Internet infrastructure provider Cloudflare says it stopped a phishing scheme from compromising the company's network, thanks to the hardware-based security keys it issued to all employees.
According to Cloudflare, the attempted hack was likely part of the same SMS phishing scheme that breached Twilio, which the company publicly disclosed on Monday.
“Around the same time as Twilio was attacked, we saw an attack with very similar characteristics also targeting Cloudflare’s employees,” Cloudflare wrote in a blog post on Tuesday. “This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached.”
Both Twilio and Cloudflare are now warning that the SMS phishing scheme is targeting staffers at multiple companies. The attack arrives via SMS messages that pretend to come from the employer itself. In Cloudflare’s case, the hackers duped three employees into typing their company passwords into a fake login form.
But even so, the attackers failed to breach Cloudflare because of those security keys. Unlike two-factor authentication codes, which can be shared online, a hardware key is a physical device. It's often designed to slot into a PC's USB port, and it adds an extra step to the login process that can't be digitally phished.
In Cloudflare's case, this meant the hackers couldn't break in, unless they could physically steal a security key from one of the phished employees. “While the attacker attempted to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement,” Cloudflare says.
At least 76 Cloudflare employees received the SMS