Same hackers attacked communications giant Twilio and as part of the breach, end-to-end encrypted messaging app Signal revealed last week that hackers accessed the phone numbers and SMS verification codes of 1,900 users.
According to cybersecurity company Group-IB, the attack on Twilio was part of a wider campaign by “0ktapus” hacking group.
Based on the request from our client, and from public reports made by Twilio and Cloudflare, the attacks were well designed and executed,” Group-IB said in a blogpost.
The attackers targeted employees of companies that are customers of Identity and Access Management (IAM) leader Okta.
These employees received text messages containing links to phishing sites that mimicked the Okta authentication page of their organisation.
In total, the Group-IB Threat Intelligence team detected 169 unique domains involved in the Oktapus campaign.
“At this time, it became very clear that the threat actors’ immediate intentions were to gain access to the corporate services of the organisations,” said the researchers.
Twilio, which owns popular two-factor authentication (2FA) Authy, earlier said that it became aware of unauthorised access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials.
The Group-IB analysis shows that most targeted companies are located in the US. Some of the affected are headquartered in other countries but have US-based employees that were targeted.