Hackers OTP Bots Bypass 2FA

Two-factor authentication (2FA) is a security method that requires two verification steps for user access and is commonly implemented with one-time passwords (OTPs) delivered via various channels. 

To bypass 2FA, attackers leverage social engineering to trick users into revealing OTPs and utilize tools to automate these manipulations, including OTP bots and phishing kit administration panels. 

EHA

OTP bots are malicious software designed to steal one-time passwords (OTPs) used for two-factor authentication (2FA), where attackers first obtain a victim’s login credentials and use them to trigger an OTP on the victim’s phone.

Free Webinar on 3 Security Trends to Maximize MSP Growth -> Register For Free

A list of features offered by a certain OTP bot

The bot then calls the victim with a social engineering script to trick them into revealing the OTP over the phone and the attacker receives the OTP through a control panel and uses it to gain access to the victim’s account. 

Available OTP bot subscription plans

The OTP bot utilizes a subscription service with various tiers, paid in cryptocurrency. After acquiring victim credentials, the scammer sets up a call by selecting an impersonation category (bank, email service, etc.) and manually entering the specific organization name, victim’s name, and phone number. 

Optionally, the last four digits of the victim’s card can be added for social engineering, and advanced call customization options are available. 

Advanced call options

It is designed to bypass two-factor authentication and is configured for a phishing attack. The attacker can specify the organization’s phone number to be displayed on the victim’s caller ID and choose a language and voice (including regional variations) for the bot to use during the call. 

The bot can also detect voicemail and hang up automatically. To further customize the attack, the attacker can import their own scripts to impersonate specific organizations not included in the bot’s pre-built options. 

The option to specify the organization’s official phone number

Scammers often rely on phishing scams to steal a victim’s login credentials by tricking users into entering their login information on fake websites that mimic legitimate ones. 

Phishing attacks can target various personal details, and scammers may exploit this by harvesting additional data, like email addresses and passwords, during the initial login attempt. 

A sign-in form that imitates an online bank

This stolen information, combined with an automated one-time password (OTP) bypass bot, can grant scammers access to multiple accounts linked to the victim’s email or phone number, potentially causing significant damage. 

Phishing site that imitates the online bank sign-in page

Phishing kits are evolving to steal one-time passwords (OTPs) in real-time, bypassing 2FA, where scammers use an admin panel to control a phishing website that mimics a bank login, and once a victim enters their credentials, the scammer can see them through the panel and use them to log in to the real bank website. 

The phishing site then prompts for the OTP, which the scammer can steal and use to complete the login and potentially steal the victim’s money, as SecureList identified over 1200 phishing pages and nearly 70,000 attempted visits to these sites in May 2024.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot.