwarting a system Cloudflare uses to be alerted when the domains using its name are created (presumably because it takes time for new entries to populate). The phishers also had the means to defeat forms of 2FA that rely on one-time passwords generated by authenticator apps or sent through text messages.
Creating a sense of urgency
Like Cloudflare, both Twilio and Cisco received text messages or phone calls that were also sent under the premise that there were urgent circumstances—a sudden change in a schedule, a password expiring, or a call under the guise of a trusted organization—necessitating that the target takes action quickly.
On Wednesday, it was my turn. At 3:54 pm PT, I received an email purporting to be from Twitter, informing me my Twitter account had just been verified. I was immediately suspicious because I hadn’t applied for verification and didn’t really want to. But the headers showed that the email originated from twitter.com, the link (which I opened in Tor on a secure machine) led to the real Twitter.com site, and nothing in the email or linked page asked me to provide any information. I also noticed that a checkmark had suddenly appeared on my profile page.
Satisfied the email was genuine, I noted my surprise on Twitter at 3:55.
What the hell. Twitter just verified my account, even though I have steadfastly refused to give them my ID or any other info. I wonder why.
— Dan Goodin (@dangoodin001) August 10, 2022
Seconds later, at 3:56, I received a direct message purporting to come from Twitter’s verification department. It said that for my verification to become permanent, I needed to respond to the message with either my driver’s license, passport, or other government-issued ID.
I have strong feelings about the inappropriateness of Twitter—a company that has been hacked at least three times and admitted to misusing user phone numbers—asking for this kind of data. I was mad. It was near the end of my workday. I was still surprised at the unexpected and unfaked gifting by Twitter of a checkmark I hadn’t asked for. So without thoroughly reading the DM, I tweeted a screenshot of it, along with a cynical comment about Twitter not being trustworthy.
I spoke too soon. Sorry, @twitter, you’re not trustworthy. Go ahead and remove the blue checkmark. You’re not getting my ID only so you can get hacked again or use it for marketing purposes. pic.twitter.com/dimLCLagdU
— Dan Goodin (@dangoodin001) August 10, 2022
The thing is, the DM used broken English; the user handle was named Support, followed by a bunch of numbers; the account was locked. The DM is a textbook example of a phish, with all the hallmarks of a scam. So why was my first impression that this message was genuine? There are a few reasons.