
Cloudflare Foils SMS Phishing Attack With Security Keys

Cloudflare is warning the culprits have targeted multiple companies, including Twilio, which reported a breach from the SMS phishing scheme.

By Michael Kan


I've been with PCMag since October 2017, covering a wide range of topics, including consumer electronics, cybersecurity, social media, networking, and gaming. Prior to working at PCMag, I was a foreign correspondent in Beijing for over five years, covering the tech scene in Asia.

Security Key NFC by Yubico (Credit: PCMag)

Internet infrastructure provider Cloudflare says it stopped a phishing scheme from compromising the company's network, thanks to the hardware-based security keys it issued to all employees.

According to Cloudflare, the attempted hack was likely part of the same SMS phishing scheme that breached Twilio, which the company publicly disclosed on Monday.

“Around the same time as Twilio was attacked, we saw an attack with very similar characteristics also targeting Cloudflare’s employees,” Cloudflare wrote in a blog post on Tuesday. “This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached.”

Both Twilio and Cloudflare are now warning that the SMS phishing scheme is targeting staffers at multiple companies. The attack arrives via SMS messages that pretend to come from the employer itself. In Cloudflare’s case, the hackers duped three employees into typing their company passwords into a fake login form.

The fake login form the hackers used. (Credit: Cloudflare)

But even so, the attackers failed to breach Cloudflare because of those security keys. Unlike two-factor authentication codes, which can be shared online, a hardware key is a physical device. It's often designed to slot into a PC's USB port, and adds an extra step in the login process, which can't be digitally phished.

In Cloudflare's case, this meant the hackers couldn't break in, unless they could physically steal a security key from one of the phished employees. “While the attacker attempted to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement,” Cloudflare says.

At least 76 Cloudflare employees received the SMS phishing messages from the attackers. The messages specifically said: “Alert!! Your Cloudflare schedule has been updated, Please tap cloudflare-okta.com to view your changes.” However, cloudflare-okta.com was actually a hacker-controlled domain hosting a fake login page capable of stealing passwords.

The SMS messages the hackers sent to Cloudflare employees. (Credit: Cloudflare)

The phishing technique was also designed to defeat two-factor authentication systems. Cloudflare points out the attacker’s fake login page can display a prompt for the time-based, one-time passcodes. “The employee would then enter the TOTP code on the phishing site, and it too would be relayed to the attacker,” the company said. “The attacker could then, before the TOTP code expired, use it to access the company’s actual login page.”
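The difference between the two factors described above, as an added example that is not from Cloudflare or the original article: a TOTP code carries no record of where it was typed, while a security-key response is bound to the origin the browser was actually on. The domains, secrets and challenge are constructed, HMAC stands in for the authenticator's public-key signature, and the real WebAuthn protocol additionally scopes each credential to the site it was registered with.

```python
import hashlib
import hmac
import json
import struct

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_accepts_totp(secret: bytes, submitted: str, now: int) -> bool:
    # The server sees only digits; nothing in them records where they were typed.
    return hmac.compare_digest(totp(secret, now), submitted)

def key_respond(key: bytes, challenge: str, origin: str):
    """Security-key response. The browser fills in `origin`, not the user."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}).encode()
    # HMAC stands in for the authenticator's public-key signature (assumption).
    return client_data, hmac.new(key, client_data, hashlib.sha256).digest()

def server_accepts_key(key, client_data, sig, challenge, expected_origin) -> bool:
    expected = hmac.new(key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    data = json.loads(client_data)
    return data["challenge"] == challenge and data["origin"] == expected_origin

REAL = "https://sso.example.com"        # constructed: the genuine login origin
LOOKALIKE = "https://sso-example.test"  # constructed: a look-alike origin

def demo():
    secret, key, now = b"constructed-seed", b"constructed-key", 1_660_000_000
    # A code typed on any page is still valid at the real server 5 seconds later.
    code = totp(secret, now)
    totp_relayed = server_accepts_totp(secret, code, now + 5)
    # A key response produced on the look-alike origin fails the origin check.
    cd, sig = key_respond(key, "c-123", LOOKALIKE)
    key_relayed = server_accepts_key(key, cd, sig, "c-123", REAL)
    # The same key used on the genuine origin is accepted.
    cd, sig = key_respond(key, "c-123", REAL)
    key_legit = server_accepts_key(key, cd, sig, "c-123", REAL)
    return totp_relayed, key_relayed, key_legit

if __name__ == "__main__":
    print(demo())
```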

It remains unclear who was behind the SMS phishing scheme and how they gained access to mobile phone numbers belonging to so many Cloudflare employees. But Cloudflare's data shows the attacker used a Windows 10 machine running Mullvad VPN during the failed login attempts.

The company added that it has not experienced a breach since it rolled out hardware security keys to all employees.


About Michael Kan

Senior Reporter
