What banks can learn from phishing attacks on Cloudflare, Twilio

Cloudflare announced Tuesday it had been the target of a sophisticated phishing campaign that was nearly identical to a campaign against Twilio. The two companies' differing response and preparation also came with differing outcomes.

Threat actors targeted two major tech firms with nearly identical phishing schemes last week. In one case, attackers gained access to data for approximately 125 customers. In the other, they tricked three employees but did not gain any system access to their systems.

In the wake of the attacks, bank cybersecurity experts said the steps by Cloudflare, which suffered no loss of customer data, largely mirror those that financial institutions should also take to fend off phishing attacks. Although Twilio suffered the loss of customer data, the experts said it also took steps to mitigate damage that banks should replicate.

The events come as regulators crack down on financial companies that do not sufficiently protect consumer data. On Thursday, the Consumer Financial Protection Bureau said failure to protect consumer data may violate federal consumer protection law. This is part of a broader CFPB campaign to scrutinize financial institutions and tech firms.

Twilio said it became aware on Aug. 4 of unauthorized access to information related to some Twilio customers. The company did not say what kind of data the attackers accessed but did say there was "no evidence" that customer passwords, authentication tokens, or API keys were compromised. Twilio also said it had already notified affected customers.

The day after Twilio's announcement, Cloudflare announced it faced a similar attack around the same time. The company said three of its employees fell for the phishing message and provided their credentials, but the threat actor was unable to use those credentials to access Cloudflare's systems because employees also use hardware security keys to log into their systems. Attackers cannot forge such keys.

Cloudflare said in the attack against its employees, the phishing site could have also attempted to download a malicious attachment that included legitimate remote access software from AnyDesk. The company said none of the three employees got to that step — seemingly because just before that, they were asked to enter a one-time password. Because Cloudflare doesn't use one-time passwords, the employees apparently realized they were being duped and reported the incident.

Even if the employees had fallen for the one-time-password trick, the company said, its endpoint security system would have prevented installation of the malicious bundle.

Cloudflare CEO Matthew Prince and two security professionals for the company, Daniel Stinson-Diess and Sourov Zaman, said they had been "protected even if not perfect" amid the attack. In other words, their systems prevented the compromise of valuable data and access even though human error occurred and some technical limitations inhibited the defense.

Cloudflare also detailed five steps the company took in response to the incident: blocking the phishing domain, identifying and resetting the compromised credentials, identifying and taking down the infrastructure used by the threat actor, updating detections to identify subsequent attack attempts, and auditing service logs for additional attack indicators.

Banking security experts say those are five steps that banks also ought to take, though when it comes to taking down infrastructure used by threat actors, banks cannot do that themselves but can ask content delivery networks used by the attackers to do so. The other steps they can typically take themselves, including some of the earlier steps Cloudflare took.

"Highly-targeted companies, like financial institutions and their service providers, would be wise to implement hardware tokens for their employees, particularly those in key roles or with privileged access to their systems," said Matt Hartley, co-founder and chief product officer of BreachRx, a cyberincident response company. 

Hartley said these hardware tokens — specifically, FIDO2-compliant security keys made by vendors such as YubiKey — were a "linchpin mechanism" in Cloudflare's defense. The attacker assumed that Cloudflare used multifactor codes sent to employees via text message or an app, which Hartley said is far more common.

Bryan Hornung, CEO of the cybersecurity firm Xact IT Solutions, said that banks could also subscribe to Cloudflare or other content delivery network providers such as Akamai, Amazon, Microsoft and Google to get similar technical abilities like phishing domain monitoring and blocking of malicious websites in the aftermath and lead up to a phishing attack, but that technology is not always sufficient.

For example, the cybercriminals in the phishing attack on Cloudflare registered the phishing domain — cloudflare-okta[dot]com — less than 40 minutes before sending phishing messages to the company's employees. Cloudflare said that was too short a turnaround for its automated phishing domain detection to catch on, which is part of why attackers made it as far as they did.

Hornung said that the "best defense" rather is "a rigorous employee awareness training program with education and fake phishing tests." Similar to Cloudflare, banks also need technology to "isolate impacted targets quickly if there is a widespread breach."

According to Ryan McCarthy, a senior director in the security and privacy practice of the banking consultancy Protiviti, "the most important step" is to block phishing messages from reaching end users. He also said institutions of any size should be able to reset compromised credentials and review available logs to validate that the threat is contained after an incident.

But not all institutions have the same ability to prevent phishing, he pointed out.

"Most banks, aside from the global systemically important financial institutions, won't have the resources to perform takedowns of threat-actor infrastructure," McCarthy said, "but they can still aid the industry by sharing their intelligence with their tech providers and through FS-ISAC for others to take action."

For reprint and licensing requests for this article, click here.
Phishing Cyber security Technology
MORE FROM AMERICAN BANKER