Connect with us

Tech

Phishers who breached Twilio and fooled Cloudflare could easily get you, too

Published

on

Phishers who breached Twilio and fooled Cloudflare could easily get you, too

PHISHERS OF MEN —

Unusually resourced threat actor has targeted multiple companies in recent days.


Phishers who breached Twilio and fooled Cloudflare could easily get you, too

Getty Images

At least two security-sensitive companies—Twilio and Cloudflare—were targeted in a phishing attack by an advanced threat actor who had possession of home phone numbers of not just employees but employees’ family members as well.

In the case of Twilio, a San Francisco-based provider of two-factor authentication and communication services, the unknown hackers succeeded in phishing the credentials of an undisclosed number of employees and, from there, gained unauthorized access to the company’s internal systems, the company said. The threat actor then used that access to data in an undisclosed number of customer accounts.

Two days after Twilio’s disclosure, content delivery network Cloudflare, also headquartered in San Francisco, revealed it had also been targeted in a similar manner. Cloudflare said that three of its employees fell for the phishing scam, but that the company’s use of hardware-based MFA keys prevented the would-be intruders from accessing its internal network.

Well-organized, sophisticated, methodical

In both cases, the attackers somehow obtained the home and work phone numbers of both employees and, in some cases, their family members. The attackers then sent text messages that were disguised to appear as official company communications. The messages made false claims such as a change in an employee’s schedule, or the password they used to log in to their work account had changed. Once an employee entered credentials into the fake site, it initiated the download of a phishing payload that, when clicked, installed remote desktop software from AnyDesk.

Cloudflare

Twilio

The threat actor carried out its attack with almost surgical precision. When the attacks on Cloudflare, at least 76 employees received a message in the first minute. The messages came from a variety of phone numbers belonging to T-Mobile. The domain used in the attack had been registered only 40 minutes prior, thwarting the domain protection Cloudflare uses to ferret out impostor sites.

“Based on these factors, we have reason to believe the threat actors are well-organized, sophisticated, and methodical in their actions,” Twilio wrote. “We have not yet identified the specific threat actors at work here, but have liaised with law enforcement in our efforts. Socially engineered attacks are—by their very nature—complex, advanced, and built to challenge even the most advanced defenses.”

Matthew Prince, Daniel Stinson-Diess, Sourov Zaman—Cloudflare’s CEO, senior security engineer and incident response leader respectively—had a similar take.

“This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached,” they wrote. “Given that the attacker is targeting multiple organizations, we wanted to share here a rundown of exactly what we saw in order to help other companies recognize and mitigate this attack.”

Twilio and Cloudflare said they don’t know how the phishers obtained employee numbers.

It’s impressive that despite three of its employees falling for the scam, Cloudflare kept its systems from being breached. The company’s use of hardware-based security keys that comply with the FIDO2 standard for MFA was a critical reason. Had the company relied on one-time passwords from sent text messages or even generated by an authentication app, it likely would have been a different story.

The Cloudflare officials explained:

When the phishing page was completed by a victim, the credentials were immediately relayed to the attacker via the messaging service Telegram. This real-time relay was important because the phishing page would also prompt for a Time-based One Time Password (TOTP) code.

Presumably, the attacker would receive the credentials in real-time, enter them in a victim company’s actual login page, and, for many organizations that would generate a code sent to the employee via SMS or displayed on a password generator. The employee would then enter the TOTP code on the phishing site, and it too would be relayed to the attacker. The attacker could then, before the TOTP code expired, use it to access the company’s actual login page — defeating most two-factor authentication implementations.

Cloudflare

We confirmed that three Cloudflare employees fell for the phishing message and entered their credentials. However, Cloudflare does not use TOTP codes. Instead, every employee at the company is issued a FIDO2-compliant security key from a vendor like YubiKey. Since the hard keys are tied to users and implement origin binding, even a sophisticated, real-time phishing operation like this cannot gather the information necessary to log in to any of our systems. While the attacker attempted to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement.

Cloudflare went on to say it wasn’t disciplining the employees who fell for the scam and explained why.

“Having a paranoid but blame-free culture is critical for security,” the officials wrote. “The three employees who fell for the phishing scam were not reprimanded. We’re all human and we make mistakes. It’s critically important that when we do, we report them and don’t cover them up.”

Read More

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Tech

Microsoft Teams is finally fixing this ear-splitting annoyance

Published

on

By

Microsoft Teams is finally fixing this ear-splitting annoyance
Four people in a meeting room video conferencing with four remote participants.



(Image credit: Microsoft)

One of the most irritating (and slightly painful) parts of joining a Microsoft Teams call could soon be fixed by a new update.

The video conferencing service is a popular choice for many companies, meaning calls with large numbers of participants joining at the same time, and from the same location (such as a meeting room) are a common occurrence. 

However, often when multiple people join a meeting in the same room, a feedback loop is created, which causes echo, which in most cases quickly escalates to howling – with Microsoft likening the noise to when a musician holds the mic too close to a loudspeaker.

