Single-factor authentication should not be used anymore
Single-factor authentication has been the standard on Internet-facing services for many years, but it clearly lacks security: should an attacker obtain the credentials for such a service, say a mailbox, they can read all of its data if no additional protection exists after the log-in step. In August 2021 the Cybersecurity and Infrastructure Security Agency (CISA) added single-factor authentication to its list of bad practices.
The most common way to add security is a second layer of authentication (two-factor authentication, 2FA), generally a one-time password (OTP) that is received on a smartphone via SMS or generated by an authenticator application such as Google Authenticator or Duo.
2FA can still be bypassed
While 2FA drastically increases the security of Internet services, it can still be bypassed. One method is to compromise the victim's phone in order to steal the 2FA codes and use them to log in to a 2FA-enabled service; the Escobar Android malware is one example.
Another method uses social engineering to entice the users themselves to hand the 2FA code to the attacker. The attacker generally pretends to be someone with a legitimate interest in the account, such as a bank employee or a member of the IT security staff. Once the attacker has the 2FA code, they can quietly log in with it together with the credentials they already hold, impersonating the user.
This method is tricky for some cybercriminals, for several reasons. First, they need a secure way to place the phone call so that an investigation does not lead directly back to them. Then, they need to interact personally with the target on the phone: some threat actors are not good at playing a role over the phone, or may not even speak the same language as their target. This is where interactive voice response (IVR) systems come in handy, saving the cybercriminal from having to speak to the targeted person at all.
Bot technique for intercepting OTP codes
Cyble has exposed different bots used by cybercriminals to bypass 2FA by intercepting the one-time password of their targets. For all these systems, the technique is always the same once the cybercriminal has registered and paid for the fraudulent service (Figure A).
First, the attacker goes to the Internet-facing service they want to access and submits the victim's credentials, obtained previously. At the same time, the attacker selects the mode matching the targeted system and enters the victim's mobile number and the bank or service name into the bot. The bot then places a call that impersonates the bank or service using IVR and asks for the one-time password that the victim has just received. Once the victim gives the code to the bot, the attacker receives it and, as long as it is still within its validity window, can illegally access the compromised account.
Different bot services available
SMSranger is a Telegram-based bot. It seems very popular amongst cybercriminals, and provides services in the United Kingdom, France, Spain, Germany, Italy and Colombia, according to Cyble. The subscription for the service is $399/month or $2,800 for lifetime use.
“SMSranger bot featured modes specifically targeting retail banking, PayPal, Apple Pay, email users, mobile carrier consumers and customer services,” Cyble said. “The customer services mode allegedly allowed fraudsters to connect to a victim via Peer-to-Peer encrypted voice call, provided options to hold the call with music in the background and send messages during the call.”
OTP BOSS is another of those fraudulent services, costing $1,200/month. It is capable of targeting people in the United States, Canada, the United Kingdom, France, Spain, Germany, Italy and Colombia, and more recently added Australia, Singapore, Malaysia and Belgium (Figure B).
According to the research, the threat actors operating the OTP BOSS bot are also themselves highly involved in the monetization of counterfeit bank checks, compromised accounts and payment cards.
PizzaOTP is yet another service, at $350/month, which can target users in the United States, India, Canada, the United Kingdom, Australia, Germany, France, Italy, Brazil, Spain, Portugal, Israel, Austria, Switzerland and Pakistan.
Several other services exist and have existed, but many were shut down suddenly in 2021, likely due to law enforcement operations. Similar services also exist on the Discord platform, with more possibly on instant messaging platforms.
How to protect yourself from this threat
This threat only works if the attacker already holds the first factor of authentication, most of the time valid credentials such as a username and password.
Never give sensitive information, and never an OTP, to an incoming IVR call that you did not initiate yourself. Receiving such a call is itself a warning sign: it most likely means the attacker already holds the first factor and is at that moment trying to log in, so the password for the account in question should be changed immediately.
It is also advisable to raise awareness of this fraud, in particular by making all users understand that no bank or other online service will ever ask for a user's OTP.
Finally, keep all software and operating systems up to date, so that attackers cannot obtain the credentials in the first place by exploiting a common vulnerability.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.