The automated bots are highly successful because they effectively emulate legitimate service providers. Credit: Magdalena Petrova

Two-factor authentication (2FA) has been widely adopted by online services over the past several years, and turning it on is probably the best thing users can do for their online account security. Faced with this additional hurdle that prevents them from exploiting stolen passwords, cybercriminals have had to adapt, too, and come up with innovative ways to extract one-time use authentication codes from users.

According to a new report from cybercrime intelligence firm Intel 471, the latest development in 2FA bypassing involves the use of robocalls with interactive messages that are meant to trick users into handing over their one-time passwords (OTPs) in real time, while attackers are trying to access their accounts. All of this is automated and controlled by using Telegram-based bots, much like teams in organizations use Slack bots to automate workflows.

“All the services Intel 471 has observed, which have only been in operation since June, either operate via a Telegram bot or provide support for customers via a Telegram channel,” the researchers said. “In these support channels, users often share their success while using the bot, often walking away with thousands of dollars from victim accounts.”

Social engineering automated by bots

At their core these are social engineering attacks with a high level of automation. In the past an attacker would manually call a victim to get their information, or call the customer support line of a bank or service provider to gain unauthorized access to an account; this has now transitioned to scripted calls performed by bots based on commands given in a Telegram chat. The services seen by Intel 471 have predefined “modes” or scripts to impersonate various well-known banks, as well as online payment services like Google Pay, Apple Pay and PayPal, and mobile carriers.

Since they began looking into this, the researchers have seen one service called SMS Buster, which can make calls in both English and French, being used to illegally access accounts at eight different Canada-based banks. Another service called SMSRanger claims a success rate of around 80% if the victim answers the call and the attacker has supplied the bot with accurate and updated personal information about the victim. Also known as “fullz” in cybercrime circles, these data sets can be acquired from various forums and underground markets.

Bots effectively emulate victims’ service providers

The high success rate is somewhat surprising. Normally, with 2FA or OTP schemes used for account authentication or transaction authorization in the banking space, the user might be contacted by an automated service via a phone call to be given their unique one-time use code. However, these cybercrime services do it in reverse: they contact the victims and ask them to input the OTPs they just received through SMS or some other means from their legitimate service provider.

This should be an unusual request and process for most users, and it should raise red flags. However, these bots do a good job of masquerading as the victim’s service provider. Most have phone number spoofing capabilities, and the attacker can specify the phone number he wants the bot to use when calling the victim. This will usually be a number associated with the victim’s bank or carrier. If the victims’ phones display a caller ID that the victims trust and recognize, they’re more likely to comply with the request. In addition, the robot will have personal information about them that the attacker loaded, adding another layer of credibility.

In addition to robocalling, some of these services can also automate attacks via email or SMS and offer phishing panels that target social media accounts like Facebook, Instagram and Snapchat; financial services like PayPal and Venmo; or investment apps like Robinhood or Coinbase. Cybercriminals pay monthly fees that range from tens to hundreds of dollars to use the bots, which is a small price considering that every successful attack can result in the theft of thousands of dollars.

Robust 2FA forms offer more protection

“Overall, the bots show that some forms of two-factor authentication can have their own security risks,” the Intel 471 researchers said. “While SMS- and phone-call-based OTP services are better than nothing, criminals have found ways to socially engineer their way around the safeguards. More robust forms of 2FA—including Time-Based One Time Password (TOTP) codes from authentication apps, push-notification-based codes, or a FIDO security key—provide a greater degree of security than SMS or phone-call-based options.”

Users should be wary of any phone call in which the caller, whether a robot or a human, asks them for personal, financial or authentication information. With 2FA being widely deployed for SaaS and other accounts that companies provide to employees, these services represent a risk for organizations as well, not just consumers.