Two-factor authentication is intended to add extra security layers to protect user accounts even if their passwords are compromised. However, fraudsters have developed a way to trick users, so they can bypass 2FA protection. — Photo courtesy of thanhtra.com.vn
Kaspersky has uncovered sophisticated phishing techniques used by cybercriminals to bypass two-factor authentication (2FA), a crucial security measure designed to protect online accounts.
2FA has become a standard practice in online security, requiring users to verify their identity using a second form of authentication, usually a one-time password (OTP) sent via text message, email or an authentication app.
This extra layer of security is intended to protect users’ accounts even if their passwords are compromised. However, scammers have developed ways to trick users into revealing these OTPs, allowing them to bypass 2FA protections.
An OTP bot is a tool used by scammers to intercept OTPs through social engineering techniques. Attackers usually attempt to obtain the victim’s login credentials through phishing or data leaks, then log in to the victim’s account, triggering an OTP to be sent to the victim’s phone. After that, the OTP bot calls the victim, pretending to be a representative from a trusted organisation, and uses a pre-scripted dialogue to persuade the victim to share the OTP.
Finally, the attacker receives the OTP through the bot and uses it to gain access to the victim’s account.
Scammers prefer phone calls over messages because calls increase the chances of the victim responding quickly. The bot can mimic the tone and urgency of a legitimate call, making it more convincing.
Scammers manage OTP bots through special online panels or messaging platforms such as Telegram. The bots come with various features and subscription plans.
They can be customised to impersonate different organisations, use multiple languages and even choose between male and female voices.
Advanced options include phone number spoofing, which makes the caller ID appear as if it is coming from a legitimate organisation.
Before using an OTP bot, scammers need to steal the victim’s credentials. They often use phishing websites that look like legitimate login pages of banks, email services or other online accounts.
When the victim enters their username and password, the scammers capture this information in real time.
Kaspersky’s research shows the significant impact of these phishing and OTP bot attacks.
From March 1 to May 31 this year, the company’s products prevented 653,088 attempts to visit sites generated by phishing kits targeting the banking sector, whose data is often used in attacks with OTP bots.
They also detected 4,721 phishing pages generated by the kits that are aimed at bypassing 2FA in real-time.
Olga Svistunova, a security expert at Kaspersky, said: “Social engineering can be incredibly tricky, especially with the use of OTP bots that can mimic real calls from representatives of legitimate services.
“To stay on guard, it is crucial to remain vigilant and follow best security practices.”
To protect themselves from these sophisticated scams, Kaspersky recommends that users avoid opening links they receive in suspicious email messages, make sure the website address is correct and contains no typos before entering their credentials there, and never say or key in the one-time code while they are on the phone, no matter how convincing the caller sounds.
Real banks and other companies never use this method to verify the identity of their clients. — VNS