Tomcat
Why is relying on two-factor authentication not a good idea?
These days, two-factor authentication (2FA) has become the security standard for most websites and online services. Some countries have even passed laws requiring certain organizations to protect user accounts using 2FA. However, the popularity of this measure has led to the development of many methods of hacking or circumventing it, constantly evolving and adapting to modern realities.
According to new data, attackers are increasingly using so-called OTP bots to steal 2FA codes. These simple programs pose a serious threat to both users and online services.
An OTP bot is software designed to intercept one-time passwords using social engineering. The functionality of bots ranges from simple scripts for specific organizations to highly customizable configurations with a wide range of scripts in different languages and with different voices.
A typical fraud scheme using an OTP bot involves the following steps: the attacker obtains the victim's credentials and tries to log in to their account; the victim receives a one-time password on their phone; the OTP bot calls the victim and, following a pre-prepared script, convinces them to share the code. The victim enters the verification code without hanging up, and the attacker receives it through a control panel or Telegram bot and uses it to log in to the account.
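As an added illustration (not code from the original post or from any product it mentions) of what the online service side can do about the relay described above, the block below is a minimal OTP verifier that keeps each code short-lived, single-use and attempt-limited. The policy values, the in-memory store and the session-id keying are assumptions for the example. These controls shrink the window in which a code read out to a caller is still valid and stop guessing, and a replayed or expired code is a signal worth alerting on; they cannot stop a victim from handing over a live code within that window, which is why the advice later in the post not to share codes over the phone still matters.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Policy values are assumptions for this example, not figures from the post.
OTP_TTL_SECONDS = 60   # a relayed code stops working this many seconds after issue
MAX_ATTEMPTS = 3       # wrong guesses allowed before the pending code is locked


@dataclass
class OtpRecord:
    code_hash: bytes   # keyed hash of the code; the plain code is never stored
    issued_at: float
    attempts: int = 0
    used: bool = False


class OtpService:
    """Server-side OTP lifecycle: short-lived, single-use, attempt-limited."""

    def __init__(self, clock=time.time):
        self._clock = clock                       # injectable so expiry can be tested offline
        self._records: dict[str, OtpRecord] = {}  # pending codes keyed by login session id
        self._key = secrets.token_bytes(32)       # per-process key for the stored HMAC

    def _hash(self, code: str) -> bytes:
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self, session_id: str) -> str:
        """Create a fresh 6-digit code for this login session, replacing any pending one."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._records[session_id] = OtpRecord(self._hash(code), self._clock())
        return code   # in a real service this is delivered to the user's phone only

    def verify(self, session_id: str, code: str) -> str:
        """Check a submitted code; every outcome is a distinct string for logging and alerting."""
        rec = self._records.get(session_id)
        if rec is None:
            return "no_pending_code"
        if rec.used:
            return "already_used"              # a replayed code is a strong fraud signal
        if self._clock() - rec.issued_at > OTP_TTL_SECONDS:
            del self._records[session_id]
            return "expired"
        if rec.attempts >= MAX_ATTEMPTS:
            return "locked"                    # force a new code rather than allow more guesses
        rec.attempts += 1
        if hmac.compare_digest(rec.code_hash, self._hash(code)):
            rec.used = True
            return "ok"
        return "wrong_code"


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("session-A")
    print("first use:", svc.verify("session-A", code))   # ok
    print("replay:", svc.verify("session-A", code))      # already_used
```

The clock is injected so that expiry can be exercised in a test without sleeping; in a deployed service the record store would be shared across instances and the non-"ok" outcomes would feed the fraud-detection pipeline.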
Bot developers try to make them as attractive as possible for intruders. For example, one OTP bot offers more than a dozen features, including round-the-clock technical support, scripts in various languages, the ability to choose a female or male voice, and caller number substitution.
To be more convincing, some OTP bots can display the official phone number of the organization they claim to be calling from on the victim's phone screen. Bots can also detect when a call has been forwarded to voicemail and hang up. Bot developers compete to pack in as many features as possible at an attractive price: a subscription can cost up to $420 per week.
In addition to OTP bots, fraudsters also use multi-purpose phishing kits to intercept one-time passwords in real time. These kits mimic the websites of banks, payment systems, online stores, cloud services, delivery services, crypto exchanges, and email services, requesting victims' personal data, including usernames, passwords, 2FA codes, bank card numbers, CVV codes, and even dates of birth.
In a multi-stage phishing attack, the victim first enters their credentials on a fake site; then, when a one-time password is required for additional verification, a form for entering that code appears on the same fake site. After capturing the OTP, attackers can request even more confidential information from the victim under the pretext of confirming their personal data.
Some bots let the operator send the victim a text message in advance warning of an upcoming call from a company employee. This is a psychological trick designed to gain the person's trust: first a promise, then its fulfillment. An alarming message can also leave the victim anxiously waiting for the call.
Kaspersky Lab statistics show that in May 2024 its tools prevented 69,984 attempts to visit sites created using phishing kits aimed at banks. The same tools also detected 1,262 phishing pages generated by 10 multi-purpose OTP interception kits.
Phishing page activity peaked in the first week of May and coincided with a surge in activity from one of these kits. Experts note that scammers can obtain the victims' initial data, such as usernames, passwords, and phone numbers, from leaks on the Internet, on the dark market, or through phishing sites.
To protect your accounts from scammers, experts recommend:
- Don't open suspicious links directly: enter website addresses manually or use bookmarks;
- Verify that the site address is correct before entering your credentials and use Whois to verify the registration date;
- Do not use or enter one-time passwords during phone calls;
- Use reliable antivirus solutions that block phishing pages.
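The first two recommendations can be turned into mechanical checks. The block below is an added example, not code from the original post, showing both: it parses the creation date out of a WHOIS response and flags domains registered only recently, and it compares a URL's host exactly against a bookmarked host so that a lookalike with extra labels does not pass. The WHOIS texts, the reference date and the 180-day threshold are constructed for the example; a real check would feed in the output of an actual WHOIS query.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed WHOIS responses for the example (not output of a real lookup).
WHOIS_LOOKALIKE = """\
Domain Name: EXAMPLE-BANK-SECURE-LOGIN.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2024-05-01T08:12:33Z
Updated Date: 2024-05-01T08:12:33Z
"""

WHOIS_ESTABLISHED = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 1995-08-14T04:00:00Z
Updated Date: 2023-08-14T07:01:31Z
"""

# Constructed reference date so the age calculation is reproducible offline.
REFERENCE_NOW = datetime(2024, 5, 20, tzinfo=timezone.utc)

# Matches the creation line in two common layouts ("Creation Date:" and "created:").
CREATION_RE = re.compile(r"^(?:Creation Date|created):\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_creation_date(whois_text: str):
    """Return the registration timestamp as an aware UTC datetime, or None if absent or unparseable."""
    m = CREATION_RE.search(whois_text)
    if not m:
        return None
    raw = m.group(1)
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def domain_age_days(whois_text: str, now: datetime):
    """Whole days since registration, or None when no creation date could be read."""
    created = parse_creation_date(whois_text)
    return None if created is None else (now - created).days


def assess_domain(whois_text: str, now: datetime, min_age_days: int = 180) -> str:
    """Classify a domain by registration age; the 180-day threshold is an assumed policy value."""
    age = domain_age_days(whois_text, now)
    if age is None:
        return "unknown_creation_date"   # treat as suspicious: do not enter credentials
    return "recently_registered" if age < min_age_days else "established"


def host_matches_bookmark(url: str, bookmarked_host: str) -> bool:
    """True only when the URL's host is exactly the bookmarked host (case-insensitive).
    A host with extra labels appended is a different host and must fail."""
    host = urlparse(url).hostname
    return host is not None and host.lower() == bookmarked_host.lower()


if __name__ == "__main__":
    print(assess_domain(WHOIS_LOOKALIKE, REFERENCE_NOW))     # recently_registered
    print(assess_domain(WHOIS_ESTABLISHED, REFERENCE_NOW))   # established
    print(host_matches_bookmark("https://bank.example.com/login", "bank.example.com"))             # True
    print(host_matches_bookmark("https://bank.example.com.evil.example/login", "bank.example.com"))  # False
```

A missing or unparseable creation date is deliberately reported as its own outcome rather than silently treated as old, since a record that cannot be read should not earn a domain any trust.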
Representatives of the cybersecurity industry urge users to be vigilant and follow the basic rules of digital hygiene, so as not to become victims of fraudsters using OTP bots and phishing kits to steal personal data and bypass two-factor authentication.