Posted in Privacy and Security on June 10, 2022

Cybercriminals use automated bot to bypass 2FA authentication at wide scale

Posted By Matthew.England

Cybercriminals are bypassing two-factor authentication with fraudulent online bot services that automate phone calls to victims in multiple countries. Read on to learn how to protect yourself from this threat.

Single-factor authentication should not be used anymore

Single-factor authentication has been the standard on Internet-facing services for many years, but it clearly lacks security. Should an attacker obtain the credentials needed to access such a service, say an email account, they will be able to read all of its data if no additional protection exists after the log-in step. The Cybersecurity and Infrastructure Security Agency added single-factor authentication to its list of bad practices in August 2021.

The most common way to add security is a second layer of authentication (two-factor authentication, or 2FA), generally a one-time password (OTP) received on a smartphone via SMS or generated by an authenticator application such as Google Authenticator or Duo Security.

2FA can still be bypassed

While 2FA drastically increases the security of Internet services, it can still be bypassed in several ways. One is to compromise the victim's phone in order to steal the 2FA code and use it to log in to a 2FA-protected service; the Escobar malware is one example.

Another method uses social engineering to get the user to hand the 2FA code to the attacker. In that case, the attacker generally pretends to be someone with a legitimate interest in the account, such as a bank employee or a member of the IT security staff. Once the attacker has the 2FA code, they can quietly log in with it alongside the credentials they already hold, impersonating the user.

This method is tricky for some cybercriminals, for several reasons. First, they need a safe way to place the phone call so that an investigation would not lead straight back to them. Second, they need to interact personally with the target on the phone; some threat actors might not be good at playing a role on the phone, or might not even speak the same language as their target. This is where technologies like interactive voice response (IVR) systems come in handy, sparing the cybercriminal from having to speak to the targeted person at all.

Bot technique for intercepting OTP codes

Cyble has exposed several bots used by cybercriminals to bypass 2FA by intercepting their targets' one-time passwords. Across all of these systems, the technique is the same once the cybercriminal has registered and paid for the fraudulent service (Figure A).

Figure A (Image: Cyble): Bot-based spoofing attack cycle.

First, the attacker goes to the Internet-facing service they want to access and enters the victim's credentials, obtained previously. At the same time, the attacker selects the mode matching the targeted system in the bot and enters the victim's mobile number and the bank or service name. The bot then calls the victim, impersonating the bank or service through IVR, and asks for the one-time password. Once the victim gives the code to the bot, the attacker receives it and can illegally access the compromised account.
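From the service's side, the attack cycle above leaves a visible trace: a correct password from a device the account has never completed 2FA on, followed within minutes by a successful OTP (the time the bot needs to phone the victim and relay the code). The following detection logic over constructed authentication log lines is an added example, not code from the article or from Cyble; the log format, field names and the `window_s` threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data): timestamp|event|user|device_id
# alice's second login comes from a never-seen device, as in the bot flow.
SAMPLE_LOG = """\
2022-06-01T09:00:00|password_ok|alice|dev-A1
2022-06-01T09:00:02|otp_sent|alice|dev-A1
2022-06-01T09:00:20|otp_ok|alice|dev-A1
2022-06-02T14:10:00|password_ok|alice|dev-Z9
2022-06-02T14:10:01|otp_sent|alice|dev-Z9
2022-06-02T14:12:30|otp_ok|alice|dev-Z9
2022-06-02T15:00:00|password_ok|bob|dev-B7
2022-06-02T15:00:01|otp_sent|bob|dev-B7
2022-06-02T15:00:15|otp_ok|bob|dev-B7
"""


def parse(log):
    """Yield (timestamp, event, user, device) tuples from the assumed log format."""
    for line in log.splitlines():
        ts, event, user, device = line.split("|")
        yield datetime.fromisoformat(ts), event, user, device


def flag_otp_relay(log, window_s=600):
    """Return (user, device, otp_delay_seconds) for every OTP success on a
    device that had never completed 2FA for that user before, when the OTP
    was accepted within window_s of being sent. Accounts with no prior
    history are skipped: a first-ever device cannot be judged unknown."""
    known = defaultdict(set)   # user -> devices that completed 2FA before
    pending = {}               # (user, device) -> time the OTP was sent
    flagged = []
    for ts, event, user, device in parse(log):
        if event == "otp_sent":
            pending[(user, device)] = ts
        elif event == "otp_ok":
            sent = pending.pop((user, device), None)
            if sent is None:
                continue
            delay = (ts - sent).total_seconds()
            if known[user] and device not in known[user] and delay <= window_s:
                flagged.append((user, device, delay))
            known[user].add(device)
    return flagged


if __name__ == "__main__":
    for user, device, delay in flag_otp_relay(SAMPLE_LOG):
        print(f"review: {user} passed OTP from unknown device {device} after {delay:.0f}s")
```

A hit is a reason to step up verification or to send the user an out-of-band notice that the service never asks for the code by phone, not proof of fraud on its own.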

Different bot services available

SMSranger is a Telegram-based bot. It appears very popular among cybercriminals and, according to Cyble, provides services in the United Kingdom, France, Spain, Germany, Italy and Colombia. A subscription costs $399 per month or $2,800 for lifetime use.

“SMSranger bot featured modes specifically targeting retail banking, PayPal, Apple Pay, email users, mobile carrier consumers and customer services,” Cyble said. “The customer services mode allegedly allowed fraudsters to connect to a victim via Peer-to-Peer encrypted voice call, provided options to hold the call with music in the background and send messages during the call.”

OTP BOSS is another such fraudulent service, costing $1,200 per month. It can target people in the United States, Canada, the United Kingdom, France, Spain, Germany, Italy and Colombia, and more recently added Australia, Singapore, Malaysia and Belgium (Figure B).

Figure B (Image: Cyble): On the left, service conditions; middle and right, the bot capturing OTP codes.

According to the research, the threat actors operating the OTP BOSS bot are themselves also heavily involved in monetizing counterfeit bank checks, compromised accounts and payment cards.

PizzaOTP is yet another service, at $350 per month, targeting users in the United States, India, Canada, the United Kingdom, Australia, Germany, France, Italy, Brazil, Spain, Portugal, Israel, Austria, Switzerland and Pakistan.

Several other services exist or have existed, but many were shut down suddenly in 2021, likely due to law enforcement operations. Similar services also exist on Discord, and possibly on other instant messaging platforms.

How to protect yourself from this threat

This threat is only effective if the attacker already holds the first authentication factor, which most of the time means valid credentials such as a username and password.

Since the attacker may already have obtained those credentials, never share any sensitive information on an incoming IVR call that you did not initiate yourself. Should such a call arrive, it may mean the first factor is already in the attacker's hands, so it is strongly advised to change the password immediately.

It is also advised to raise awareness of this fraud, in particular by making all users aware that no bank or other online service will ever ask for a user's OTP.

Finally, keep all software and operating systems up to date to avoid an initial compromise of credentials by attackers exploiting a common vulnerability.

Source: https://www.techrepublic.com/article/cybercriminals-automated-bot-bypass-2fa/
Credits: Cedric Pernet of Trend Micro
Cover photo: buravleva_stock/Adobe Stock
