Phishers who breached Twilio and fooled Cloudflare could easily get you, too

PHISHERS OF MEN —

Unusually resourced threat actor has targeted multiple companies in recent days.


At least two security-sensitive companies—Twilio and Cloudflare—were targeted in a phishing attack by an advanced threat actor who had possession of home phone numbers of not just employees but employees’ family members as well.

In the case of Twilio, a San Francisco-based provider of two-factor authentication and communication services, the unknown hackers succeeded in phishing the credentials of an undisclosed number of employees and, from there, gained unauthorized access to the company’s internal systems, the company said. The threat actor then used that access to reach data in an undisclosed number of customer accounts.

Two days after Twilio’s disclosure, content delivery network Cloudflare, also headquartered in San Francisco, revealed it had also been targeted in a similar manner. Cloudflare said that three of its employees fell for the phishing scam, but that the company’s use of hardware-based MFA keys prevented the would-be intruders from accessing its internal network.

Well-organized, sophisticated, methodical

In both cases, the attackers somehow obtained the home and work phone numbers of employees and, in some cases, their family members. The attackers then sent text messages disguised to look like official company communications. The messages made false claims, such as that an employee’s schedule had changed or that the password used to log in to their work account had changed, and pointed the recipient to a fake login site. Once an employee entered credentials into the fake site, it initiated the download of a phishing payload that, when clicked, installed remote desktop software from AnyDesk.

[Screenshots of the phishing text messages; image credits: Cloudflare and Twilio]

The threat actor carried out its attack with almost surgical precision. In the attack on Cloudflare, at least 76 employees received a message within the first minute. The messages came from a variety of phone numbers belonging to T-Mobile. The domain used in the attack had been registered only 40 minutes earlier, too recently for the domain-monitoring protection Cloudflare uses to ferret out impostor sites to have flagged it.
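The three indicators in the paragraph above (a look-alike domain, a registration age measured in minutes, and a burst of messages to many employees at once) are exactly what an employee-report triage pipeline can score. The following is an added example, not code from Ars Technica, Cloudflare or Twilio: it takes constructed employee reports of suspicious SMS links, groups them by domain, and flags a campaign when the domain imitates a company domain, was registered less than a day before the first report, and arrives as a burst. The company domain, the fake registration table standing in for a WHOIS/RDAP lookup, and every report line are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed: the organisation's own domain(s). Any other domain is "external".
COMPANY_DOMAINS = {"example-corp.invalid"}

# Constructed stand-in for a WHOIS/RDAP registration lookup (no network access).
REGISTERED_AT = {
    "example-corp-sso.invalid": datetime(2022, 7, 20, 21, 10, tzinfo=timezone.utc),
    "docs.python.org": datetime(1995, 3, 27, tzinfo=timezone.utc),
}

# Constructed employee reports: (report time, SMS sender, URL in the message).
# Twelve people report the same link within about 50 seconds from different
# sender numbers (the burst pattern), plus one benign report for contrast.
BLAST_START = datetime(2022, 7, 20, 21, 50, tzinfo=timezone.utc)
REPORTS = [
    (BLAST_START + timedelta(seconds=4 * i), f"+1555010{i:04d}",
     f"https://example-corp-sso.invalid/login?u={i}")
    for i in range(12)
] + [(BLAST_START + timedelta(minutes=30), "+15550199999", "https://docs.python.org/3/")]


def domain_of(url: str) -> str:
    """Host part of the reported URL, lower-cased; empty string if unparseable."""
    return (urlparse(url).hostname or "").lower()


def is_lookalike(domain: str) -> bool:
    """True when a non-company domain's first label contains a company label."""
    if domain in COMPANY_DOMAINS:
        return False
    label = domain.split(".")[0]
    return any(d.split(".")[0] in label for d in COMPANY_DOMAINS)


def age_hours(domain: str, at: datetime):
    """Hours between registration and `at`, or None when registration is unknown."""
    reg = REGISTERED_AT.get(domain)
    return None if reg is None else (at - reg).total_seconds() / 3600


def assess_reports(reports) -> dict:
    """Group reports by domain and score each with the three indicators."""
    by_domain = defaultdict(list)
    for ts, sender, url in reports:
        by_domain[domain_of(url)].append((ts, sender))

    out = {}
    for domain, hits in by_domain.items():
        times = sorted(t for t, _ in hits)
        # Largest number of reports that fall inside any 60-second window.
        burst, j = 0, 0
        for i, t in enumerate(times):
            while t - times[j] > timedelta(seconds=60):
                j += 1
            burst = max(burst, i - j + 1)

        age = age_hours(domain, times[0])  # age at the time of the first report
        lookalike = is_lookalike(domain)
        score = (2 if lookalike else 0) \
            + (2 if age is not None and age < 24 else 0) \
            + (1 if burst >= 10 else 0)
        out[domain] = {
            "reports": len(hits),
            "distinct_senders": len({s for _, s in hits}),
            "burst_per_minute": burst,
            "age_hours": age,
            "lookalike": lookalike,
            "verdict": "likely phishing campaign" if score >= 3 else "low",
        }
    return out


if __name__ == "__main__":
    for domain, summary in assess_reports(REPORTS).items():
        print(domain, summary)
```

The thresholds (24 hours, ten reports per minute, a score of 3) are illustrative; the point is that none of the three signals depends on the attacker's domain already being on a blocklist, which is what a 40-minute-old registration defeats.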

“Based on these factors, we have reason to believe the threat actors are well-organized, sophisticated, and methodical in their actions,” Twilio wrote. “We have not yet identified the specific threat actors at work here, but have liaised with law enforcement in our efforts. Socially engineered attacks are—by their very nature—complex, advanced, and built to challenge even the most advanced defenses.”

Matthew Prince, Daniel Stinson-Diess, Sourov Zaman—Cloudflare’s CEO, senior security engineer and incident response leader respectively—had a similar take.

“This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached,” they wrote. “Given that the attacker is targeting multiple organizations, we wanted to share here a rundown of exactly what we saw in order to help other companies recognize and mitigate this attack.”

Twilio and Cloudflare said they don’t know how the phishers obtained employee numbers.

It’s impressive that, despite three of its employees falling for the scam, Cloudflare kept its systems from being breached. The company’s use of hardware-based security keys that comply with the FIDO2 standard for MFA was a critical reason. Had the company relied on one-time passwords sent by text message, or even ones generated by an authenticator app, it likely would have been a different story.

The Cloudflare officials explained:

When the phishing page was completed by a victim, the credentials were immediately relayed to the attacker via the messaging service Telegram. This real-time relay was important because the phishing page would also prompt for a Time-based One Time Password (TOTP) code.

Presumably, the attacker would receive the credentials in real-time, enter them in a victim company’s actual login page, and, for many organizations that would generate a code sent to the employee via SMS or displayed on a password generator. The employee would then enter the TOTP code on the phishing site, and it too would be relayed to the attacker. The attacker could then, before the TOTP code expired, use it to access the company’s actual login page — defeating most two-factor authentication implementations.


We confirmed that three Cloudflare employees fell for the phishing message and entered their credentials. However, Cloudflare does not use TOTP codes. Instead, every employee at the company is issued a FIDO2-compliant security key from a vendor like YubiKey. Since the hard keys are tied to users and implement origin binding, even a sophisticated, real-time phishing operation like this cannot gather the information necessary to log in to any of our systems. While the attacker attempted to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement.

Cloudflare went on to say it wasn’t disciplining the employees who fell for the scam and explained why.

“Having a paranoid but blame-free culture is critical for security,” the officials wrote. “The three employees who fell for the phishing scam were not reprimanded. We’re all human and we make mistakes. It’s critically important that when we do, we report them and don’t cover them up.”
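The two quoted Cloudflare paragraphs above describe why a relayed TOTP code works for the attacker while a FIDO2 assertion does not. The following is an added example, not code from Cloudflare or from this article, that models both verifications on the relying-party side. The TOTP half is standard RFC 6238. The FIDO2 half is deliberately simplified: a per-credential HMAC key stands in for the authenticator's private key so that it runs with the standard library alone, but the property that matters is kept, namely that the signed client data carries the origin the browser observed, which the page being visited cannot alter. Both origins are constructed `.invalid` names.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-ins for the real login origin and the look-alike phishing origin.
REAL_ORIGIN = "https://sso.example-corp.invalid"
PHISH_ORIGIN = "https://sso.example-corp-login.invalid"


# ---- TOTP (RFC 6238): the code depends only on the shared secret and the time window ----
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    counter = (at // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_login_accepts(secret: bytes, code_from_user: str, at: int, step: int = 30) -> bool:
    """Server-side check, allowing the current and previous window. Nothing here
    can tell whether the user typed the code on the real site or on a phishing page."""
    return any(hmac.compare_digest(totp(secret, at - k * step, step), code_from_user)
               for k in (0, 1))


# ---- FIDO2/WebAuthn (simplified): the browser stamps the origin into the signed data ----
def authenticator_sign(cred_key: bytes, rp_challenge: bytes, browser_origin: str) -> dict:
    """Assumption: HMAC with a per-credential key stands in for the real public-key signature."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": rp_challenge.hex(), "origin": browser_origin},
        sort_keys=True,
    ).encode()
    signature = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientData": client_data, "signature": signature}


def rp_verify_assertion(cred_key: bytes, issued_challenge: bytes, assertion: dict) -> bool:
    """Relying-party checks: origin binding, challenge binding, then the signature."""
    data = json.loads(assertion["clientData"])
    if data.get("type") != "webauthn.get":
        return False
    if data.get("origin") != REAL_ORIGIN:               # origin binding
        return False
    if data.get("challenge") != issued_challenge.hex():  # challenge is fresh and ours
        return False
    expected = hmac.new(cred_key, hashlib.sha256(assertion["clientData"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def simulate_relay(now: int) -> dict:
    """Model the scenario in the article: victim on the phishing origin, attacker
    forwarding whatever the victim produces to the real origin in real time."""
    totp_secret = secrets.token_bytes(20)
    cred_key = secrets.token_bytes(32)

    # TOTP: the victim types the current code into the phishing page and the attacker
    # submits it to the real login a few seconds later, inside the same window.
    relayed_code = totp(totp_secret, now)
    totp_relay = totp_login_accepts(totp_secret, relayed_code, now + 5)

    # FIDO2: the real site issues a challenge, the attacker relays it to the phishing
    # page, and the victim's key signs it; the browser records the origin it is on.
    challenge = secrets.token_bytes(32)
    from_victim = authenticator_sign(cred_key, challenge, PHISH_ORIGIN)
    fido_relay = rp_verify_assertion(cred_key, challenge, from_victim)

    # Rewriting the origin field after signing breaks the signature.
    forged = dict(from_victim, clientData=from_victim["clientData"].replace(
        PHISH_ORIGIN.encode(), REAL_ORIGIN.encode()))
    fido_forged = rp_verify_assertion(cred_key, challenge, forged)

    # Control: the same key and challenge used legitimately on the real origin.
    legit = rp_verify_assertion(cred_key, challenge,
                                authenticator_sign(cred_key, challenge, REAL_ORIGIN))
    return {"totp_relay_accepted": totp_relay, "fido2_relay_accepted": fido_relay,
            "fido2_forged_origin_accepted": fido_forged, "fido2_legit_accepted": legit}


if __name__ == "__main__":
    print(simulate_relay(int(time.time())))
```

The relying party never has to recognise the phishing domain: it only compares the origin inside the signed client data with its own, which is why a domain registered 40 minutes earlier makes no difference to the outcome.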

Nothing announces official launch date for new Ear (stick) AirPods alternatives
[Image: Nothing Ear (stick) held by a model on a white background. Credit: Nothing]

True to form, Nothing has just announced the full reveal date for its upcoming audio product, Ear (stick). 

So, an announcement about an announcement. You’ve got to hand it to Carl Pei’s marketing department; they never miss a trick.

What we’re saying is that although we still have ‘nothing’ conclusive about the features, pricing or release date for the Ear (stick) except an image of another model holding them (and we’ve seen plenty of those traipsing down the catwalk recently), we do have a date – the day when we’ll be granted official access to this information. 

That day is October 26. Nothing assures us that on this day we’ll be able to find out everything, including pricing and product specifications, during the online Ear (stick) Reveal, at 3PM BST (which is 10AM ET, or 1AM on Wednesday if you’re in Sydney, Australia) on nothing.tech.

Any further information? A little. Nothing calls the Ear (stick), which is now the product’s official name, “the next generation of Nothing sound technology”, and its “most advanced audio product yet”. 

But that’s not all! Apparently, Ear (stick) are “half in-ear true wireless earbuds that balance supreme comfort with exceptional sound, made not to be felt when in use. They’re feather-light with an ergonomic design that’s moulded to your ears. Delivered in a unique charging case, inspired by classic cosmetic silhouettes, and compactly formed to simply glide into pockets.” 

Opinion: I need more than a lipstick-style case

[Embedded tweet, October 1, 2022: “Nothing Ear (stick) – official leaked renders” pic.twitter.com/FrhKmRttmi]

It’s no secret that I want Nothing’s earbuds to succeed in a world dominated by AirPods; who doesn’t love a plucky, eccentric underdog? 

But in order to become some of the best true wireless earbuds on the market, there is room for improvement over the Nothing Ear 1, the company’s inaugural earbuds. 

Aside from this official ‘news’ from Nothing, leaked images and videos of the Ear (stick) have been springing up all over the internet (thank you, developer Kuba Wojciechowski) and they depict earbuds that look largely unchanged, which is a shame. 

For me, the focus needs to shift from gimmicks such as a cylindrical case with a red section at the end which twists up like a lipstick. Don’t get me wrong, I love a bit of theater, but only if the sound coming from the earbuds themselves is top dog. 

As the natural companions for the Nothing Phone 1, it makes sense for the Ear (stick) to occupy a position similar to that of Apple’s AirPods 3, with the flagship Ear (1) sitting alongside the AirPods Pro 2 as the flagship offering. 

See, that lipstick case shape likely will not support wireless charging. That and the rumored lack of ANC mean the Ear (stick) is probably arriving as the more affordable option in Nothing’s oeuvre. 

For now, we sit tight until October 26. 

Becky is a senior staff writer at TechRadar (which she has been assured refers to expertise rather than age) focusing on all things audio. Before joining the team, she spent three years at What Hi-Fi? testing and reviewing everything from wallet-friendly wireless earbuds to huge high-end sound systems. Prior to gaining her MA in Journalism in 2018, Becky freelanced as an arts critic alongside a 22-year career as a professional dancer and aerialist – any love of dance starts with a love of music. Becky has previously contributed to Stuff, FourFourTwo and The Stage. When not writing, she can still be found throwing shapes in a dance studio, these days with varying degrees of success.  

YouTube could make 4K videos exclusive to Premium subscribers
[Image: Woman watching YouTube on a mobile phone screen. Credit: Shutterstock / Kicking Studio]

You might soon have to buy YouTube Premium to watch 4K YouTube videos, a new user test suggests.

According to a Reddit thread highlighted on Twitter by leaker Alvin, several non-Premium YouTube users have reported seeing 4K resolution (and higher) video options limited to YouTube Premium subscribers on their iOS devices. For these individuals, videos are currently only available to stream in up to 1440p (QHD) resolution.

The apparent experiment only seems to be affecting a handful of YouTube users for now, but it suggests owner Google is toying with the idea of implementing a site-wide paywall for access to high-quality video in the future.

[Embedded tweet from Alvin, October 1, 2022: “So, after testing up to 12 ads on YouTube for non-Premium users, now some users reported that they also have to get a Premium account just to watch videos in 4K.” pic.twitter.com/jJodoAxeDp]

It’s no secret that Google has been searching for new ways to monetize its YouTube platform in recent months. In September, the company introduced five unskippable ads for some YouTube users as part of a separate test – an unexpected development that, naturally, didn’t go down well with much of the YouTube community. 

A resolution paywall seems a more palatable approach from Google. While annoying, the change isn’t likely to provoke the same level of ire from non-paying YouTube users as excessive ads, given that many smartphones still max out at QHD resolution anyway. 

Of course, if it encourages those who do care about high-resolution viewing to invest in the platform’s Premium subscription package, it may also be more lucrative for Google. After all, YouTube Premium, which offers ad-free viewing, background playback and the ability to download videos for offline use, currently costs $11.99 / £11.99 / AU$14.99 per month.

Suffice to say, the subscription service hasn’t taken off in quite the way Google would’ve hoped since its launch in 2014. Only around 50 million users are currently signed up to YouTube Premium, while something close to 2 billion people actively use YouTube on a monthly basis. 

Might the addition of 4K video into Premium’s perk package bump up that number? Only time will tell. We’ll be keeping an eye on our own YouTube account to see whether this resolution paywall becomes permanent in the coming months.

Axel is a London-based staff writer at TechRadar, reporting on everything from the newest movies to latest Apple developments as part of the site’s daily news output. Having previously written for publications including Esquire and FourFourTwo, Axel is well-versed in the applications of technology beyond the desktop, and his coverage extends from general reporting and analysis to in-depth interviews and opinion. 

Axel studied for a degree in English Literature at the University of Warwick before joining TechRadar in 2020, where he then earned a gold standard NCTJ qualification as part of the company’s inaugural digital training scheme. 

Europe sets deadline for USB-C charging for (almost) all laptops

[Image: USB-C as the charging standard in the EU. Credit: Mundissima / Shutterstock]


Author: Michael Crider, Staff Writer

Michael is a former graphic designer who’s been building and tweaking desktop computers for longer than he cares to admit. His interests include folk music, football, science fiction, and salsa verde, in no particular order.

Copyright © 2022 Xanatan