New form of phishing attack on the rise
Two-factor authentication (2FA) has become a standard security control. It requires users to confirm their identity with a second step, typically a one-time password (OTP) delivered by text message or email, or generated by an authenticator app.
This extra layer is meant to protect an account even when its password has been stolen. Scammers, however, have found ways to trick users into revealing the OTP itself, and one of the most effective tools for doing so is the OTP bot.
An OTP bot is an automated tool that fraudsters use to extract OTP codes from victims through social engineering. The attack starts with the victim's login credentials, which attackers usually obtain through phishing or from data breaches.
With the stolen credentials they log into the victim's account, which prompts the service to send an OTP to the victim's phone. At the same moment, the OTP bot calls the victim, impersonating an employee of a trusted organization and following a pre-programmed script to persuade the victim to read out or key in the code. The bot relays the code to the attacker, who uses it before it expires to complete the login and gain unauthorized access to the account.
Fraudsters prefer voice calls to text messages because victims respond faster to a call. OTP bots therefore mimic the tone and urgency of a human caller to create a sense of trust and pressure, so that the victim hands over the code before the OTP's short validity window runs out.
To use an OTP bot, the scammer must first obtain the victim's login credentials. A common method is a phishing website built to look exactly like the legitimate login page of a bank, email service, or other online account. When the victim enters a username and password, the credentials are forwarded to the scammer in real time, so the fraudulent login (and the resulting OTP prompt) can follow within seconds.
According to Kaspersky statistics, from March 1 to May 31, 2024, their security solutions prevented 653,088 visits to websites created by phishing toolkits targeting banks.
Data stolen through these sites is often used in OTP bot attacks. In the same period, the company also detected 4,721 phishing pages generated by toolkits designed to bypass two-factor authentication in real time.
Solution
While 2FA is an important security measure, it is not a silver bullet. To protect users from these sophisticated scams, cybersecurity experts recommend:
- Avoid clicking on links in suspicious email messages. If you need to log into an account at any organization, type the website address yourself or use a bookmark you saved earlier.
- Check that the website address is correct and free of typos. A Whois lookup shows when the domain was registered; a domain registered only days or weeks ago is a strong warning sign that the site is a scam, even though age alone is not proof.
- Never provide OTP codes over the phone, no matter how convincing the caller seems. Banks and other reputable organizations do not ask customers to read out or enter OTP codes on a phone call to verify their identity, so any such request is itself a sign of fraud.
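The domain-age check from the list above, as an added example that is not part of the original article: it parses the creation date out of raw whois output (which is not standardised, so several common field names and date formats are handled), computes the domain's age, and flags anything registered within a threshold. The whois records below are constructed samples using reserved `.example` names, not real lookups, and the field names and formats covered are the common ones, not an exhaustive list.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Field names registries use for the registration date (assumption: illustrative
# list of the common spellings, compared case-insensitively).
_CREATED_KEYS = (
    "creation date",
    "created",
    "registered on",
    "registration date",
    "domain registration date",
)

# Date layouts seen in whois output, tried in order.
_DATE_FORMATS = (
    "%Y-%m-%dT%H:%M:%SZ",   # 2024-05-12T10:31:02Z (most gTLD registrars)
    "%Y-%m-%dT%H:%M:%S%z",  # 2024-05-12T10:31:02+00:00
    "%Y-%m-%d %H:%M:%S",
    "%Y-%m-%d",
    "%d-%b-%Y",             # 03-Nov-2021 (Nominet style)
    "%Y.%m.%d",
)

# Fixed "current time" so the demo and its results are reproducible (assumption).
AS_OF = datetime(2024, 5, 21, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample records: a lookalike registered nine days before AS_OF,
# a long-established domain, and a record with no creation date at all.
SUSPECT_WHOIS = """\
Domain Name: SECURE-LOGIN-MYBANK.EXAMPLE
Registry Domain ID: 0000000000_DOMAIN-EXAMPLE
Updated Date: 2024-05-12T10:31:02Z
Creation Date: 2024-05-12T10:31:02Z
Registry Expiry Date: 2025-05-12T10:31:02Z
Registrar: Example Registrar, LLC
"""

LEGIT_WHOIS = """\
Domain name: mybank.example
Registrar: Example Registrar Ltd
Registered on: 15-Mar-1999
Expiry date: 15-Mar-2026
"""

UNKNOWN_WHOIS = "Domain Name: hidden.example\nRegistrar: Example Privacy Registrar\n"


def parse_creation_date(whois_text: str) -> Optional[datetime]:
    """Return the registration timestamp (UTC) or None if no known field parses."""
    for raw in whois_text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # first colon only; dates contain colons
        if key.strip().lower() not in _CREATED_KEYS:
            continue
        value = value.strip()
        for fmt in _DATE_FORMATS:
            try:
                parsed = datetime.strptime(value, fmt)
            except ValueError:
                continue
            if parsed.tzinfo is None:
                parsed = parsed.replace(tzinfo=timezone.utc)
            return parsed
    return None


def domain_age_days(whois_text: str, now: Optional[datetime] = None) -> Optional[int]:
    """Whole days since registration, or None when the date cannot be determined."""
    created = parse_creation_date(whois_text)
    if created is None:
        return None
    now = now or datetime.now(timezone.utc)
    return (now - created).days


def is_suspiciously_new(whois_text: str, now: Optional[datetime] = None,
                        threshold_days: int = 30) -> bool:
    """Flag domains younger than the threshold. An unparseable record is treated
    as suspicious rather than trusted, since the check could not be performed."""
    age = domain_age_days(whois_text, now)
    return age is None or age < threshold_days


if __name__ == "__main__":
    for label, record in (("suspect", SUSPECT_WHOIS), ("legit", LEGIT_WHOIS),
                          ("unknown", UNKNOWN_WHOIS)):
        print(label, domain_age_days(record, AS_OF), is_suspiciously_new(record, AS_OF))
```

The threshold is a judgement call: phishing kits typically go live within days of registration, so 30 days catches most of them, while a legitimate new business would also trip it, which is why the article's advice treats a young domain as a warning sign to weigh, not a verdict.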
Source: https://laodong.vn/cong-nghe/canh-bao-ve-cac-hinh-thuc-tan-cong-gia-mao-de-vuot-xac-thuc-2-yeu-to-1351735.ldo