Hackers have found the trick to bypass two-factor authentication

In recent years, two-factor authentication has become widely used on online platforms. This security mechanism consists of adding a second authentication factor to access your accounts. In addition to the traditional password, you will need to provide a code delivered by SMS, by email or through an application such as Google Authenticator. The mechanism protects your account even if your password has been compromised.

This additional layer of protection has been adopted by many Internet users. A 2021 Cisco study indicates that nearly 80% of users rely on two-factor authentication to protect themselves from cyberattacks. Unsurprisingly, two-factor authentication is most often enabled for the accounts deemed most sensitive, such as bank accounts. In 85% of cases, users choose to receive the code by SMS. For Cisco, two-factor authentication is an effective protection against “common threats”.


The starting point: compromised data

Unfortunately, cybercriminals have found a way to bypass two-factor authentication. As a Kaspersky investigation reveals, hackers have gradually refined phishing tactics to circumvent this “standard in online security”. In short, the scammers devised “methods to encourage users to reveal” the authentication code, usually delivered by SMS. With this code and credentials compromised beforehand, the hackers can access the account.

First, the attackers obtain your credentials. Hackers can draw on a database leaked on the Web; experts have noted an explosion in data leaks during the first months of the year. According to a study by Surfshark, the number of data breaches increased by 435% worldwide in the space of a single quarter.

They can also steal your information themselves through a phishing attack. With the data recovered, they attempt to log in to the targeted account, which triggers the sending of a security code by SMS. The user then receives, by text message, a code they never requested.

A convincing bot to trap users

To obtain this precious code, cybercriminals use an OTP bot (One-Time Password). The bot calls the victim on the telephone number that receives the login code. Again, the telephone number may have been obtained beforehand through a data leak. The bot pretends to be “a representative of a trusted organization”, explains Kaspersky. It follows a script written in advance to persuade the target to read out the security code received on their smartphone. Hackers have a wide range of scripts at their disposal, customized as needed.

“These are the calls that scammers rely on because verification codes are only good for a limited time. And a message can go unanswered for a while”, explains Kaspersky.

To lower victims’ guard, the bots can imitate the “tone and urgency of a legitimate call”, “impersonate different organizations, operate in multiple languages, and even choose between a male and female voice”. Unsurprisingly, all the voices are produced by generative artificial intelligence. Cybercriminals rely heavily on AI to improve their tactics.

Organizations the bot can impersonate include banks, payment systems, online stores, cloud services, delivery services, cryptocurrency exchanges and email services. Worse still, it can even spoof an organization’s phone number. Seeing an official number displayed on their smartphone, the user is likely to fall into the trap set by the cybercriminals. According to Kaspersky, the bot then transmits the code to the cybercriminal. With the credentials and the security code, the attacker is able to log in to the targeted account.
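From the service operator's side, the sequence described above leaves a recognisable trace: a login from a device the account has never completed a login from, followed by the SMS code being redeemed only after a delay long enough for a phone call to the victim. The following Python sketch is an added illustration, not code from the article or from Kaspersky, that flags that pattern in constructed authentication events; the log format, the session and device fields, and the 90-second threshold are all assumptions.

```python
import json
from datetime import datetime

# Constructed sample log (not real data): a normal login from a known device,
# then a login with leaked credentials from a new device whose SMS code is
# only redeemed minutes later, after the victim has been called for it.
SAMPLE_LOG = """
{"ts": "2024-05-01T09:00:00", "event": "password_ok", "user": "alice", "session": "s1", "device": "dev-A", "ip": "203.0.113.5"}
{"ts": "2024-05-01T09:00:01", "event": "otp_sent", "user": "alice", "session": "s1"}
{"ts": "2024-05-01T09:00:20", "event": "otp_verified", "user": "alice", "session": "s1"}
{"ts": "2024-05-02T21:13:00", "event": "password_ok", "user": "alice", "session": "s2", "device": "dev-Z", "ip": "198.51.100.77"}
{"ts": "2024-05-02T21:13:01", "event": "otp_sent", "user": "alice", "session": "s2"}
{"ts": "2024-05-02T21:16:40", "event": "otp_verified", "user": "alice", "session": "s2"}
"""

# Assumed threshold: a code typed by the real user on the same device arrives
# within seconds; a code relayed through a voice call takes far longer.
RELAY_DELAY_SECONDS = 90


def parse_log(text):
    """Parse one JSON event per line."""
    return [json.loads(line) for line in text.strip().splitlines()]


def find_suspected_otp_relays(events, relay_delay=RELAY_DELAY_SECONDS):
    """Return sessions where the code was redeemed from a device the user has
    never completed a login from, after a delay consistent with a phone relay."""
    known_devices = {}  # user -> devices with a prior clean, completed login
    sessions = {}       # session id -> details of the pending login
    suspects = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        if ev["event"] == "password_ok":
            sessions[sid] = {"user": ev["user"], "device": ev["device"], "ip": ev["ip"]}
        elif ev["event"] == "otp_sent":
            sessions[sid]["sent_at"] = datetime.fromisoformat(ev["ts"])
        elif ev["event"] == "otp_verified":
            s = sessions[sid]
            delay = (datetime.fromisoformat(ev["ts"]) - s["sent_at"]).total_seconds()
            new_device = s["device"] not in known_devices.get(s["user"], set())
            if new_device and delay > relay_delay:
                suspects.append({"session": sid, "user": s["user"], "device": s["device"],
                                 "ip": s["ip"], "delay_s": delay})
            else:
                known_devices.setdefault(s["user"], set()).add(s["device"])
    return suspects


if __name__ == "__main__":
    for hit in find_suspected_otp_relays(parse_log(SAMPLE_LOG)):
        print("possible OTP relay:", hit)
```

A hit is a signal to step up verification (for example, requiring an additional check before the session is trusted), not proof of compromise on its own.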

Many OTP bots can be found on online criminal markets or in Telegram channels frequented by hackers. Sold by subscription (starting at $140 per week), these services often come with “24/7 technical support”. Moreover, configuring the bot, which often runs through Telegram, is child’s play: there is no need to be a computer expert or to write any code to set it up.
