{"id":19428,"date":"2021-09-30T21:21:17","date_gmt":"2021-09-30T21:21:17","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=19428"},"modified":"2021-09-30T21:21:17","modified_gmt":"2021-09-30T21:21:17","slug":"attackers-use-bots-to-circumvent-one-time-passwords","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/threats\/attackers-use-bots-to-circumvent-one-time-passwords\/","title":{"rendered":"Attackers Use Bots to Circumvent Some Two-Factor Authentication Systems"},"content":{"rendered":"

Underground services are cropping up that are designed to enable bad actors to intercept one-time passwords (OTPs), which are widely used in two-factor authentication<\/a> programs whose purpose is to better protect customers\u2019 online accounts.<\/p>\n

By using the services, cybercriminals can gain access to victims\u2019 accounts to steal money. Security expert Chris Krebs wrote in a blog post<\/a> this week that he discovered such a service \u2013 called OPT Agency \u2013 earlier this year, noting that the service was shut down soon after his report was published.<\/p>\n

However, researchers at threat intelligence firm Intel 471 in a report<\/a> this week said they have seen a rise in these services, enabling attackers to target everything from bank accounts to social media platforms. The services have been operational since June and either operate through a bot on the cloud-based instant messaging system Telegram or by providing support to bad actors via a Telegram channel.<\/p>\n

\u201cOver the past few months, we\u2019ve seen actors provide access to services that call victims, appear as a legitimate call from a specific bank and deceive victims into typing an OTP or other verification code into a mobile phone in order to capture and deliver the codes to the operator,\u201d the Intel 471 researchers wrote. \u201cSome services also target other popular social media platforms or financial services, providing email phishing<\/a> and SIM swapping capabilities.\u201d<\/p>\n

OTP Interception Services Emerge<\/h2>\n

They added that in the Telegram support channels, bad actors using the services \u201coften share their success while using the bot, often walking away with thousands of dollars from victim accounts.\u201d<\/p>\n

A wide range of websites are requiring users to not only type in a password<\/a> to get onto the site, but also to type in a numeric code or OTP token that is sent via a text message. In addition, Google (with Google Authenticator) and Authy offer mobile apps that generate such numbers and are used by the website and user.<\/p>\n

The goal is to strengthen the security of the websites and their customer accounts by adding another layer of protection by requiring the code or OTP token.<\/p>\n

However, Intel 471 researchers found that a number of new OTP interception services have emerged over the last few months, with slight differences in the way they work but all with a common endgame. They\u2019re also part of a larger trend toward offering services \u2013 such as ransomware-as-a-service<\/a> (RaaS) \u2013 that make it easier for even low-skilled cybercriminals to launch attacks.<\/p>\n

\u201cThe ease by which attackers can use these bots cannot be understated,\u201d they wrote. \u201cWhile there\u2019s some programming ability needed to create the bots, a bot user only needs to spend money to access the bot, obtain a phone number for a target, and then click a few buttons.\u201d<\/p>\n

Stealing Credentials<\/h2>\n

Despite the relative newness of the services, the news of their rise didn\u2019t surprise Brian Uffelman, vice president and security evangelist at cybersecurity firm PerimeterX.<\/p>\n

“Cybercriminals are finding every means possible to leverage weaknesses in human behavior for financial gain,\u201d Uffelman told eSecurity Planet<\/em>. \u201cStolen credentials, like OTPs, can be used for credential stuffing and ATO [account takeover] attacks, which can steal value, whether that is in the form of gift cards, credit card numbers, loyalty points or false purchases. ATO attacks are a major threat to any business and all of this just creates more fuel to feed the ATO attack fire. It is much simpler and lucrative to walk in through the front door of a digital business with valid, stolen credentials than to look for holes in an organization\u2019s cybersecurity defenses.\u201d<\/p>\n

