Cloudflare: Someone tried to pull the Twilio phishing tactic on us too

2022-08-10 14:23

Cloudflare says it was subject to a similar attack to one made on comms company Twilio last week, but in this case it was thwarted by hardware security keys that are required to access applications and services.

According to Cloudflare, it recorded a very similar incident late last month, which could suggest the two attacks may have originated from the same attacker or group.

Cloudflare has systems to watch for domains being registered with its name and get them shut down, but in this case the domain had been registered less than 40 minutes before the phishing messages were sent, and so it had not yet been detected.

As with the Twilio incident, the fake Cloudflare Okta login page prompted any employee who visited it for their username and password.

Alerted by their employees contacting SIRT, Cloudflare was able to analyze the payload of the phishing attack based on the message employees received, as well as what was posted to services like VirusTotal by other companies that had been victims of similar attacks.

The reason for doing this was because the phishing page would also prompt for a Time-based One Time Password code, according to Cloudflare, and it would be necessary for the attacker to attempt to login using the code before it expired.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/08/10/cloudflare_twilio_phishing/

#cloudflare #phishing #twilio #US