Two-factor authentication (2FA) is one of the simplest methods for users to protect their online privacy. Consequently, cybercriminals have started attempting to bypass this protection. Underground forums are rife with services that enable attackers to circumvent OTP tokens. 

How does it work?

The services commenced in June and operate either via Telegram bots or offer customer support via Telegram channels. The bots automatically call targets as part of a phishing scam and lure them into giving up their OTP codes. Other bots also target social media users in SIM swapping and phishing attempts.

Bots of interest

Intel 471 researchers discovered two bots of concern - BloodOTPbot and SMSRanger. The former is SMS-based and can be leveraged to create automatic calls impersonating bank employees. The latter is used to target specific services such as Google Pay, PayPal, and Apple Pay, as well as a wireless carrier. 
  • Another bot, dubbed SMS Buster, has been spotted and requires a bit more effort from the attacker compared with the other two.
  • This bot allows attackers to conceal a call by mimicking legitimate contacts from a particular bank. 
  • Attackers used SMS Buster to target eight Canadian-based banks. 

What else?

  • Telegram has become a favorite platform among threat actors because of the advantages it offers them.
  • In Austria, a Telegram bot was used to create fake vaccine certificates for free. These fake certificates were also sold in Brazil, Australia, the U.S., the U.K., Ireland, Finland, and Portugal, among other countries.

The bottom line

These latest attacks leveraging Telegram bots show that even 2FA is not free of threats. While OTP services are commendable, cybercriminals have social-engineered their way around them. It is time to switch to other security measures rather than relying on phone call- or text-based OTPs.

Cyware Publisher