Teams’ howling

Fortunately, a new fix is coming for Microsoft Teams users. In its entry in the official Microsoft 365 roadmap (opens in new tab), the new “Ultrasound Howling Detection” describes how it aims to prevent this noise for users on Windows and Mac across the world.

Microsoft says that the update should mean if multiple users on laptops join from the same location, it will share with the user that another Teams Device is detected in their vicinity and is already joined with audio to the current meeting. 

If a user has already joined with their audio on, Microsoft Teams will automatically mute the mic and speakers of any new the person who then joins the call, hopefully putting an end to the howling and screeching feedback.

Thankfully, the update is already listed as being in development, with an expected general availability date of March 2023, so users shouldn’t have to wait too long to enjoy.

The news follows a number of recent updates largely aimed around improving the audio quality on Microsoft Teams calls using AI and machine learning.

The new updates are the result of using a machine learning model trained on 30,000 hours of speech samples, and include echo cancellation, better adjusting audio in poor acoustic environments, and allowing users to speak and hear at the same time without interruptions.

Sign up to theTechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK’s leading national newspapers and fellow Future title ITProPortal, and when he’s not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.

Read More

Continue Reading

Tech

Shazam! Fury of the Gods trailer breakdown: 6 thing you might have missed

Published

on

By

Shazam! Fury of the Gods trailer breakdown: 6 thing you might have missed
Shazam points at someone off camera in Shazam! Fury of the Gods



Shazam! Fury of the Gods lands in theaters on March 17.
(Image credit: Warner Bros.)

The final trailer for Shazam! Fury of the Gods has debuted online – and it looks even more charming, funnier, frenetic, and darker than its predecessor.

Shazam’s sequel flick arrives in theaters worldwide on March 17, so it’s about time we were given another look at the forthcoming DC Extended Universe movie (read our DC movies in order guide to find out where it’ll fit in that timeline). Luckily, Warner Bros. has duly obliged. Check it out below:

Okay, there’s some messy CGI and a slightly corny vibe about Shazam 2. But hey, the first problem can be ironed out before the superhero film takes flight, while the latter is part of what makes this movie series spellbinding (see what we did there?).

But we digress – you’re here because you want to find out what you missed from Shazam! Fury of the Gods‘ new trailer. Below, we’ve pointed out six things you might have overlooked. So, what are you waiting for? Shout “Shazam!” and let’s dive in.

1. Who are the Daughters of Atlas?

Kalypso hands Hespera the wizard's staff in Shazam! Fury of the Gods

New movie, new villains. (Image credit: Warner Bros.)

For a film centered around Shazam, we don’t actually see the titular superhero appear in the official trailer for the first 20 seconds.

Instead, we get another glimpse at Fury of the Gods‘ villains, aka the Daughters of Atlas. The powerful trio comprises the power-hungry Hespera (Helen Millen), dragon-riding Kalypso (Lucy Liu), and Athena (Rachel Zegler), the latter of whom seems particularly torn about how the sisters are going about their business.

So, why are they gunning for Shazam and his superpowered foster siblings? Essentially, when Billy Batson was gifted his abilities by Djimon Hounsou’s wizard in the film film (available now on HBO Max), one of those powers was the Stamina of Atlas. The Daughters of Atlas aren’t too happy about their father’s ability being passed down to a child, so they want to take back what is theirs – and they’ll do it so by any means necessary.

2. Mythological monsters

A dragon prepares to breathe fire at one of Shazam's fellow heroes in Shazam! Fury of the Gods

Shazam isn’t the only person taking flight in Fury of the Gods. (Image credit: Warner Bros.)

Shazam’s first DCEU outing featured some horror-imbued creatures in the form of the Seven Deadly Sins. How, then, do you go about topping (or, at the very least) matching what came before? Throw in a bunch of myth-based monsters, of course.

Kalypso’s imposing dragon is the most notable inclusion. It feature prominently throughout the trailer, and we even get an amusing Game of Thrones reference from Shazam – “Hey, Khaleesi!” – in the movie. Hey, Warner Bros. loves to mention its suite of IPs in as many of its films as possible.

But Kalypso’s wyvern isn’t the only fairy-tale-based beast we see. Minotaurs, griffons, and demonic unicorns are just three of the other monsters who’ll turn up in Fury of the Gods. Basically, don’t expect this to be an easy fight for Shazam and company to save the world.

3. You can’t get the staff these days

Hespera uses the wizard's staff as Kalypso looks on in Shazam! Fury of the Gods

“So I just point it and then what?” (Image credit: Warner Bros.)

Saving earth from a new titanic threat will be even harder when Shazam’s adoptive family are stripped of their powers, too. And it seems that the staff, which was wielded by Hounsou’s wizard in the first movie, is the key to giving and taking those abilities away.

In 2019’s Shazam!, the titular hero gave powers to his foster siblings to help him combat the Seven Deadly Sins and Doctor Sivana. They’ve still got those power in Fury of the Gods, too, but they won’t have them for long, based by what the trailer suggests.

The footage shows Freddy Freeman and Mary Bromfield being drained of their abilities by the Daughters of Atlas at various points. The trio are using the wizard’s staff to rob the teens of their powers, so it’s clearly of major importance to the movie’s main players. 

