Catches of the Month: Phishing Scams for September 2022

Welcome to our September 2022 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over their personal data.

This month, we look at an ongoing phishing campaign targeting online service providers, and delve into a sophisticated scam that has caught out Facebook Business/Ads users.

Twilio breach demonstrates the threat of SMS scams

Most phishing scams that we discuss in this feature are conducted via email, and for good reason: email is by far the most common attack vector. However, it’s not the only way that scammers can target people.

According to Proofpoint’s 2022 State of the Phish report, employees at 74% of organisations were sent fraudulent text messages (known as ‘smishing’), and the same percentage were targeted on social media.

It’s easy to overlook these threats, but you wouldn’t expect such negligence from Twilio, a tech giant that specialises in text message notification services.

The San Francisco-based organisation fell victim to a scam last month, after criminal hackers masqueraded as the IT service management firm Okta (which, coincidentally, got caught out by a scam just like this in March).

Dozens of Twilio employees were sent text messages telling them that they were required to log back into their accounts because their previous session had expired. 

The SMS contained a link to a login page that faithfully recreated Okta’s legitimate site. At least one employee fell for the scam, handing over their credentials.

Twilio provided an example of one of the fraudulent text messages.

The security breach was discovered four days later, on 8 August, by which time the fraudsters had been able to exfiltrate vast amounts of sensitive information. 

According to Twilio’s statement, the scammers had access to customers’ physical and IP addresses, payment card details, proof of identity and email addresses. 

The organisation added that it was working with US mobile phone providers “to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down”. 

It added that “the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers.” 

The consequences of the Okta attack

Twilio wasn’t the only organisation caught out by this scam. A Bleeping Computer report found that the perpetrators compromised over 130 organisations in the phishing campaign.

The hackers used off-the-shelf software in a widespread campaign that has been dubbed ‘0ktapus’. The operation has been ongoing since at least March 2022 and has ensnared several high-profile targets.

In addition to Twilio, the criminals also compromised Mailchimp and Klaviyo, and their attacks led to supply-chain breaches at customers that used those services, such as Signal and DigitalOcean.

The attackers also targeted the Internet service giant Cloudflare, but the organisation was able to suppress the attack due to robust security measures.

Writing on Cloudflare’s blog, CEO Matthew Prince and engineers Daniel Stinson-Diess and Sourov Zaman said that at least 76 employees were targeted and three were duped into clicking the bogus link.

Cloudflare employees received a similar message.

The organisation blocked the domain from which the message originated using Cloudflare Gateway, before identifying all affected employees and resetting compromised credentials.
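Cloudflare’s response hinged on recognising the lure domain quickly and blocking it. As an added example, not code from the original post or from Cloudflare, Twilio or Okta, the Python script below shows the kind of triage check a security team can run over messages that staff report: it extracts URLs, works out each host’s registrable domain, and flags any host that borrows a trusted brand name (here Okta) while sitting under a domain that brand does not own. The allowlist and the three sample messages are constructed for this example; no real domains from the campaign are used.

```python
import re
from urllib.parse import urlparse

# Brands your staff sign in through, mapped to the registrable domains they really own.
# Assumption for this example: only Okta is in scope. Confirm entries against your own IdP.
LEGITIMATE_DOMAINS = {
    "okta": {"okta.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages of the kind staff might forward for triage.
SAMPLE_MESSAGES = [
    "ALERT: your schedule has changed. Log in at https://acme-okta.example.net/ to review",
    "Your session has expired, please sign back in: https://okta.com.sso-reset.example/login",
    "Reminder: the all-hands starts at 10:00, agenda at https://login.okta.com/app/notes",
]


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels of the host name.

    Adequate for the .com-style hosts used here; a production check should
    consult the Public Suffix List so that e.g. co.uk is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_hosts(message: str) -> list[tuple[str, str]]:
    """Return (brand, host) pairs for every URL in the message whose host name
    mentions a brand but is not registered under a domain that brand owns.

    Hyphens and underscores are stripped before matching so that
    'acme-okta.example.net' is caught as well as 'acmeokta.example.net'.
    A brand's own subdomains (login.okta.com) are not flagged.
    """
    hits = []
    for url in URL_RE.findall(message):
        host = urlparse(url).hostname or ""
        base = registrable_domain(host)
        squashed = host.replace("-", "").replace("_", "")
        for brand, owned in LEGITIMATE_DOMAINS.items():
            if brand in squashed and base not in owned:
                hits.append((brand, host))
    return hits


def triage(messages: list[str]) -> dict[str, list[tuple[str, str]]]:
    """Map each message to its lookalike findings; empty list means nothing to block."""
    return {msg: lookalike_hosts(msg) for msg in messages}


if __name__ == "__main__":
    for msg, findings in triage(SAMPLE_MESSAGES).items():
        verdict = "BLOCK " + ", ".join(h for _, h in findings) if findings else "ok"
        print(f"{verdict:45} | {msg}")
```

The flagged hosts are what you would feed to a DNS or secure-web-gateway block list; the unflagged message shows why the check keys on the registrable domain rather than on the brand string alone, so the brand’s genuine subdomains pass.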

“This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would likely be breached,” Cloudflare wrote.

Facebook Business/Ads users warned of sophisticated scam

Reports emerged last month that Facebook Business/Ads users are being targeted in a malware campaign.

Security researchers at WithSecure discovered a series of phishing attacks that were stealing browser cookies to take advantage of authenticated Facebook sessions. The criminal hackers then stole information from users’ accounts and hijacked any Facebook Business account that the victim had access to.

The scam, which has been dubbed Ducktail, targets people in managerial, digital marketing, digital media and human resources roles.

The attack begins with the fraudsters identifying potential Facebook Business/Ads users on LinkedIn, and sending them a message inviting them to open an attachment.

The attachment contains malware that extracts the stored Facebook session cookies from each browser it finds on the machine.

It then “directly interacts with various Facebook endpoints from the victim’s machine using the Facebook session cookie (and other security credentials that it obtains through the initial session cookie) to extract information from the victim’s Facebook account.”

The criminals can then give themselves Admin and Finance editor access, enabling them to edit settings, people, accounts and tools. They can also edit credit card information and financial details such as transactions, invoices, account spend and payment methods.

Social media is, more than ever, proving to be a goldmine for cyber criminals. As one of the most popular social networks, Facebook is inevitably a frequent target.

It doesn’t help that the site collects vast amounts of sensitive data and is used for both personal and business purposes. As such, there are countless scams that cyber criminals can pull off.

Cyber security researchers are also increasingly seeing criminal hackers leverage information from multiple social media sites to conduct sophisticated scams.

Can you spot a scam?

All organisations are vulnerable to phishing, no matter their size or sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.

You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme.

This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.