No vulnerability is as difficult to address as human error. A small mistake like clicking on a malicious email attachment or a link to a phishing website can start a breach that puts an organization’s reputation at risk. This is something that social engineering scammers are well aware of.
Nowhere has this been more clearly illustrated than in the recent Twilio breach. On Thursday, August 4, API communications provider Twilio suffered a data breach after employees succumbed to a “sophisticated social engineering attack designed to steal employee credentials.”
During the attack, hackers created an SMS phishing scam (or smishing attempt), which impersonated Twilio’s IT department and warned employees that their passwords had expired or needed to be changed.
Employees that clicked on the link were taken to a spoofed version of the Twilio sign-in page where the hacker harvested their login credentials, which they later used to access the company’s internal systems and view the data of 125 customers.
The reality of social engineering
The attack highlights the effectiveness of social engineering attacks, where hackers attempt to trick employees into giving up personal information via email, SMS, or phone by posing as a trusted individual or organization.
One of the latest examples of this occurred yesterday when Cisco Talos publicly disclosed a data breach that occurred on May 24, 2022, which the Yanluowang ransomware gang claims resulted in the exfiltration of 2.8GB of data.
In this attack, Yanluowang gained control of an employee’s personal Google account, which was synchronizing login credentials in the user’s browser.
They also conducted a series of voice phishing attacks impersonating various trusted organizations to mislead employees into accepting multifactor authentication (MFA) push notifications, which enabled them to gain access to a VPN and critical internal systems.
Both the Twilio and Cisco data breaches highlight that organizations cannot afford to rely on employees to identify increasingly complex social engineering scams.
“This attack showcases that social engineering remains one of the most effective ways to gain access to an organization and that any organization can be targeted,” said Allie Mellen, senior analyst, security and risk at Forrester.
“Ultimately, human beings will always be a target for attacks. If you get an email or a text message from what you believe to be a trusted source with an urgent message, it’s easy to click the link without pausing [to check] if it’s a scam,” Mellen said.
Examining the assumptions of password-based security
One of the main reasons why attackers are gravitating toward social engineering attacks like phishing scams is that these tools are simple to use and effective at gathering login credentials.
Research shows that stolen or compromised credentials are responsible for 19% of breaches, while phishing is responsible for 16% of breaches, highlighting that password-based security is largely ineffective at keeping threat actors at bay.
Likewise, there’s no antivirus or silver bullet that can prevent employees from making a mistake and being manipulated into handing over valuable information.
Although solutions like security awareness training can teach employees how to spot the signs of phishing scams and social engineering, there is a growing need for employees to rethink data access controls.
With the average organization exposed to 700 social engineering attempts per year, even employees who strictly adhere to security best practices aren’t safe from making mistakes. After all, an attacker only needs to mislead an employee once to successfully harvest their login credentials.
At the same time, while passwordless authentication solutions developed on the heels of the FIDO Alliance will help to eliminate reliance on credentials over the long term, organizations shouldn’t rely on these measures and MFA alone to secure their environments.
Rethinking data access
Introducing strict data access controls that enforce the principle of least privilege is key to reducing the level of risk posed by social engineering threats. If employees only have access to the basic information needed to complete their day-to-day responsibilities, they not only put less data at risk, but also become a less compelling target for hackers.
As Gil Dabah, cofounder and CEO of data privacy infrastructure provider, Piiano explains, “phishing attacks are on the rise. Adequate access control can reduce to the minimum the amount of stolen data that will leak in case of credentials theft.”
“There are no actual use cases for someone in the organization to browse through big chunks of raw customers’ data: hence, advanced data access control can limit the exposure,” Dabah said.
In terms of practical recommendations, Dabah says that organizations should look to mask personal information where possible, implement database access rate limits, and use anomaly detection technology to monitor user access for signs of malicious behavior.
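The three recommendations above (masking, access rate limits, anomaly detection on user access) can be combined in one thin layer in front of a customer-records store. The following Python sketch is an added example written for this article; it is not Piiano's product or Twilio's code, and the roles, limits, thresholds and customer records in it are constructed for illustration. Each role sees only the fields it needs in the clear, every read is counted against a sliding-window limit, and the audit trail is scanned for users whose read volume is far above their peers.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional

# Constructed sample records (fake data for the example only).
CUSTOMERS: Dict[int, Dict[str, str]] = {
    1: {"name": "Ada Example", "email": "ada@example.com", "phone": "+15550100001", "plan": "pro"},
    2: {"name": "Bob Sample", "email": "bob@example.org", "phone": "+15550100002", "plan": "free"},
    3: {"name": "Cy Placeholder", "email": "cy@example.net", "phone": "+15550100003", "plan": "team"},
}

# Least privilege: the fields each role needs day to day. Anything else is masked.
# (Hypothetical roles chosen for the example.)
ROLE_FIELDS = {
    "support": {"name", "plan"},
    "billing": {"name", "email", "plan"},
}


def mask(value: str) -> str:
    """Mask a value but keep enough shape to recognise it (a***@example.com, +1********01)."""
    if "@" in value:
        local, _, domain = value.partition("@")
        return local[:1] + "***@" + domain
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


@dataclass
class AccessEvent:
    t: float          # time of the read, seconds
    user: str
    customer_id: int


class AccessGate:
    """Masks fields by role, rate-limits reads per user, and keeps an audit trail."""

    def __init__(self, limit: int, window: float, anomaly_factor: float = 3.0):
        self.limit = limit                  # max record reads per user inside the window
        self.window = window                # window length in seconds
        self.anomaly_factor = anomaly_factor
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)
        self.audit: List[AccessEvent] = []
        self.alerts: List[str] = []

    def read(self, user: str, role: str, customer_id: int, now: float) -> Optional[Dict[str, str]]:
        """Return the record with non-permitted fields masked, or None if denied."""
        fields = ROLE_FIELDS.get(role)
        if fields is None:
            self.alerts.append(f"{user}: unknown role {role!r}")
            return None
        q = self.recent[user]
        while q and now - q[0] > self.window:   # drop reads outside the sliding window
            q.popleft()
        if len(q) >= self.limit:                # database access rate limit
            self.alerts.append(f"{user}: rate limit hit ({self.limit} reads/{self.window}s)")
            return None
        q.append(now)
        self.audit.append(AccessEvent(now, user, customer_id))
        record = CUSTOMERS[customer_id]
        return {k: (v if k in fields else mask(v)) for k, v in record.items()}

    def anomalous_users(self) -> List[str]:
        """Simple anomaly check: users reading far more records than the median user."""
        counts: Dict[str, int] = defaultdict(int)
        for e in self.audit:
            counts[e.user] += 1
        if len(counts) < 2:
            return []
        ordered = sorted(counts.values())
        median = ordered[len(ordered) // 2]
        threshold = self.anomaly_factor * max(median, 1)
        return sorted(u for u, c in counts.items() if c > threshold)


def simulate() -> Dict[str, List[str]]:
    """Replay a constructed scenario: normal support users plus one account pulling bulk data."""
    gate = AccessGate(limit=50, window=60.0)
    for t in range(2):
        gate.read("u1", "support", 1 + t % 3, float(t))
        gate.read("u2", "billing", 1 + t % 3, float(t))
    for t in range(20):                      # a stolen-credential session reading everything
        gate.read("mallory", "support", 1 + t % 3, float(t))
    return {"alerts": gate.alerts, "anomalous": gate.anomalous_users()}


if __name__ == "__main__":
    print(simulate())
```

The window and limit belong in policy, not code, and the anomaly rule here is deliberately crude; in practice the audit events would feed the anomaly detection tooling Dabah refers to. The point the example makes is that a harvested password for a support account still yields only masked contact data, a bounded number of reads, and a visible spike in the audit trail.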
Focusing on data access controls is not only highly effective for reducing the amount of information that’s available to attackers in a breach scenario, but it also takes some pressure off employees.