How One Large Tech Company Thwarted a Highly Sophisticated Phishing Attack

Phishing attacks are becoming all too common and increasingly sophisticated, leveraging text messages to trick employees into clicking links. However, the use of multi-factor security keys, robust security practices and a strong culture of security can help thwart them, as evidenced by a recent attack against Cloudflare.

The web performance and security provider, in a recent blog, says it was the target of a sophisticated phishing attack in which over 100 employees got text messages on their work and personal phones, with some messages also being sent to employees’ family members.

It’s unclear how the attackers assembled the list of employee phone numbers, but the company says it stopped the attack thanks to its use of Cloudflare One products and the physical security keys employees are required to use to access applications.

In a blog post, the company says the attack appears similar to one that led to the compromise of some Twilio employee accounts. The attack included messages to employee phones that purported to be from its IT department asking employees to log in at a fake URL, using words like Twilio, Okta and SSO to try to trick users into clicking the link.

Calling the attack highly sophisticated, Cloudflare says it would result in a security breach at most organizations.

As in the Twilio attack, Cloudflare employees began receiving legitimate-looking texts pointing to what looked like a Cloudflare Okta login page. Over the course of a minute, at least 76 employees got similar messages on their work and personal phones.

They came from four phone numbers associated with T-Mobile-issued SIM cards: (754) 268-9387, (205) 946-7573, (754) 364-6683 and (561) 524-5989. They pointed to an official-looking domain: cloudflare-okta.com. That domain had been registered via Porkbun, a domain registrar, at 2022-07-20 22:13:04 UTC — less than 40 minutes before the phishing campaign began.

Since Cloudflare uses Okta as its identity provider, the phishing page seemed legitimate, as it was designed to look identical to a real Okta login page.

When credentials were entered on the phishing page, they were relayed to the attackers via Telegram. Simultaneously, the phishing page would prompt for a Time-based One-Time Password (TOTP) code.

Presumably, the attacker would receive the credentials in real time and enter them on the victim company’s actual login page. For many organizations, that would generate a code sent to the employee via SMS or displayed on a password generator. The employee would then enter the TOTP code on the phishing site, and it too would be relayed to the attacker. The attacker could then, before the TOTP code expired, use it to access the company’s actual login page, defeating most two-factor authentication implementations.

The company says three employees fell for the phishing message and entered credentials, but since the company uses FIDO2-compliant security keys rather than TOTP codes, the attackers could not get past the hardware key requirement.
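The two preceding paragraphs describe why a relayed TOTP code works but a FIDO2 security key does not: a TOTP code is only a function of the shared secret and the clock, so the server cannot tell which page the user typed it into, whereas a WebAuthn assertion is signed over the RP ID and the origin the browser itself records. The following Python simulation is an added illustration, not Cloudflare’s or Okta’s code. The legitimate tenant `login.example.com` is a placeholder (the real one is not named in the article), `cloudflare-okta.com` is the phishing domain the article reports, and HMAC-SHA256 stands in for the ECDSA signature a real key produces.

```python
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlparse


# ---- TOTP (RFC 6238): a code depends only on (secret, time). ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp_login_accepts(secret: bytes, code: str, now: int, skew_steps: int = 1) -> bool:
    """Server-side TOTP check. Nothing in the code records where the user typed it,
    so a code relayed from a look-alike page inside the window is indistinguishable."""
    return any(hmac.compare_digest(totp(secret, now + d * 30), code)
               for d in range(-skew_steps, skew_steps + 1))


# ---- FIDO2/WebAuthn-style assertion: bound to an RP ID and an origin. ----
def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def rp_id_hash(rp_id: str) -> bytes:
    return _sha256(rp_id.encode())


class SecurityKey:
    """Toy authenticator. Each credential is scoped to one RP ID, and the signature covers
    authenticatorData (which embeds SHA-256(rpId)) plus SHA-256(clientDataJSON)."""

    def __init__(self) -> None:
        self._creds = {}  # credential id -> (rp_id, key)

    def make_credential(self, rp_id: str):
        cred_id, key = os.urandom(16), os.urandom(32)
        self._creds[cred_id] = (rp_id, key)
        return cred_id, key  # 'key' plays the role of the public key handed to the RP

    def get_assertion(self, rp_id: str, cred_id: bytes, client_data_hash: bytes):
        stored_rp, key = self._creds.get(cred_id, (None, None))
        if stored_rp != rp_id:
            return None  # credential does not belong to this RP ID
        # rpIdHash | flags (user present) | signature counter
        auth_data = rp_id_hash(rp_id) + b"\x01" + struct.pack(">I", 1)
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get(page_origin: str, rp_id: str, challenge: bytes, cred_id: bytes, key: SecurityKey):
    """What the browser does for navigator.credentials.get(): it refuses RP IDs the page is
    not allowed to claim, and it, not the page, writes the origin into clientDataJSON."""
    host = urlparse(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"SecurityError: {page_origin} may not use RP ID {rp_id}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    result = key.get_assertion(rp_id, cred_id, _sha256(client_data))
    if result is None:
        raise ValueError(f"NotAllowedError: no credential for RP ID {rp_id}")
    auth_data, sig = result
    return client_data, auth_data, sig


def rp_verify(rp_id, allowed_origins, issued_challenge, pub_key, client_data, auth_data, sig) -> str:
    """Relying-party checks from the WebAuthn spec, reduced to the ones that matter here."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != issued_challenge.hex():
        return "challenge mismatch"
    if cd.get("origin") not in allowed_origins:
        return f"origin {cd.get('origin')} not allowed"
    if auth_data[:32] != rp_id_hash(rp_id):
        return "rpIdHash mismatch"
    expected = hmac.new(pub_key, auth_data + _sha256(client_data), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "bad signature"
    return "ok"


def demo() -> dict:
    legit_rp_id = "login.example.com"            # placeholder tenant (assumption)
    legit_origin = "https://login.example.com"
    phish_origin = "https://cloudflare-okta.com"  # phishing domain named in the article
    results = {}
    # TOTP: a code entered on the wrong page and forwarded 12 s later is still valid.
    seed, t = os.urandom(20), 1658355184          # constructed secret and timestamp
    results["totp_relayed"] = totp_login_accepts(seed, totp(seed, t), t + 12)
    # WebAuthn: enroll a key with the legitimate RP, then show each phishing path failing.
    key = SecurityKey()
    cred_id, pub = key.make_credential(legit_rp_id)
    challenge = os.urandom(32)
    cd, ad, sig = browser_get(legit_origin, legit_rp_id, challenge, cred_id, key)
    results["legit_login"] = rp_verify(legit_rp_id, {legit_origin}, challenge, pub, cd, ad, sig)
    for label, rp in (("phish_requests_real_rpid", legit_rp_id),
                      ("phish_requests_own_rpid", "cloudflare-okta.com")):
        try:
            browser_get(phish_origin, rp, challenge, cred_id, key)
            results[label] = "assertion produced"
        except ValueError as err:
            results[label] = str(err)
    # Even clientDataJSON carrying the phishing origin fails the RP's origin check.
    forged = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                         "origin": phish_origin}).encode()
    results["relayed_assertion"] = rp_verify(legit_rp_id, {legit_origin}, challenge, pub, forged, ad, sig)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running `demo()` shows the contrast in one place: the relayed TOTP code is accepted, the legitimate WebAuthn login succeeds, the phishing page is refused by the browser when it asks for the real RP ID, gets no credential when it asks for its own, and any client data naming the phishing origin is rejected by the relying party before the signature is even checked.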

The phishing page was not only after credentials and TOTP codes; it would also initiate the download of a payload that included AnyDesk remote access software. That would have allowed an attacker to control a victim’s machine remotely, but the attackers never got to that step in the Cloudflare case, the company says, adding that its endpoint security software would have stopped the installation anyway.

Cloudflare says it took five main actions: blocking the phishing domain using Cloudflare Gateway, resetting compromised credentials, shutting down the attacker’s infrastructure, updating detections to identify further attacks and auditing service access logs.

The company says the attack reinforced the importance of using security keys to prevent phishing attacks, using security tools (Cloudflare’s own technology) and having a “paranoid but blame-free culture.”
