“See Yourself in Cyber”
Posted on October 4th, 2022

The Cloudflare Attack

October is Cybersecurity Awareness Month. This observance, established in 2004 by the United States President and Congress to raise cybersecurity awareness, is led by the Cybersecurity & Infrastructure Security Agency (“CISA”) and National Cybersecurity Alliance (“NCA”). This year’s theme for CISA’s Cybersecurity Awareness campaign is “See Yourself in Cyber.”

OBLIC is joining CISA’s efforts by devoting all OBLIC Alerts in October to Cybersecurity Awareness. We will help lawyers “see themselves in cyber” by sharing stories of reported cyberattacks. We hope that these stories will help lawyers recognize their vulnerabilities to similar attacks and learn how available resources could help avoid the same victimization.

We kick off the month with a story with a happy ending. Recently Cloudflare, a company that provides performance and security services for website owners, prevented a cyberattack from compromising company data. In “The mechanics of a sophisticated phishing scam and how we stopped it,” Cloudflare describes the attack in detail. The story provides helpful insight into the sophistication of some of these attacks and the importance of strong security procedures and an incident response plan.

The Scam

The attacker sent out 100+ text messages to Cloudflare employees and their families that alerted the recipient that their work schedule had been updated and provided a link to view the changes.

Cloudflare had an established policy that instructed employees to report suspicious emails and text messages immediately. Within a minute after the text messages went out, Cloudflare began receiving reports of the texts from employees. The text successfully duped three employees who tapped on the link.

The link took these employees to a website created by the attacker that looked identical to Cloudflare’s actual login page. The three employees who followed the link proceeded to input their usernames and passwords. The attacker collected employees’ usernames and passwords in real time from the dummy website and entered them into Cloudflare’s actual login page.

The dummy website then prompted the employees to enter a two-factor authentication (TFA) passcode. The prompt for the TFA passcode was presumably based upon the attacker’s assumption that the actual login page would require input of a TFA passcode that had been texted to the employee. The prompt on the dummy website would have allowed the attacker to collect that passcode and use it on the actual login page before the passcode expired. The attack was thwarted because Cloudflare’s two-factor authentication process did not use passcodes. Instead, Cloudflare used a hardware security key for access to Cloudflare’s system.
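Why a texted passcode would have been accepted while the security key was not, as an added example (a simplified model, not Cloudflare's code): a passcode carries no record of the site it was typed into, whereas a FIDO-style security key's response covers the origin the browser actually visited. Both origins and all key material are constructed placeholders, and an HMAC stands in for the key's public-key signature.

```python
import hashlib, hmac, json, secrets

REAL_ORIGIN = "https://login.example.com"   # placeholder: the genuine login page
FAKE_ORIGIN = "https://login-example.test"  # placeholder: the lookalike page

def issue_passcode(now, ttl=60):
    """Server side: create the one-time passcode that gets texted to the user."""
    return {"code": f"{secrets.randbelow(10**6):06d}", "expires": now + ttl}

def server_accepts_passcode(issued, submitted, now):
    # Nothing in the passcode records which website the user typed it into.
    return now < issued["expires"] and hmac.compare_digest(issued["code"], submitted)

def key_response(device_key, challenge, origin_seen_by_browser):
    """Browser plus security key: the visited origin is part of the signed data.
    HMAC is an assumption standing in for the key's public-key signature."""
    client_data = json.dumps({"challenge": challenge, "origin": origin_seen_by_browser})
    sig = hmac.new(device_key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def server_accepts_key_response(device_key, challenge, response):
    expected = hmac.new(device_key, response["client_data"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response["sig"]):
        return False  # signed data was altered after the key produced it
    data = json.loads(response["client_data"])
    return data["challenge"] == challenge and data["origin"] == REAL_ORIGIN

def demo():
    """Constructed values only; returns which logins the real server would accept."""
    now, device_key, challenge = 1_664_841_600, b"constructed-device-key", "constructed-challenge"
    issued = issue_passcode(now)
    typed_on_fake_site = issued["code"]  # user reads the text, types it on the lookalike
    on_real = key_response(device_key, challenge, REAL_ORIGIN)
    on_fake = key_response(device_key, challenge, FAKE_ORIGIN)
    edited = dict(on_fake, client_data=on_fake["client_data"].replace(FAKE_ORIGIN, REAL_ORIGIN))
    return {
        "passcode_typed_on_lookalike": server_accepts_passcode(issued, typed_on_fake_site, now + 20),
        "passcode_after_expiry": server_accepts_passcode(issued, typed_on_fake_site, now + 61),
        "key_used_on_real_site": server_accepts_key_response(device_key, challenge, on_real),
        "key_used_on_lookalike": server_accepts_key_response(device_key, challenge, on_fake),
        "lookalike_response_edited": server_accepts_key_response(device_key, challenge, edited),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The only passcode case the server rejects is the expired one, which is why passcode-based TFA depends on the user noticing the wrong address, while the key-based check does not.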

Within minutes of the first report of the suspicious text, Cloudflare was able to block the dummy website domain from corporate devices, disable the credentials of the impacted employees, and send out a warning communication to all other employees. An investigation following the attack revealed that, had the employee input a passcode, the attacker’s website would have initiated the download of malware that included remote access software that the attacker could use to control the employees’ machines remotely.

Lessons Learned

Cloudflare’s cybersecurity procedures provided several layers of security that helped Cloudflare avoid a breach.

  1. Cloudflare trained its staff to recognize suspicious texts.
  2. Cloudflare had reporting procedures in place and trained its employees on how to use them effectively.
  3. Cloudflare engaged the appropriate specialists immediately to block the attacker and disable the credentials of the duped employees.
  4. Secure two-factor authentication protected access to Cloudflare’s data.

How to Apply the Lessons Learned

Not all cyberattacks are as sophisticated and as well conceived as the one targeted at Cloudflare. However, the same security features employed by Cloudflare are useful in protecting lawyers and law firms against any cyberattack.

  • Employees and staff need to be trained to recognize suspicious communications and know what to do when they receive one.
  • Access to law firm data should be protected through strong passwords and two-factor authentication.
  • Law firms also need to have an incident response plan in place to mobilize the appropriate specialists in the event of an attack.

OBLIC provides as a benefit to all policyholders online access to a Cyber Toolbox that contains training materials, sample incident response plans and other resources. We urge our policyholders to make use of these materials and to review the cybersecurity tips in our OBLIC Alerts:

As always, if you have any questions, please contact us. We are here to help!

Gretchen K. Mote, Esq.
Director of Loss Prevention
Ohio Bar Liability Insurance Co.
Direct:  614 572 0620
Monica Waller, Esq.
Senior Loss Prevention Counsel
Ohio Bar Liability Insurance Co.
Direct:  614 859 2978