Recently, there has been a spate of phishing attacks that are so surgically accurate and well executed that they have managed to fool some of the most conscious people working in the cybersecurity industry. On Monday, Tuesday and Wednesday, two-factor authentication provider Twilio, content delivery network Cloudflare and network equipment maker Cisco said phishers in possession of employee phone numbers and employee relatives had tricked their employees into revealing their credentials. The phishers were given access to internal systems from Twilio and Cisco. Cloudflare’s hardware-based 2FA keys prevented the phishers from accessing its systems.
The phishers were persistent, methodical, and had clearly done their homework. Within one minute, at least 76 Cloudflare employees received text messages using various schemes to trick them into logging into what they believed to be their work account. The phishing website was using a domain (cloudflare-okta.com) registered 40 minutes before the message was distributed, causing a system Cloudflare uses to be alerted when the domains using its name are being created (presumably because it takes time for new entries to populate). The phishers also had the means to defeat forms of 2FA that rely on one-time passwords generated by authentication apps or sent via text messages.
Creating a sense of urgency
Like Cloudflare, both Twilio and Cisco received text messages or phone calls that were also sent under the assumption that there were urgent circumstances — a sudden change in schedule, an expired password, or a call under the guise of a trusted organization — making that necessary. was the target springs into action quickly.
Wednesday was my turn. At 3:54 PM PT, I received an email purportedly from Twitter saying that my Twitter account had just been verified. I was immediately suspicious because I hadn’t requested verification and didn’t really want to. But the headers showed that the email came from twitter.com, the link (which I opened in Tor on a secure computer) led to the real Twitter.com site, and nothing in the email or linked page. asked me to provide information. I also noticed that a check mark had suddenly appeared on my profile page.
Satisfied that the email was genuine, I noted my surprise on Twitter at 3:55 AM.
Damn it. Twitter just verified my account, even though I steadfastly refused to give them my ID or any other information. I ask myself why.
— Dan Goodin (@dangoodin001) August 10, 2022
Seconds later, at 3:56 AM, I received a direct message purportedly from Twitter’s verification department. It said that to make my verification permanent, I had to respond to the message with my driver’s license, passport, or other government-issued ID.
I have strong feelings about the impropriety of Twitter – a company that has been hacked at least three times and admitted to misusing users’ phone numbers – to ask for this kind of data. I was angry. It was almost the end of my working day. I was still taken aback by Twitter’s unexpected and unadulterated gift of a checkmark I hadn’t asked for. So without reading the DM thoroughly, I tweeted a screenshot of it, along with a cynical comment that Twitter was not trustworthy.
I spoke too fast. Sorry, @twitteryou can’t be trusted. Go ahead and remove the blue check mark. You don’t just get my ID so you can get hacked again or use it for marketing purposes. pic.twitter.com/dimLCLagdU
— Dan Goodin (@dangoodin001) August 10, 2022
The point is that the DM used broken English; the user handle was called Support, followed by some numbers; the account was blocked. The DM is a textbook example of a phish, with all the hallmarks of a scam. So why was my first impression that this post was real? There are a few reasons.