Later, we see Shazam wielding it – not before he asks the wizard to take his powers back, mind you, when he becomes convinced he can’t defeat the Daughters of Atlas. Anyway, Shazam’s brandishing of the staff suggests he needs it to boost his own abilities if he’s going to defeat the movie’s antagonists and give his siblings their powers back. Expect the staff to play a vital role in Fury of the Gods‘ plot, then.

4. Prison break

Djimon Hounsou's wizard blows som magic dust out of a prison window in Shazam! Fury of the Gods

Time to break out, Mr. Wizard. (Image credit: Warner Bros.)

In order to get the wizard’s staff, it seems the Daughters of Atlas go after Hounsou’s magic wielder to obtain it.

We see Hounsou’s character imprisoned at various points, including a shot of Hespera chastising him for giving the power of the gods to Billy, Freddy, and company. “You ripped it from our father’s core,” she tells him, which implies Hounsou’s wizard might not be as mighty and heroic as we were led to believe.

Anyway, Hounsou’s wizard interacts with Shazam later in the trailer, so he clearly escapes captivity. Whether he does so alone, or he enlists Shazam’s help – does that magic-infused dust, which he sends through his prison cell window, have something to do with it? – is unclear. Regardless, we’ll see Hounsou’s character break out at some stage.

5. Is that you, Doctor Strange?

Shazam flies past some rotating buildings in Shazam! Fury of the Gods

Where have we seen this kind of aesthetic before? (Image credit: Warner Bros.)

Remember when we said Zegler’s Athena doesn’t seem as keen to destroy earth as her sisters? That’s because, at the 1: 14 mark, we see her use her powers with a uncertain look on her face. You wouldn’t look like that if you were convinced you were doing the right thing, would you? 

Based on the fact she’s pushed away by Kalypso (using the staff no less), seconds later, it seems she’ll be swapping sides at some stage.

Interestingly, it seems the wizard’s staff can do more than give or take a person’s powers away. One perceived ability certainly has an air of the Doctor Strange/Marvel-based mystic arts about them. Just look at the Escher-style nature of how the scenery bends and folds in on itself when Athena is pushed back, and when Shazam evades numerous buildings at the 1: 44 mark. We’d be very surprised if DC and Warner Bros. didn’t take a leaf out of the MCU’s book with such an aesthetic.

6. Light the way

Shazam prepares to fight Kalypso and her dragon in Shazam! Fury of the Gods

A yellow bolt out of the blue. (Image credit: Warner Bros.)

Shazam and his fellow superheroes get a costume upgrade in Fury of the Gods. The group’s threads are more streamlined and less plastic-looking this time around, which is pleasing to see.

Fans had been worried, though, that these suits wouldn’t feature one of the first movie’s most underrated (if somewhat tacky) aspects: the glowing lightning bolt on Shazam’s chest. Shazam’s costume in the 2019 movie was manufactured in a way that allowed the bolt to physically light up, avoiding the problem of having to add awkward lighting effects during the post-production phase.

Thankfully, Shazam! Fury of the Gods‘ official trailer confirms that Shazam’s lightning bolt will glow. However, given the sleeker look of the costumes this time around, it appears that the illumination effect has been added in post. Regardless of how it’s been implemented, we’re just glad it’s a feature that’s been retained.

For more DCEU-based coverage, find out where we placed 2019’s Shazam! in our DC movies ranked article. Additionally, read up on the best superhero films of all-time or check out how to watch the Batman movies in order.

Sign up to get breaking news, reviews, opinion, analysis and more, plus the hottest tech deals!

As TechRadar’s entertainment reporter, Tom covers all of the latest movies, TV shows, and streaming service news that you need to know about. You’ll regularly find him writing about the Marvel Cinematic Universe, Star Wars, Netflix, Prime Video, Disney Plus, and many other topics of interest.

An NCTJ-accredited journalist, Tom also writes reviews, analytical articles, opinion pieces, and interview-led features on the biggest franchises, actors, directors and other industry leaders. You may see his quotes pop up in the odd official Marvel Studios video, too, such as this Moon Knight TV spot (opens in new tab).

Away from work, Tom can be found checking out the latest video games, immersing himself in his favorite sporting pastime of football, reading the many unread books on his shelf, staying fit at the gym, and petting every dog he comes across.

Got a scoop, interesting story, or an intriguing angle on the latest news in entertainment? Feel free to drop him a line.

Read More

Continue Reading

Tech

You can lock Chrome incognito tabs on Android now. Bring it to the PC!

Published

on

By

You can lock Chrome incognito tabs on Android now. Bring it to the PC!

Chrome logo on a phone with a lock image over it

Image: Deepanker Verma / Pexels


Author: Alaina Yee
, Senior Editor

Alaina Yee is PCWorld’s resident bargain hunter—when she’s not covering PC building, computer components, mini-PCs, and more, she’s scouring for the best tech deals. Previously her work has appeared in PC Gamer, IGN, Maximum PC, and Official Xbox Magazine. You can find her on Twitter at @morphingball.

Read More

Continue Reading

Trending

Copyright © 2022 Xanatan