I’m a security reporter and got fooled by a blatant phish


Think you’re too smart to be fooled by a phisher? Think again.

There has been a recent flurry of phishing attacks so surgically precise and well-executed that they’ve managed to fool some of the most aware people working in the cybersecurity industry. On Monday, Tuesday, and Wednesday, two-factor authentication provider Twilio, content delivery network Cloudflare, and network equipment maker Cisco said phishers in possession of phone numbers belonging to employees and employee family members had tricked their employees into revealing their credentials. The phishers gained access to internal systems of Twilio and Cisco. Cloudflare’s hardware-based 2FA keys prevented the phishers from accessing its systems.

The phishers were persistent, methodical, and had clearly done their homework. Within a single minute, at least 76 Cloudflare employees received text messages that used various ruses to trick them into logging into what they believed was their work account. The phishing website used a domain (cloudflare-okta.com) that had been registered only 40 minutes before the message flurry, too recently for the system Cloudflare uses to alert on newly registered domains carrying its name to have fired (presumably because new registrations take time to show up in the feeds such a system watches). The phishers also had the means to defeat forms of 2FA that rely on one-time passwords generated by authenticator apps or sent through text messages: a code relayed to the real site within its validity window is accepted just like one typed there directly.

Creating a sense of urgency

As at Cloudflare, employees at Twilio and Cisco received text messages or phone calls built around an urgent premise (a sudden schedule change, an expiring password, or a call made in the name of a trusted organization) that pressed the target to act quickly.

On Wednesday, it was my turn. At 3:54 pm PT, I received an email purporting to be from Twitter, informing me my Twitter account had just been verified. I was immediately suspicious because I hadn’t applied for verification and didn’t really want to. But the headers showed that the email originated from twitter.com, the link (which I opened in Tor on a secure machine) led to the real Twitter.com site, and nothing in the email or linked page asked me to provide any information. I also noticed that a checkmark had suddenly appeared on my profile page.

Satisfied the email was genuine, I noted my surprise on Twitter at 3:55.

Seconds later, at 3:56, I received a direct message purporting to come from Twitter’s verification department. It said that for my verification to become permanent, I needed to respond to the message with either my driver’s license, passport, or other government-issued ID.

I have strong feelings about the inappropriateness of Twitter—a company that has been hacked at least three times and admitted to misusing user phone numbers—asking for this kind of data. I was mad. It was near the end of my workday. I was still surprised at the unexpected and unfaked gifting by Twitter of a checkmark I hadn’t asked for. So without thoroughly reading the DM, I tweeted a screenshot of it, along with a cynical comment about Twitter not being trustworthy.

The thing is, the DM used broken English; the user handle was named Support, followed by a bunch of numbers; the account was locked. The DM is a textbook example of a phish, with all the hallmarks of a scam. So why was my first impression that this message was genuine? There are a few reasons.

The timing of the DM was the first. I didn’t look at the timestamps until later, so they seemed to arrive simultaneously. Somehow, that seemed too unlikely to be anything other than real. The DM related to something that had just happened, something that I hadn’t expected. In my state of surprise, I think I briefly suspended my critical judgment. Besides, I had already suspected that the email was a scam and was proved wrong.

I also have long held the belief that phishers aren’t all that bright, else they’d rely on more technical means of breaching a target’s security. That gave me a sense of invincibility. The person behind the DM almost certainly relied on a script that either monitored new Twitter verifications or my timeline and swooped in almost immediately after the verification went into effect, probably with the use of an automated script. In retrospect, that’s an obvious thing for a phisher to do, but it hadn’t occurred to me before that someone would be this determined and resourceful.

Even if I hadn’t been averse to sending Twitter my ID, and even if I was like many who covet the verification checkmark (I don’t; I think they’re a status symbol akin to vanity license plates and can’t be relied on to verify anything), I think I would have noticed the obvious signs of fraud before I followed the request to send my ID. I’ve learned to delay responding to requests like these for at least a few hours and, ideally, a day or two. That gives me a few chances to read the message, hopefully in a clearer state of mind.

But there’s no denying that I initially thought the DM was genuine. And there’s no doubt that the Twilio, Cloudflare, and Cisco employees thought the messages they received were genuine, too.

Defend yourself

First, for clarity, a quick explanation. My Twitter account really was verified. I still don’t know why. It may be that Twitter did it unilaterally, possibly because the company wants to verify journalists or wants to increase the number of verified users it has. It’s also possible that someone at my employer Conde Nast made this happen and somehow this didn’t get communicated to me. The main thing is my account really did get verified. The phisher, either using a bot that monitors new verifications or seeing my tweet, quickly capitalized on this.

Ultimately, I didn’t act on the phish, but consider the speed at which I took a screenshot and tweeted it. I acted on it before I had fully read it. I’d like to think there’s no way I would have actually sent the info to Twitter, even if I had really wanted the verification, but if I can tweet out a screenshot, I can probably do other, worse things on impulse too.

So how do we protect ourselves in situations like these?

Critical judgment and a keen eye are no doubt the first line of defense against phishing attacks. That means looking for the usual things: poor grammar or spelling, domain or account names that depart from the normal ones a company uses, messages that make us feel scared, angry, or surprised. But this can’t be the only defense, as all four of the incidents mentioned here show.

2FA is the next line of defense, although in my case it wouldn’t have done anything, since the phishers were after my ID and not trying to get into my account. Both Google and Twitter offer a form of 2FA that uses physical security keys only. This form of 2FA is unphishable and is the gold standard: a FIDO2/WebAuthn key signs the server's challenge together with the origin of the page the browser is actually on, so a signature produced on a lookalike domain such as cloudflare-okta.com is useless to the real login page, and the browser will not release the credential to a domain outside the one it was registered for in the first place.

Sadly, on many other sites, 2FA isn’t as strong a defense against phishing as many people think. GitHub, Facebook, and most other sites that offer hardware-based 2FA require users to keep a fallback based on one-time passwords, in some cases delivered through the horribly insecure medium of SMS. If someone can get phished for a password, they can get phished for a one-time password, too: a phishing page simply relays the code to the real site inside its validity window. A push notification is no better, as a Cisco employee who was tricked into approving one showed. While any form of 2FA is better than none, the industry has a long way to go in firming up this important security measure.

The most important defense is remaining humble and not falling into the mindset that we would never get pulled in by a phisher. Phishers are more sophisticated than we may think. They come up with new tricks all the time. It’s only a matter of time until one of them throws us off balance.

As Cloudflare officials wrote in their disclosure: “Having a paranoid but blame-free culture is critical for security. The three employees who fell for the phishing scam were not reprimanded. We’re all human, and we make mistakes. It’s critically important that when we do, we report them and don’t cover them up.”

Post updated to add seventh-, eighth-, and ninth-to-last paragraphs.


Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and Bluesky. Contact him on Signal at DanArs.82.

