Inside a cyberattack method that targets your cellphone
The technique, which claimed victims at Twilio and targeted others at Cloudflare, combines text messages designed to trick recipients into clicking a link, relies on the ubiquity of smartphones, exploits human nature and works around an increasingly common defensive measure.
A campaign that relied on the technique gained momentum this summer and targeted more than 130 businesses, according to a report by cyber firm Group-IB last month. The attackers compromised nearly 10,000 user credentials.
The technique works like this:
- Hackers send fake text messages to potential victims, pretending to be, for example, a member of their employer’s IT team and telling them that their password has expired or that their schedule has changed, to trick them into clicking a link. When the lure arrives by email it’s commonly known as “phishing”; when it arrives by text it’s called “smishing,” a portmanteau of “phishing” and “SMS,” the technical name for texting.
- The link leads to a fake Okta login page, or a counterfeit of another tool that verifies a login with a second factor, known as multi-factor authentication or MFA, and the victim types in their password and one-time code there. (Group-IB dubbed the campaign “0ktapus” in its report because of the Okta angle.)
- Once the hackers have the code that the victim unwittingly handed over, they use it to log in themselves and can move around the victim’s network.
Group-IB’s numbers are dramatic, said Ryan Olson, vice president of threat intelligence at Palo Alto Networks’ Unit 42.
“That means they’ve had success on about 70 people per business on average, and I don’t know what all the businesses are or how big they are, but it was extremely effective for a phishing attack,” Olson said. “If you were to send out a phishing attack via email, you’re lucky if one in 1,000 people even sees the email and it passes through the filters, let alone clicks on it, let alone types in their multi-factor authentication code as well. It’s a huge success.”
Olson said his company has already seen imitators of the original campaign and expects it to grow, a view shared by others in the cybersecurity field.
“It will grow,” predicted Angelos Stavrou, founder and chief scientific officer of Quokka, a mobile privacy company known until recently as Kryptowire.
In most cases, people don’t have as many defenses on their personal phones to block malicious messages as a large organization has on their work email, Olson said. (Separately, the IRS warned of smishing attacks on Wednesday.)
Smishing is a lesser-known threat, and people are more used to clicking on text messages, some of which may be sent by their employer, Olson said. And attackers have learned that if they bombard a user with MFA approval requests, some people will eventually give in, which is apparently what happened in the Uber breach this month.
MFA is a well-regarded defensive technique touted by federal officials and big tech companies, but as it has become more common, “MFA fatigue” has set in. Often users just want the prompts to stop, and approving them is the fastest way. But Olson said you don’t have to be a fool to fall for the trap.
Often, users don’t get an MFA prompt until they log in to a system they use for work. But Olson himself recently received an MFA prompt because a session that had been sitting idle on his computer timed out. In other words, some office workers are used to routine prompts to reauthenticate.
For Stavrou, the reason it works is the constant escalation of defense and attack, and how everyday users react.
“As we become more advanced, the opponent has become more advanced,” he told me. “The information presented to the user is growing faster than he can handle it.”
While 0ktapus focused on Okta, Palo Alto Networks has also seen campaigns targeting other authentication tools, like Duo or Microsoft 365.
There are limits to the method. One-time codes expire, which forces the hackers to use a stolen code within a short window, but Olson said that step is likely automated. The overall technique, according to Group-IB and others, does not require major skills.
What can hackers do to victims if successful? “Recent revelations reveal that the initial compromises were only part of the attack,” Group-IB noted, highlighting the potential for cryptocurrency theft or the use of stolen information to launch attacks against other victims.
A few keys to repelling such attacks include hardware security keys like the YubiKey, which bind the login response to the genuine site’s origin so a lookalike page cannot relay the verification; using authenticator apps such as Google Authenticator rather than SMS for codes, with the caveat that a code typed into a phishing page can still be relayed in real time, as happened in this campaign; and employee awareness programs.
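The relay described in the steps above, the expiry window, and the difference between an authenticator-app code and a hardware key can all be shown in a few dozen lines. The following is an added example written for this page; it is not code from the article, Group-IB, Palo Alto Networks or any vendor. It implements RFC 4226 HOTP / RFC 6238 TOTP with the standard library, a toy identity provider and a toy phishing proxy, and uses an HMAC over (challenge + origin) as a simplified stand-in for a WebAuthn signature over client data that includes the origin; the origins, user, password and secrets are constructed, and the scenario timestamps are fixed so the result is reproducible.

```python
import base64
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30   # seconds per code (RFC 6238 default)
TOTP_DRIFT = 1   # also accept the previous step, as many verifiers do


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 over the big-endian counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, now // TOTP_STEP)


class IdentityProvider:
    """Toy SSO verifier (stand-in for Okta, Duo or Microsoft 365) that knows its own origin."""

    def __init__(self, origin: str):
        self.origin = origin
        self.passwords, self.totp_secrets, self.key_secrets = {}, {}, {}

    def enroll(self, user: str, password: str, totp_secret: bytes, key_secret: bytes) -> None:
        self.passwords[user] = password
        self.totp_secrets[user] = totp_secret
        self.key_secrets[user] = key_secret

    def login_totp(self, user: str, password: str, code: str, now: int) -> bool:
        if self.passwords.get(user) != password or user not in self.totp_secrets:
            return False
        secret = self.totp_secrets[user]
        # The code stays valid for the whole step plus drift: that is the attacker's relay window.
        return any(hmac.compare_digest(code, hotp(secret, now // TOTP_STEP - d))
                   for d in range(TOTP_DRIFT + 1))

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def login_key(self, user: str, password: str, challenge: bytes, response: bytes) -> bool:
        if self.passwords.get(user) != password or user not in self.key_secrets:
            return False
        # The verifier mixes in ITS OWN origin; a response produced on a lookalike origin never matches.
        expected = hmac.new(self.key_secrets[user], challenge + self.origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class SecurityKey:
    """Simplified origin-bound authenticator: the browser's origin is part of what gets 'signed'."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, challenge: bytes, origin_in_browser: str) -> bytes:
        return hmac.new(self.secret, challenge + origin_in_browser.encode(), hashlib.sha256).digest()


class PhishingProxy:
    """Lookalike page reached from the smishing link; relays whatever the victim submits to the real IdP."""

    def __init__(self, real_idp: IdentityProvider, lure_origin: str):
        self.real_idp, self.lure_origin = real_idp, lure_origin

    def relay_totp(self, user: str, password: str, code: str, now: int) -> bool:
        return self.real_idp.login_totp(user, password, code, now)

    def relay_key(self, user: str, password: str, victim_key: SecurityKey) -> bool:
        challenge = self.real_idp.new_challenge()                   # even the genuine challenge does not help
        response = victim_key.respond(challenge, self.lure_origin)  # victim's browser is on the lure origin
        return self.real_idp.login_key(user, password, challenge, response)


def run_scenarios() -> dict:
    """Constructed scenario: one victim, one lookalike site, fixed clock."""
    idp = IdentityProvider("https://sso.example.com")
    totp_secret = base64.b32decode("JBSWY3DPEHPK3PXP")   # constructed enrolment secret
    key_secret = b"constructed-security-key-secret"
    idp.enroll("alice", "hunter2", totp_secret, key_secret)
    proxy = PhishingProxy(idp, "https://sso-example.com")  # hyphen instead of dot: the lookalike
    now = 1_700_000_000
    victim_code = totp(totp_secret, now)                    # what the victim types into the lure page
    challenge = idp.new_challenge()
    return {
        "totp_relayed_in_window": proxy.relay_totp("alice", "hunter2", victim_code, now + 20),
        "totp_relayed_after_expiry": proxy.relay_totp("alice", "hunter2", victim_code, now + 90),
        "key_used_on_real_site": idp.login_key("alice", "hunter2", challenge,
                                               SecurityKey(key_secret).respond(challenge, idp.origin)),
        "key_relayed_through_lure": proxy.relay_key("alice", "hunter2", SecurityKey(key_secret)),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The relayed TOTP succeeds at +20 seconds and fails at +90 seconds, which is why the article notes the attackers automate the replay; the hardware-key path fails even when the proxy forwards the genuine challenge, because the origin the victim’s browser was actually on is part of the verified data. Real WebAuthn uses an asymmetric signature over client data containing the origin rather than an HMAC, but the property demonstrated is the same.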
Until then, “every time a technique shows this much success, other threat actors will copy it,” Olson said.
Senate committee proposes legislation to help secure open source software
The bill seeks to address issues raised by a major flaw in the Log4j software library last year by directing U.S. government agencies to review the risk in systems that rely on volunteer-maintained software. Sens. Gary Peters (D-Mich.) and Rob Portman (R-Ohio), the top senators on the Senate Homeland Security and Governmental Affairs Committee, introduced the bill last week.
The Log4j vulnerability thrust open-source software security into the spotlight last year. CISA Director Jen Easterly called it “the most severe vulnerability I’ve seen in my decades-long career,” but organizations didn’t immediately see the massively destructive hacking that had been feared. However, Log4j remains an “endemic vulnerability,” and “vulnerable instances of Log4j will remain in systems for many years, possibly a decade or more,” a Department of Homeland Security panel said in July.
Senior UK official warns of Russian cyberattacks
Lindy Cameron, the chief executive of Britain’s National Cyber Security Centre, warned at an event that Russia could be unpredictable in cyberspace and that organizations should stay alert for Russian hacks, the Financial Times’ John Paul Rathbone reports. “There is still a real possibility that Russia could change its approach in the cyber domain and take more risks,” Cameron said.
Cameron also noted that Russia’s cyber operations have been intense. “We haven’t seen ‘cyber Armageddon.’ But… what we have seen is a very significant conflict in cyberspace – probably the most sustained and intensive cyber campaign on record,” she said.
Cameron’s warning echoes similar warnings from Washington, where Easterly reiterated that companies should have their “shields up”, and make sure they are ready for possible Russian cyberattacks.
House Republicans quiz Justice Department on response to Christian group hacks amid abortion furor
Thirteen Republicans on the House Oversight and Reform Committee asked the Attorney General Merrick Garland to provide a briefing on the Department of Justice’s efforts to investigate hacks of Christian organizations and donation sites. Their letter foreshadows a potential investigative lead for Republicans, who could take control of the House in November and launch their own investigations.
Signatories to the letter included Rep. James Comer (Ky.), the top Republican on the committee, and the top Republicans on the committee’s five subcommittees. They cited hacks targeting the Republican Party of Texas website, the Christian crowdfunding website GiveSendGo, and evangelical groups supporting the Supreme Court’s overturning of Roe v. Wade.
“The Department of Justice must investigate these attacks, which are likely unlawful and clearly intended to chill the right of our citizens to peacefully express their opinions on matters of public importance as well as donations to conservative or religious organizations,” the lawmakers wrote in the letter. “The citizens of this country should be free to exercise their rights without fear of malicious cyberattacks.” A Justice Department spokesperson declined to comment.
Can Kaspersky survive the war in Ukraine? (CyberScoop)
Australia asks Optus to pay for new customer ID documents (Associated Press)
Israeli firm to sell social media tracking software to Orban’s Hungary (Times of Israel)
Treasury seeks input on how to structure a cyberinsurance program (NextGov)
Stealth hackers target military and weapons suppliers in recent attack (Bleeping Computer)
- The US Naval Institute is hosting an event on cyber threats and misinformation today at 10:30 a.m.
- Reps. Frank Pallone Jr. (D-N.J.) and Cathy McMorris Rodgers (R-Wash.), the top-ranking members of the House Energy and Commerce Committee, discuss privacy legislation at a Washington Post Live event today at 11 a.m.
- The Global Tech Security Commission hosts Commerce Secretary Gina Raimondo for a discussion on implementation of the CHIPS and Science Act today at 11:15 a.m.
Thanks for reading. Until tomorrow.