How OTP Bots Work<\/h2>\n

Intel 471 researchers said one bot, called SMSRanger, is easy for bad actors to use. They pay for access to the bot and can use it by entering commands similar to those used on Slack\u2019s workforce collaboration tool. Users can enter a simple slash command to enable different scripts aimed at services \u2013 called \u201cmodes\u201d \u2013 that can target specific bands, a wireless carrier and payment apps like PayPal, Apple Pay and Google Pay.<\/p>\n

\u201cOnce a target\u2019s phone number has been entered, the bot does the rest of the work, ultimately granting access to whatever account has been targeted,\u201d the researchers wrote. \u201cUsers claim that SMSRanger has an efficacy rate of about 80% if the victim answered the call and the full information (fullz) the user provided was accurate and updated.\u201d<\/p>\n

\"OTP<\/p>\n

BloodOTPbot, another bot, includes the ability to send victims a fake OTP code through SMS. To do this, an attacker needs to spoof the victim\u2019s phone number and impersonate a bank or company representative and then the bot would try to call the victim, using social engineering techniques to get ahold of a verification code.<\/p>\n

\u201cThe [bot\u2019s] operator would receive a notification from the bot during the call specifying when to request the OTP during the authentication process,\u201d they wrote. \u201cThe bot would text the code to the operator once the victim received the OTP and entered it on the phone\u2019s keyboard.\u201d<\/p>\n

Attackers using the bot need to pay a $300 monthly fee to obtain the authentication code required to operate the bot. At the same time, they also could pay another $20 to $100 for live phishing panels that target accounts on social media networks like Facebook, Instagram and Snapchat, as well as financial services like PayPal and Venmo, investment app Robinhood and the Coinbase cryptocurrency marketplace.<\/p>\n

A third bot, dubbed SMS Buster, is more difficult for bad actors to use. Users are given options for disguising a call so it appears to be a real contact from a specific bank even as attackers dial from any phone number. The caller then follows a script to get the victim to provide sensitive information, like an ATM PIN, OTP and a card verification value (CVV). That can then be sent to a person’s Telegram account.<\/p>\n

SMS Buster has been used against Canadian victims, giving bad actors the ability to launch an attack in English or French. So far, Intel 471 researchers found accounts illegally accessed at eight Canadian-based banks.<\/p>\n

Phishing, Social Engineering are Still Problems<\/h2>\n

The methods of attack may be relatively new, but they rely on the time-tested practice of social engineering, according to Nicolas Malbranche, senior product manager at ID management company Axiad.<\/p>\n

“At the core of this issue is phishing<\/a>, showing yet again how phishing threats are on the rise,\u201d Malbranche told eSecurity Planet<\/em>. \u201cEven if your organization is up to date with the latest anti-malware software<\/a>, it\u2019s impossible to protect your employees from every potential business email compromise like this. That’s why it’s important to prioritize security training<\/a> for all your employees and teach them best practices on how to spot and report phishing. Without employee education, issues like this will continue to impact businesses.”<\/p>\n

The bot services also illustrate how some forms of two-factor authentication can still carry risks, the Intel 471 researchers wrote.<\/p>\n

\u201cWhile SMS- and phone-call-based OTP services are better than nothing, criminals have found ways to socially engineer their way around the safeguards,\u201d they wrote. \u201cMore robust forms of 2FA \u2014 including Time-Based One Time Password (TOTP) codes from authentication apps, push-notification-based codes or a FIDO security key \u2014 provide a greater degree of security than SMS or phone-call-based options.\u201d<\/p>\n

Further reading:<\/p>\n

Best Ransomware Removal Tools<\/a><\/p>\n

Best Antivirus Software<\/a><\/p>\n\n\n

\n \n\n \n\n
\n \n <\/path>\n <\/svg>\n <\/div>\n \n
\n
\n

\n Get the Free Cybersecurity Newsletter <\/h3>\n \n \n

\n Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday <\/p>\n <\/div>\n\n

\n
\n \n Email Address\n <\/label>\n \n <\/div>\n\n
\n
\n \n \n By signing up to receive our newsletter, you agree to our Terms of Use and Privacy Policy. You can unsubscribe at any time. <\/label>\n <\/div>\n <\/div>\n \n