Phishing can take many forms and while email phishing is by far the most common way that threat actors phish for sensitive information and distribute malware, other forms of phishing are increasingly being used in attacks on businesses. Cybercriminals are taking advantage of the relatively poor defenses against SMS phishing – smishing. These attacks may be relatively low-tech, but they can be extremely successful.

Smishing involves making contact with targeted individuals via SMS messages. These attacks trick the recipient into clicking a link that directs them to a malicious website. That website may host a phishing kit that collects sensitive data such as login credentials. The website to which the user is directed spoofs a trusted company or may appear to be a website used by the targeted individual’s employer.

An alternate approach is to direct a user to a website hosting a malicious file, which provides the attacker with remote access to their device. If that device is a corporate-issued mobile phone, and single sign-on credentials are stolen, access can be gained to the corporate network. These attacks may be relatively simplistic and be sent in large campaigns to whatever phone numbers the attacker has procured, but some attacks are highly sophisticated and can defeat multi-factor authentication.

One of the most notable examples occurred this month and involved an attack on Twilio. Twilio is a provider of programmable communication tools for making and receiving phone calls and sending and receiving text messages, through its web service APIs. The smishing attack targeted Twilio employees and tricked them into disclosing their credentials, which allowed the attackers to access their accounts and also access the information of a limited number of its customers. The SMS messages themselves appeared to have been sent by the Twilio IT department and suggested the employees’ passwords had expired.

A link was included that employees could click to change their passwords, with the landing page created to mimic the one used by Twilio. Those URLs hosted the 0ktapus phishing kit, with the URLs including familiar words, such as Okta, Twilio, and SSO. The single sign-on credentials obtained in the attack allowed the attackers to gain access to multiple internal systems. They were then able to conduct attacks on 25 companies that used Twilio’s phone verification services and other Twilio services.

An investigation by researchers at Group IB revealed the attackers had successfully compromised more than 130 organizations and from those attacks, stole almost 10,000 sets of credentials, including 2-factor authentication credentials. Supply chain attacks were then conducted on downstream customers, including DoorDash, Digital Ocean, Mailchimp, and Klaviyo.

These attacks have been made much easier due to the reliance on mobile devices, especially with many companies having a hybrid workforce with many employees spending at least some of the working week at home. It is essential for security teams to implement security solutions that cover the mobile attack surface and to ensure that smishing and other types of phishing attacks are covered in employee security awareness training.