Cloudflare says it almost fell for a phishing scam

Cloudflare employees were recently targeted by a “sophisticated” phishing campaign, but the DDoS protection firm successfully defended itself even though some of them fell for the ruse.

Co-founder Matthew Prince, together with team members Daniel Stinson-Diess and Sourov Zaman, wrote a blog post describing how the attack unfolded and why it ultimately failed.

Before the attack, the threat actor registered the domain cloudflare-okta.com, which looked legitimate enough to fool some victims. Cloudflare uses Okta as its authentication service. The attackers also obtained the phone numbers of over 80 Cloudflare employees, as well as those of some of the employees’ family members.

Security keys vs. time-based passcodes:

To determine how the attackers got hold of these phone numbers, Cloudflare examined its access logs and found no evidence of a breach.

They then used DigitalOcean to host a phishing website that looked just like the real Okta login page. Credentials entered on the page were relayed to the attackers via Telegram in real time, which let them enter the stolen username and password on the genuine Okta login page immediately and capture the victim’s time-based two-factor code before it expired.

Once the preparations were complete, they sent the targets an SMS reading “Alert! Cloudflare schedule has been modified,” followed by a link to the phishing site.

Most employees were not fooled, but a few were. Even so, the attackers could not get into Cloudflare’s systems because of an additional control: Cloudflare uses FIDO2-compliant hardware security keys rather than Time-based One-Time Passcodes (TOTP).
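The difference between the two factors is what decided this incident, so here is an added illustration (not from the article or from Cloudflare) of why a real-time relay defeats TOTP but not a security key: a TOTP code depends only on the shared seed and the clock, whereas a WebAuthn assertion is signed over the origin the browser actually invoked it from. The seeds, the challenge and the genuine login origin (`okta-login.example`) are constructed placeholders, and an HMAC stands in for the authenticator’s public-key signature; in a real browser the key would not even be invoked for a mismatched RP ID.

```python
import hashlib, hmac, json, struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)

def totp(secret: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on the shared seed and time,
    not on which site the user typed it into."""
    mac = hmac.new(secret, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def server_accepts_totp(secret: bytes, code: str, now: int) -> bool:
    # Typical servers tolerate one step of clock skew either way, so a code relayed
    # within a few seconds of being typed is still valid.
    return any(hmac.compare_digest(totp(secret, now + d), code) for d in (-STEP, 0, STEP))

def key_assertion(key_secret: bytes, origin: str, challenge: str) -> dict:
    """Simplified WebAuthn assertion: the browser records the page origin in clientData
    and the authenticator signs over it. HMAC stands in for the real public-key signature."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    sig = hmac.new(key_secret, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientData": client_data, "sig": sig}

def server_accepts_assertion(key_secret: bytes, assertion: dict,
                             expected_origin: str, challenge: str) -> bool:
    data = json.loads(assertion["clientData"])
    if data["type"] != "webauthn.get" or data["challenge"] != challenge:
        return False
    if data["origin"] != expected_origin:   # origin binding: a relayed assertion fails here
        return False
    expected_sig = hmac.new(key_secret, assertion["clientData"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, assertion["sig"])

def simulate_real_time_relay(now: int) -> dict:
    """Victim interacts with the lookalike site; the attacker forwards everything to the real
    site five seconds later. Secrets, origins and challenge below are constructed placeholders."""
    totp_seed = b"constructed-shared-totp-seed"
    key_secret = b"constructed-authenticator-secret"
    real_origin = "https://okta-login.example"          # placeholder for the genuine login origin
    fake_origin = "https://cloudflare-okta.com"         # lookalike domain named in the article
    challenge = "constructed-server-challenge"
    relayed_code = totp(totp_seed, now)                 # code the victim typed into the fake page
    totp_ok = server_accepts_totp(totp_seed, relayed_code, now + 5)
    relayed_assertion = key_assertion(key_secret, fake_origin, challenge)
    fido_ok = server_accepts_assertion(key_secret, relayed_assertion, real_origin, challenge)
    return {"totp_relay_accepted": totp_ok, "fido2_relay_accepted": fido_ok}
```

Running `simulate_real_time_relay()` for any timestamp shows the relayed TOTP accepted and the relayed assertion rejected, purely because the signed origin names the lookalike domain.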

Even a sophisticated, real-time phishing operation like this one would be unable to obtain the information needed to access any of our systems, the authors said. Despite their best efforts, the attackers were unable to gain access to our systems using the compromised login and password information.

Although Cloudflare appears to have dodged this particular bullet, it warns that other organisations may have been hit by the same sophisticated campaign. Victims who were tricked most likely ended up with the AnyDesk remote access software installed on their endpoints; according to the company, with that software in place an attacker could control the victim’s computer remotely.

Twilio also recently disclosed that it had been targeted by the same kind of phishing attack, in which the hackers fooled employees into handing over their login credentials, which were then used to access the company network, map out its endpoints and steal further data.