Islamabad: Kaspersky has uncovered a sophisticated evolution of phishing techniques used by cybercriminals to bypass two-factor authentication (2FA), a crucial security measure designed to protect online accounts. Despite the widespread adoption of two-factor authentication by many websites and its mandatory implementation by numerous organizations, attackers have developed advanced methods that combine phishing with automated OTP bots to deceive users and gain unauthorized access to their accounts.
Two-factor authentication (2FA) is a security feature that requires users to verify their identity using a second form of authentication, usually a one-time password (OTP) sent via text message, email, or an authentication app. This extra layer of security is intended to protect users' accounts even if their passwords are compromised. However, scammers have developed ways to trick users into revealing these OTPs, allowing them to bypass 2FA protections.

An OTP bot is a tool used by scammers to intercept OTPs through social engineering.
Attackers usually first obtain the victim's login credentials through phishing or data leaks, then log in to the victim's account, which triggers an OTP to be sent to the victim's phone. The OTP bot then calls the victim, pretending to be a representative of a trusted organization, and uses a pre-scripted dialogue to persuade the victim to share the OTP. Finally, the attacker receives the OTP through the bot and uses it, while the code is still valid, to gain access to the victim's account.

Scammers prefer phone calls over messages because calls increase the chances of the victim responding quickly, before the short-lived code expires.
The bot can mimic the tone and urgency of a legitimate call, making it more convincing. Scammers manage OTP bots through special online panels or messaging platforms such as Telegram. The bots can be customized to impersonate different organizations, use multiple languages, and even choose between male and female voices.

Scammers often use phishing websites that look like legitimate login pages for banks, email services, or other online accounts. When the victim enters their username and password, the cybercriminals capture this information in real time and can immediately use it to log in and trigger the OTP.
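The steps above can be walked through end to end in code. The following Python simulation is an added illustration written for this article; it is not Kaspersky's code or data, and the service, the account "alice", the text messages, the 120-second code lifetime and the bot's script are all constructed assumptions. It shows why the relay works: the server checks that the code is correct and unexpired, but the code is tied to the account rather than to the session that triggered it, so a code read out to the bot and typed by the attacker is accepted exactly like one typed by the phone's owner. It also shows the two ways the attack fails: the victim hangs up without reading the code, or the bot takes longer than the code's validity window.

```python
# Constructed simulation of the OTP-bot flow: service, account, texts and bot
# script are all invented for this example (not Kaspersky's code or data).
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 120  # assumed validity window of a delivered SMS code


class FakeClock:
    """Deterministic clock so the example can also show the code expiring."""
    def __init__(self):
        self.now = 1_700_000_000.0

    def advance(self, seconds):
        self.now += seconds


class OtpService:
    """Password + SMS-style OTP login. The code is bound to the account and a
    time window, not to the session that triggered it, so the server cannot
    tell the phone's owner from an attacker who talked them into reading it out."""

    def __init__(self, clock):
        self.clock = clock
        self.users = {}     # user -> password hash
        self.inbox = {}     # user -> texts "delivered" to that user's phone
        self.pending = {}   # user -> (code, expires_at)
        self.sessions = {}  # session_id -> [user, client label, authenticated]

    def register(self, user, password):
        self.users[user] = hashlib.sha256(password.encode()).hexdigest()
        self.inbox[user] = []

    def login_password(self, user, password, client):
        """Step 1: on a correct password, text a code to the user's phone and
        return a half-authenticated session id; None on a wrong password."""
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(self.users.get(user, ""), digest):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (code, self.clock.now + OTP_TTL_SECONDS)
        self.inbox[user].append(f"Your verification code is {code}. Never share it.")
        sid = secrets.token_hex(8)
        self.sessions[sid] = [user, client, False]  # client label is never checked
        return sid

    def login_otp(self, sid, code):
        """Step 2: accept the unexpired code from *any* session of that account."""
        session = self.sessions[sid]
        user = session[0]
        pending = self.pending.get(user)
        if pending is None:
            return False
        real_code, expires_at = pending
        if self.clock.now > expires_at:
            del self.pending[user]
            return False
        if not hmac.compare_digest(real_code, code):
            return False
        del self.pending[user]  # single use
        session[2] = True
        return True


def latest_sms_code(svc, user):
    """The 6-digit code the victim sees in the most recent text on their phone."""
    return svc.inbox[user][-1].split("code is ")[1][:6]


def otp_bot_attack(svc, user, phished_password, victim_complies, bot_delay_seconds):
    """Attacker logs in with the phished password (which triggers the text), the
    bot 'calls' the victim, and whatever the victim reads back is relayed into
    the attacker's own session. Returns True if the attacker gets in."""
    sid = svc.login_password(user, phished_password, client="attacker-vps")
    if sid is None:
        return False
    svc.clock.advance(bot_delay_seconds)  # the call and its pre-scripted dialogue
    relayed = latest_sms_code(svc, user) if victim_complies else "hung up"
    return svc.login_otp(sid, relayed)


def demo():
    """Legitimate login, then three bot attacks: victim complies, victim refuses,
    and the bot is too slow so the code expires."""
    svc = OtpService(FakeClock())
    pw = "correct horse battery staple"
    svc.register("alice", pw)
    own = svc.login_password("alice", pw, client="alice-laptop")
    return {
        "legit": svc.login_otp(own, latest_sms_code(svc, "alice")),
        "attack": otp_bot_attack(svc, "alice", pw, True, 40),
        "refused": otp_bot_attack(svc, "alice", pw, False, 40),
        "expired": otp_bot_attack(svc, "alice", pw, True, OTP_TTL_SECONDS + 1),
    }


if __name__ == "__main__":
    print(demo())  # {'legit': True, 'attack': True, 'refused': False, 'expired': False}
```

The only server-side signal in this model is the client label recorded on each session, which the service stores but never compares against the session that submits the code; nothing about a correct, in-window code tells the server who actually received the text. That is why the defensive advice in this article is aimed at the person holding the phone: a code that is never read out cannot be relayed.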
Kaspersky's research shows the significant impact of these phishing and OTP bot attacks. From March 1 to May 31, 2024, Kaspersky's products prevented 653,088 attempts to visit sites generated by phishing kits targeting the banking sector; the data harvested by such sites is often used in attacks with OTP bots. During the same period, Kaspersky's technology detected 4,721 phishing pages generated by kits aimed at bypassing two-factor authentication in real time.
“Social engineering can be incredibly tricky, especially with the use of OTP bots that can mimic real calls from representatives of legitimate services. To stay on guard, it's crucial to remain vigilant and follow best security practices. Through continuous research and innovation, Kaspersky provides cutting-edge security solutions to safeguard digital lives,” comments Olga Svistunova, a security expert at Kaspersky.
While 2FA is an important security measure, it is not foolproof. To protect yourself from these scams, Kaspersky recommends the following. Avoid opening links you receive in suspicious email messages; if you need to sign in to your account with an organization, type the address in manually or use a bookmark. Do not read out or key in a one-time code while you are on the phone, no matter how convincing the caller sounds. Real banks and other companies never use this method to verify the identity of their clients.
To protect a company against a wide range of threats, use solutions such as Kaspersky Next that provide real-time protection, threat visibility, and the investigation and response capabilities of EDR and XDR for organizations of any size and industry. Invest in additional cybersecurity training for your employees, such as Kaspersky Security Awareness courses.