Fixxx
Moderator
Two-factor authentication (2FA) protects accounts from takeover well - until the user unwittingly hands a one-time password (OTP) to a fraudster. Today, two-factor authentication with one-time codes is often treated as a "cure-all": it is believed to protect against phishing and social engineering and to keep every account safe. The service requests the one-time code at the moment the user logs in, as an additional check that the account is being accessed by its rightful owner. The code can be generated by an authenticator app on the user's own device, but few people take the time to install and set one up, so services most commonly send verification codes via SMS, email, push notification, messaging apps or even voice calls. The code is short-lived and does significantly raise the bar. It is still a bearer secret, though: whoever types it into the pending login session is authenticated, and the service has no way to tell that the person typing is not the person holding the phone. That is why personal accounts remain vulnerable to OTP bots - automated software that talks the victim into revealing the one-time password through social engineering.
How OTP Bots Work
These bots are controlled either through a web browser control panel or via Telegram, and they trick victims into handing over one-time passwords, most often by simulating a call from the victim's bank that asks for the code. The scheme works as follows:
- Having obtained the victim's credentials, the fraudster logs into the victim's account and is prompted to enter the OTP code.
- The victim receives a message on their phone containing the one-time password.
- The OTP bot calls the victim and, following a pre-prepared script, instructs them to enter the code they have just received.
- The victim types the code on their phone's keypad during the call; the keypad tones are captured by the bot.
- The code is forwarded to the fraudster's Telegram bot or control panel.
- The fraudster enters it into their own pending session and gains access to the victim's account.
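The six steps above, played out against a toy account service, as an added example that is not code from the original post or from any real OTP bot. The service side is written the way a careful implementation would be (salted PBKDF2 password hash, hashed code with a TTL, attempt cap and single use) to make the point that none of those controls help once the victim reads the code out: the service only ever sees a challenge id and six digits from the session that requested them. The service, the user `alice`, her phone number, the TTL of 120 seconds and the attempt cap of 3 are all constructed for the example; the stolen password is assumed to have been bought or phished beforehand, as the text describes.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 120   # assumed service policy
MAX_ATTEMPTS = 3        # assumed service policy


@dataclass
class Challenge:
    username: str
    code_hash: bytes
    issued_at: float
    attempts: int = 0


class Service:
    """Toy password + SMS-code login. The clock is injectable so the TTL can be exercised."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}        # username -> (salt, password hash, phone)
        self.challenges = {}   # challenge id -> Challenge
        self.sms_outbox = []   # (phone, text); stands in for the SMS carrier

    @staticmethod
    def _pw_hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password, phone):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._pw_hash(salt, password), phone)

    def begin_login(self, username, password):
        """First factor. A correct password triggers the SMS to the registered phone,
        no matter who typed the password or from where."""
        rec = self.users.get(username)
        if rec is None:
            return None
        salt, pw_hash, phone = rec
        if not hmac.compare_digest(pw_hash, self._pw_hash(salt, password)):
            return None
        code = f"{secrets.randbelow(10 ** 6):06d}"
        cid = secrets.token_urlsafe(16)
        self.challenges[cid] = Challenge(
            username, hashlib.sha256(code.encode()).digest(), self.clock())
        self.sms_outbox.append((phone, f"Your login code is {code}. Do not share it."))
        return cid

    def complete_login(self, cid, code):
        """Second factor. Expired or over-tried challenges are discarded; a correct
        code is accepted once. The service cannot see who is on the phone."""
        ch = self.challenges.get(cid)
        if ch is None:
            return False
        if self.clock() - ch.issued_at > OTP_TTL_SECONDS or ch.attempts >= MAX_ATTEMPTS:
            del self.challenges[cid]
            return False
        ch.attempts += 1
        if hmac.compare_digest(ch.code_hash, hashlib.sha256(code.encode()).digest()):
            del self.challenges[cid]   # single use
            return True
        return False


def victim_keys_in_code(sms_text):
    """The scripted call: 'enter the code you just received'. The victim reads the SMS
    and presses the digits on the keypad; modelled here as extracting them from the text."""
    m = re.search(r"\b\d{6}\b", sms_text)
    return m.group(0) if m else ""


def simulate_otp_bot_attack():
    """Runs the relay end to end and reports what happened at each step."""
    svc = Service()
    svc.register("alice", "correct horse battery staple", "+15550100")   # constructed user
    # Step 1: the fraudster logs in with the stolen password from their own device.
    cid = svc.begin_login("alice", "correct horse battery staple")
    # Step 2: the code goes to alice's phone, not to the fraudster.
    phone, text = svc.sms_outbox[-1]
    # Steps 3-5: the bot calls alice, she keys the code in, it lands in the fraudster's panel.
    relayed = victim_keys_in_code(text)
    # Step 6: the fraudster finishes *their* session with alice's code.
    first = svc.complete_login(cid, relayed)
    # The code is single use, so a second submission fails; the damage is already done.
    replay = svc.complete_login(cid, relayed)
    return {
        "sms_went_to_victim": phone == "+15550100",
        "relay_succeeded": first,
        "replay_succeeded": replay,
    }


def simulate_slow_bot(delay_seconds):
    """Same attack, but the bot only reaches the victim after delay_seconds.
    The TTL is the one server-side control that bites, and only if the bot is slow."""
    now = [1_700_000_000.0]
    svc = Service(clock=lambda: now[0])
    svc.register("alice", "pw", "+15550100")
    cid = svc.begin_login("alice", "pw")
    code = victim_keys_in_code(svc.sms_outbox[-1][1])
    now[0] += delay_seconds
    return svc.complete_login(cid, code)
```

The thing to notice is that `begin_login` and `complete_login` are both called from the fraudster's session, so binding the code to the session, IP or device that requested it would not help: that session is the attacker's. The only party who can see something wrong is alice, who received a login code without having started a login.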
One OTP bot offers over a dozen features, including ready-made and customized scripts in various languages, twelve different operating modes and even 24/7 technical support. OTP bots are a business: to start using one, fraudsters purchase a subscription from the developers for up to $420 per week, paid in cryptocurrency. They then enter the victim's name, phone number and banking details and select the name of the organization the call will appear to come from.
The bot's management menu is user-friendly and requires no programming knowledge. To add credibility, the fraudster can enable a spoofing feature and specify the outgoing number that will appear on the victim's phone. The fraudster can also choose the language of the conversation and even the bot's voice. All voices are generated with artificial intelligence, so the OTP bot can speak English with an Indian accent or, for example, in a Castilian Spanish dialect. If the call is redirected to voicemail, the bot can hang up. To make sure everything is set up correctly, the fraudster can first test the OTP bot by calling their own test number before targeting the victim. Cybercriminals need the victim to believe the call is legitimate, so some OTP bots can send the victim an SMS before dialing, warning them of an upcoming call. This lowers the victim's guard, because at first glance nothing looks wrong: an SMS "from the bank" announces a call, and a few minutes later the call actually comes in - so it must be genuine. It is not. Some bots can request not only one-time passwords during the call but also other sensitive information, such as the card number and expiration date, PIN, date of birth and identity document details.
Not Just a Bot
However, an OTP bot is merely a tool for bypassing two-factor authentication; without the victim's personal data it is useless. To access someone else's account, the fraudster must know at least the current login and password, as well as the victim's phone number. The more they know about the victim (full name, date of birth, address, email, credit card details), the better. Fraudsters obtain this information in several ways:
- Purchase on the Dark Web: Hackers sell vast databases in which fraudsters can find login credentials, passwords, credit card numbers and other data. These are not always up to date, but many users do not change their passwords for years, and the other details go stale even more slowly.
- Searching Open Sources: Sometimes such databases leak onto the clear web, but they usually go stale quickly because of the media attention they attract. For instance, it is standard practice for a company that discovers a breach of its customers' personal data to reset the passwords of all affected accounts and require users to set new ones at their next login.
- Conducting Phishing Attacks: This method has a distinct advantage over the others: the fraudster obtains current, accurate data about the victim, because phishing can be conducted in real time.
Fraudsters do not stop there; they try to extract as much personal information as possible, claiming that the user needs to "confirm their credentials". Through the admin panel, the fraudster can request the victim's email address, credit card number and other critical information in real time, and then use it to attack the victim's other accounts. For instance, they may log into the victim's email account with the password they already know - people often reuse the same password across multiple services. With access to the mailbox they can do real damage: change the email account's password and, after going through its contents, request password reset links for any other account linked to that email address.
How to Keep Your Accounts Secure
- Be Cautious of Unexpected One-Time Codes: If you receive a one-time code you did not request, be suspicious. Someone is probably trying to log into your account, which means they already have your password: change it, and do not give the code to anyone who calls about it.
- Create Strong, Unique Passwords for All Your Accounts: Fraudsters cannot use an OTP bot against you if they do not know your password, and a unique password keeps one leaked database from opening your other accounts. Generate complex passwords and store them securely.
- Verify URLs Before Entering Personal Data: If you receive a message with a link asking for personal information or OTP codes, make sure the URL is correct. Fraudsters often change a couple of characters in the address to send you to a look-alike phishing site, so take a moment to confirm you are on the legitimate site before entering your login, password and OTP code.
- Never Share One-Time Codes: Do not give one-time codes to third parties or enter them on your phone's keypad during a call. Legitimate bank employees, store representatives and law enforcement officials never ask for your one-time password. A code from an authenticator app can be read out over the phone just as easily as one from an SMS; only a factor that produces nothing to read out, such as a hardware security key, is immune to this particular trick.