Over the past week, the account credentials for my organization’s Twilio account were stolen and used to send ~10,000 fraudulent SMS messages claiming to be from a major bank.
The passwords have all been changed, the secrets have been rotated, and the “subaccounts” created by the scammer have been removed.
I have no idea how they managed to get the information for this account, and I suspect I’ll never know, since it only occurs in one config file on one server and the access logs for that server do not show any access to the file.
In analyzing the sent messages, I found a number of repetitions of the following text, all sent to the same phone number:
JavaGhost – Mass Twilio Checker
I’m guessing that this is the attacker checking that they still have access to the account, but I’ve been looking around and can’t seem to find any more information (other than that a number of people seem to use the nickname JavaGhost online).
I’m curious if anyone knows more about this type of attack and what is going on with these messages.