CYBERSECURITY: the booming market for bots that steal your 2FA codes


You’ll figure this out pretty quickly. If they have the email address you use for an account (found on the Dark Web), they can often find a matching password from a data breach (also available on the Dark Web). If that password works but you have 2FA turned on, or the system challenges the login because the location looks suspicious, the service sends a code to you. That is where the bot comes in: it phones you, pretends to be the service, and gets you to read the code back. Bingo! You’re cooked. And it’s relatively cheap, and very clever.

BY:

Salvatore Nicci
Technology Analyst / Reporter
PROJECT COUNSEL MEDIA


8 November 2021 (Paris, France) – It’s pretty simple and it works like this. A call comes in, apparently from PayPal’s fraud prevention system. Someone has tried to use your PayPal account to spend $58.82, according to the automated voice on the line, and PayPal needs to verify your identity to block the transfer. The voice says:

“In order to secure your account, please enter the code we have sent your mobile device now” [PayPal sometimes texts users a code in order to protect their account].

After you enter a string of six digits, the voice says:

“Thank you, your account has been secured and this request has been blocked.

Don’t worry if any payment has been charged to your account: we will refund it within 24 to 48 hours. Your reference ID is 1549926. You may now hang up”.

But this call was actually from a hacker. The fraudster used a type of bot that drastically streamlines the process for hackers to trick victims into giving up their multi-factor authentication codes or one-time passwords (OTPs) for all sorts of services, letting them log in or authorize cash transfers. Various bots target Apple Pay, PayPal, Amazon, Coinbase, and a wide range of specific banks.

Whereas fooling victims into handing over a login or verification code previously would often involve the hacker conversing directly with the victim, perhaps pretending to be the victim’s bank in a phone call, these increasingly traded bots dramatically lower the barrier to entry for bypassing multi-factor authentication.

The websites Motherboard and Vice contacted someone who knows how all of this works (and has Dark Web connections) and he was able to contact one of the sellers of these bots online to “demo” the capability by sending the automated call to a Motherboard reporter’s phone. After entering a code, the seller showed their bot had received the same code. He said:

“The bot is great for people who don’t have social engineering skills. Not everyone is comfortable and persuasive on the phone, you see.”

With these bots, which cost a few hundred dollars, anyone can start getting around multi-factor authentication, a security measure that many members of the public may assume is largely secure. The bots’ existence and increased popularity raise the question of whether online services need to offer more phishing-resistant forms of authentication to protect users.

To break into an account, a hacker will need a victim’s username or email address and password. They can source huge amounts of username, email address and password data from data breach troves published on the Dark Web, credentials many people reuse across the internet. Or they could buy a set of “bank logs” – login details – from a spammer. It is amazing how many people do not realize how much of their data is already out there.

NOTE: we recently bought a trove of this information off the Dark Net, information concerning a large number of our members in the legaltech and mobile tech communities who had not realised how much of their data was “out there” and how vulnerable they were. We’ve contacted each of them. 

Many of these victims have multi-factor authentication enabled, which is where the bots come in. Either on Telegram or Discord, the hacker enters their target’s phone number and the platform the hacker wants to break into. In the background, the bot then places the automated call to the target. The bots use services such as Twilio, a communications company for businesses that lets customers send messages and make calls, although not all of the bots use Twilio specifically. Said one source:

“Twilio has been cracking down on OTP bots accounts. Twilio is aware of OTP bots using its platform. The company has a team in place who is well aware of and is actively monitoring this issue. Once they become aware of an instance, they investigate immediately and take action, including shutting down the number and the account being used if need be”.

When the bot places the automated call and asks the victim to enter a code they just received, the hacker will simultaneously trigger a legitimate code to be sent from the targeted platform to the victim’s phone. They may do this by entering the victim’s username and password on the site so the victim receives a login or authorization code. Although the script in the call may tell the victim that the code is for one purpose – perhaps blocking a cash transfer or protecting their account from unauthorized entry – in reality the hacker is using the code to enter the account themselves.

The bot captures the digits the victim keys into the call, relays them to the hacker’s interface, and the hacker can then use the code to log in before it expires. As a reporter on Vice noted:

“Cyber criminals are constantly trying new ways to scam folks and this OTP/2FA code stealing bot is just another example of fraudsters getting creative. This would convince many unsuspecting victims to hand over their OTP/2FA codes and the scammer doesn’t even need to be a skilled social engineer, they can simply use this bot to attempt account takeover”. 

Jessica Barker, co-founder of cybersecurity company Cygenta, has done a major study on this and said:

“This use of OTP/2FA bots is troubling, because it makes it easier for criminals to carry out their scams and it makes us more susceptible to them. We have become so much more accustomed to automated systems communicating with us, which makes this more convincing. Add in the classic manipulation by fear mongering and the little touches like the reference code and the need not to be worried about unauthorised payments going through, and this becomes even more persuasive.”

Multiple sellers told Motherboard that the bots could also be used to obtain codes generated by a multi-factor authentication smartphone app, such as Google Authenticator. The principle is essentially the same – tricking the target to hand over a code to the hackers. Beyond sites or services such as Amazon, PayPal, and Venmo, some of the bots also target specific banks, such as Bank of America and Chase. With others, users can customize the automatically-read script themselves.
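The relay described in the preceding paragraphs is easy to model, and modelling it also shows why a code read out over the phone is relayable no matter whether it came by SMS or from an authenticator app, while a challenge-bound authenticator (the hardware security keys some services now support) is not. The following is an added illustration, not code from the article, from any bot, or from any of the services named: the service, the account, the phone number and the origins are constructed, and an HMAC stands in for the asymmetric signature a real hardware key would produce.

```python
import hashlib
import hmac
import secrets

SERVICE_ORIGIN = b"https://bank.example"        # constructed; hypothetical service
PHISH_ORIGIN = b"https://bank-secure.example"   # constructed; look-alike page a bot could lure to


class ToyService:
    """Constructed stand-in for a site that protects logins with a second factor."""

    def __init__(self):
        self.users = {}          # user -> (password, phone, authenticator_key)
        self.pending_otp = {}    # session -> (user, six-digit code)
        self.pending_chal = {}   # session -> (user, random challenge)
        self.sms_outbox = []     # (phone, code): the text the real owner receives

    def register(self, user, password, phone, authenticator_key):
        self.users[user] = (password, phone, authenticator_key)

    def _check_password(self, user, password):
        pw, _, _ = self.users[user]
        return hmac.compare_digest(pw, password)

    # SMS / app OTP: the site cannot tell who typed the code, only that it matches,
    # so a code the real owner reads out loud works for the attacker's session.
    def login_password(self, user, password):
        if not self._check_password(user, password):
            return None
        session = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_otp[session] = (user, code)
        _, phone, _ = self.users[user]
        self.sms_outbox.append((phone, code))   # texted to the real owner's phone
        return session

    def login_otp(self, session, code):
        entry = self.pending_otp.get(session)
        if entry is None:
            return False
        _, expected = entry
        ok = hmac.compare_digest(expected, code)
        if ok:
            del self.pending_otp[session]
        return ok

    # Challenge/response: the site checks a signature over (origin, challenge).
    def begin_assertion(self, user, password):
        if not self._check_password(user, password):
            return None, None
        session = secrets.token_hex(8)
        challenge = secrets.token_bytes(32)
        self.pending_chal[session] = (user, challenge)
        return session, challenge

    def finish_assertion(self, session, claimed_origin, signature):
        entry = self.pending_chal.get(session)
        if entry is None:
            return False
        user, challenge = entry
        _, _, key = self.users[user]
        expected = hmac.new(key, claimed_origin + b"|" + challenge, hashlib.sha256).digest()
        ok = claimed_origin == SERVICE_ORIGIN and hmac.compare_digest(expected, signature)
        if ok:
            del self.pending_chal[session]
        return ok


class VictimAuthenticator:
    """Stand-in for a hardware key: it signs whatever challenge it is handed, but
    always together with the origin the browser is really on, and never produces
    anything a person could read out over a phone call."""

    def __init__(self, key):
        self.key = key

    def sign(self, origin, challenge):
        return hmac.new(self.key, origin + b"|" + challenge, hashlib.sha256).digest()


def otp_bot_attack(service, victim, leaked_password, victim_phone):
    """The flow from the article: attacker logs in with breached credentials, the site
    texts the real owner, the bot phones the owner and asks for 'the code'."""
    attacker_session = service.login_password(victim, leaked_password)
    phone, code = service.sms_outbox[-1]     # the bot's call arrives; victim reads the text
    assert phone == victim_phone
    typed_into_call = code                   # victim keys the six digits into the call
    return service.login_otp(attacker_session, typed_into_call)   # bot relays them


def otp_bot_attack_hardware_key(service, victim, leaked_password, authenticator):
    """Same attacker, but the account requires a challenge-bound assertion. The bot's
    best move is to lure the victim to a look-alike page carrying the attacker's
    challenge; the key signs over the look-alike origin and the real site rejects it
    whether the attacker reports that origin honestly or lies about it."""
    session, attacker_challenge = service.begin_assertion(victim, leaked_password)
    relayed_sig = authenticator.sign(PHISH_ORIGIN, attacker_challenge)
    honest = service.finish_assertion(session, PHISH_ORIGIN, relayed_sig)
    lying = service.finish_assertion(session, SERVICE_ORIGIN, relayed_sig)
    return honest or lying


def demo():
    svc = ToyService()
    key = secrets.token_bytes(32)
    svc.register("alice", "hunter2", "+15550100", key)   # constructed victim account
    return (otp_bot_attack(svc, "alice", "hunter2", "+15550100"),
            otp_bot_attack_hardware_key(svc, "alice", "hunter2", VictimAuthenticator(key)))
```

`demo()` returns `(True, False)`: the relayed SMS code logs the attacker in, the relayed assertion does not. The difference is not the secrecy of the second factor but what it is bound to: a six-digit code is bound to nothing the victim can see, whereas the signed assertion is bound to the challenge of the session that requested it and to the origin the victim was actually on.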

Also, two sources (who asked for anonymity) who work on security in the finance sector noted:

1. “these bots are especially good on those who rely on SMS two-factor authentication”

2. “scammers are targeting consumers from many banks. We urge all consumers never to share their banking password or a one-time code their bank sends them. We do not work like that. Bank employees won’t call, text or email consumers asking for this info … but crooks will”

A Coinbase spokesperson told Motherboard in a statement that

“Coinbase acknowledges cybercriminals, who target valuable information online, are getting more creative and persistent. That’s why we take extensive security measures to ensure our platform and customer accounts remain as safe as possible, including regularly educating our customers on using the most secure forms of 2FA available and supporting hardware security keys. Coinbase also works with industry partners and law enforcement to disrupt malicious infrastructure and attack campaigns wherever possible.”

Amazon told Vice it was aware of phishing bots:

“We take any attempts to misuse our brand seriously. We do not send unsolicited messages asking for sensitive personal information or payment outside of our website, and maintain a webpage to assist customers in identifying a fake email or phone calls. Any customer that receives a questionable email, call or text from a person impersonating an Amazon employee should report them to Amazon customer service. Amazon investigates these complaints and uses them to protect customers and hold the bad actors accountable.”

Bank of America, PayPal and other banks have not responded to requests for comment on whether each was aware of OTP bots targeting them specifically. The anonymous sources noted above attributed this to the banks not yet having a full grip on the threat. One told Motherboard:

“A while ago, like 10 months ago, there weren’t that many on the market and if there was it was pretty expensive. Recently they have gotten more popular, and cheaper to run. And it’s becoming a kind of Bots-As-A-Service thing. Teams design the bot themselves, and then sell them on the Dark Web”.

In the various Dark Web Telegram groups, apparent users of the bots share their successes including screenshots of the bots in action. Some members also look to collaborate with one another to try and target more people. A Telegram channel where SMSranger, one of the seemingly more popular bots, pushes updates and announcements about their product includes some 5,000 subscribers. A second channel where members of the SMSranger “community” can chat among themselves has over 2,800 subscribers, with over 500 members online at multiple times of the day.

Some bot sellers have recently run promotional prices, presumably to bring in more customers. SMSranger ran a limited-time offer of one month’s access to the bot for $540, and lifetime access for $2,750. A day later, the bot was back to its full price of $600 and $4,000.
