Twilio fraud attack summary

linkTimeline

Thursday, Jul 18 2019

  • 4:00 PM - Attack begins to slowly ramp up

  • 6:39 PM - First Twilio email, blocking Serbia prefix +381604427

  • 7:21 PM - Attacker switches to only using UK phone numbers (+44)

  • 7:25 PM - Responded to Twilio to request account suspension

  • 7:30 PM - Our anti-abuse system kicks in, starts blocking excessive phone verification endpoint requests

  • 7:31 PM - We blocked IPs associated with requests

  • 7:47 PM - Twilio responds that account is suspended



linkThe attack


Attack started around 6 PM, with most expensive calls being those that were disconnected at 7:30 PM (remaining connected for long periods of time). These ended after billing was turned off, resulting in ~ $-1600 account balance. These were not ended by Twilio, despite being similar Serbia (+389) prefixes to what they blocked at 6:39 PM


Switched to +44 (UK) numbers once Twilio started banning Serbia, etc prefixes.


  • Total number of attempted calls: ~1,090

  • busy: 30

  • canceled: 2

  • completed: 554

  • no answer: 104



linkRandom tidbits

  • Twilio customer for ~8 years

  • Typical bill has grown from ~$30/month to a peak of ~$200/month for all services (Voice, SMS, and Lookup).

  • Integration of voice verification pre-dates Twilio's "risky countries" geographic permissions segmentation.

  • We've slowly enabled additional geographic permissions over time, as our customers have contacted support.

  • Attacker used UK numbers - not exactly a "risky country" which could be omitted from Voice verification

  • Authy - which is owned by Twilio - only put their own protections against toll fraud into effect in Feb 2019



linkCall volume and charges


~550 calls, to the tune of ~$4500



Typical monthly bill around $50 for voice, ~10 calls (outbound) per day:



Our rate limiting blocked 249 calls, probably would have been another $2000-$2500: