When two-factor authentication is useless

Anonymous

Two-factor authentication (2FA) with the use of one-time passwords (OTPs) is now often seen as a cure-all against phishing, social engineering, account theft, and other cyber-maladies. By requesting an OTP at login, the service in question provides an additional protective layer of user verification. The code can be generated in a special app directly on the user’s device, although, sadly, few people bother to install and configure an authenticator app. Therefore, sites usually send a verification code in the form of a text, email, push notification, IM message, or even voice call.

Valid for a limited time, this code enhances security significantly. But a magic bullet it ain’t: even with 2FA, personal accounts remain vulnerable to OTP bots — automated software that tricks users into revealing their OTPs through social engineering.

To find out what role these bots play in phishing and how they work, read on…

How OTP bots work

Controlled either through a control panel in a web browser or through Telegram, these bots impersonate legitimate organizations such as banks to trick the victim into disclosing a sent OTP. Here’s how it unfolds:

  1. Having obtained the victim’s login credentials — including password (see below for how this is done) — the scammer logs into the victim’s account and is asked to enter an OTP.
  2. The victim receives the OTP on their phone.
  3. The OTP bot calls the victim and, using a pre-recorded social engineering script, asks them to enter the received code.
  4. The unsuspecting victim keys in the code right there on their phone during the call.
  5. The code is relayed to the attacker’s Telegram bot.
  6. The scammer gains access to the victim’s account.

The key function of the OTP bot is to call the victim, and the success of the scam hinges on how persuasive the bot is: OTPs have a short lifespan, so the chances of obtaining a valid code during a phone call are much higher than by any other means. That’s why OTP bots offer numerous options for fine-tuning the call parameters.

List of OTP bot features

This OTP bot boasts over a dozen features: ready-made and customized scripts in multiple languages, 12 operation modes, and even 24/7 tech support

OTP bots are a business, so to get started, scammers buy a subscription in crypto costing the equivalent of up to $420 per week. They then feed the bot with the victim’s name, number, and banking details, and select the organization they want to impersonate.

Telegram bot menu for capturing OTPs

The user-friendly bot menu is accessible even to scammers with no programming skills

For plausibility, the scammers can activate the spoofing function by specifying the phone number that the call appears to come from, which is displayed on the victim’s phone. They can also customize the language, and even the voice of the bot. All voices are AI-generated, so, for example, the OTP bot can “speak” English with an Indian accent, or Castilian Spanish. If a call gets forwarded to voicemail, the bot knows to hang up. And to make sure everything is configured correctly, the fraudsters can check the OTP bot settings by making a call to their own test number before commencing an attack.

The victim needs to believe that the call is legitimate, so, before dialing the number, some OTP bots can send a text message warning about the upcoming call. This lulls the target’s vigilance since at first glance there’s nothing suspicious: you get a text notification from the “bank” about an upcoming call, and a few minutes later they do call — so it can’t possibly be a scam. But it is.

During a call, some bots may request not only an OTP, but other data as well, such as bank card number and expiry date, security code or PIN, date of birth, document details, and so on.

For a deeper dive into the inner workings of OTP bots, check out our report on Securelist.

Not by bot alone

While OTP bots are effective tools for bypassing 2FA, they’re utterly useless without the victim’s personal data. To gain account access, attackers need at least the victim’s login, phone number and password. But the more information they have on the target (full name, date of birth, address, email, bank card details), the better (for them). This data can be obtained in several ways:

  • On the dark web. Hackers regularly put up databases for sale on the dark web, allowing scammers to buy login credentials — including passwords, bank card numbers, and other data. They may not be very fresh, but most users, alas, don’t change their passwords for years, and other details stay relevant for even longer. Incidentally, Kaspersky Premium promptly notifies you of any data breaches involving your phone number or email address, while Kaspersky Password Manager reports password compromise incidents.
  • From open-source intelligence. Sometimes databases get leaked to the public on the “normal” web, but due to media coverage they quickly grow outdated. For example, the standard practice of a company on discovering a customer data breach is to reset the passwords for all leaked accounts and prompt users to create a new password at the next login.
  • Through a phishing attack. This method has an undeniable advantage over others — the victim’s data is guaranteed to be up-to-date because phishing can take place in real time.

Phishing kits (phishkits) are tools that allow scammers to automatically create convincing fake websites to harvest personal data. They save time and let cybercriminals collect all the user information they need in a single attack (in which case OTP bots are just one part of a phishing attack).

For example, a multi-stage phishing attack might go like this: the victim receives a message supposedly from a bank, store, or other organization, urging them to update their personal account data. Attached to this message is a phishing link. The expectation is that upon landing on a site that’s almost identical to the original, the victim will enter — and the phishers will steal — their login credentials. And the attackers will use these straight away to log in to the victim’s real account.

If the account is 2FA-protected, the scammers issue a command to the phishing kit control panel to display an OTP entry page on the phishing site. When the victim enters the code, the phishers get full access to the real account, allowing them, for example, to drain bank accounts.

But it doesn’t end there. Scammers take the opportunity to extract as much personal information as possible, pressuring the user to “confirm their credentials” as a mandatory requirement. Through the control panel, the attackers can request email address, bank card number, and other sensitive data in real time. This information can be used to attack other accounts of the victim. For example, they could attempt to access the victim’s mailbox with the phished password — after all, people often reuse the same password for many if not all their accounts! Once they get access to email, the attackers can really go to town: for example, change the mailbox password and after a brief analysis of mailbox content request a password reset for all other accounts linked to this address.

Options for requesting additional data in the phishing kit control panel

How to keep your accounts safe

  • Always use Kaspersky Premium to automatically scan for data leaks affecting your accounts that are linked to email addresses and phone numbers — both yours and your family’s. If a breach is detected, follow the app’s advice for mitigation (at the very least, change your password right away).
  • If you suddenly receive an OTP, be wary. Someone might be trying to hack you. For details on what to do in this case, see our instructions.
  • Create strong and unique passwords for all your accounts with Kaspersky Password Manager. Scammers can’t attack you with OTP bots unless they know your password, so generate complex passwords and store them securely.
  • If you receive a message with a link to enter personal data or an OTP, double-check the URL. A favorite trick of scammers is to direct you to a phishing site by substituting a couple of characters in the address bar. Always take a moment to verify that you’re on a legitimate site before entering any sensitive data. By the way, our protection blocks all phishing redirection attempts.
  • Never share your OTPs with anyone or enter them on your phone keypad during a call. Remember that legitimate employees of banks, stores, or services, or even law enforcement officers will never ask for your OTP.
  • Stay ahead of the game. Subscribe to our blog to make your life in cyberspace more secure.
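
The URL check recommended above can be automated on the defender's side, for example in a mail filter or a browser helper. The following is an added example, not code from the original article: it flags hosts that differ from a trusted name by a couple of characters and, going slightly beyond the text, hosts that embed a trusted name as a subdomain of another domain. The allowlist, function names and threshold are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist using reserved example domains (assumption, not real services).
TRUSTED_HOSTS = {"bank.example.com", "shop.example.org"}


def edit_distance(a, b):
    """Levenshtein distance computed with two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_url(url, trusted=TRUSTED_HOSTS, max_distance=2):
    """Return (verdict, trusted_host_or_None).

    verdict is 'trusted', 'lookalike' or 'unknown'. Only the host is
    compared; the path and query never make a URL trusted.
    """
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:          # malformed netloc
        return ("unknown", None)
    if not host:
        return ("unknown", None)
    if host in trusted:
        return ("trusted", host)
    for good in sorted(trusted):
        # A couple of substituted, added or dropped characters,
        # including a single homoglyph such as Cyrillic 'а' for Latin 'a'.
        if edit_distance(host, good) <= max_distance:
            return ("lookalike", good)
        # Trusted name used as a subdomain label of some other domain.
        if host.startswith(good + "."):
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    for u in ("https://bank.example.com/login",
              "https://bamk.example.com/login",
              "https://bank.example.com.verify-login.example.net/otp"):
        print(u, "->", classify_url(u))
```

An 'unknown' verdict only means the host resembles nothing on the allowlist; it is not evidence that the site is safe.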