
Kaspersky reveals advanced phishing method to crack two-factor authentication


Dubai: The Gulf

Kaspersky has described a significant development in the phishing techniques cybercriminals use to undermine two-factor authentication (2FA), a key security measure designed to protect online accounts. Although 2FA is offered by most major websites and made mandatory by many organizations, attackers have built a workflow that combines phishing with one-time password (OTP) bots to deceive users and gain unauthorized access to their accounts.

Two-factor authentication (2FA) has become a standard for online security. It verifies a user's identity with a second form of authentication, usually a one-time password (OTP) delivered by SMS, email, or an authenticator app. This extra layer is designed to protect an account even if its password is compromised. The weakness the attacks below exploit is that such a code is just a short string the user can read out or type anywhere: the service cannot tell whether the person presenting a valid code is the account holder or someone the account holder was tricked into giving it to.

One-time password bots are tools fraudsters use to extract OTPs from victims through social engineering. The attacker first obtains the victim's login credentials, through phishing or a data breach, and logs into the victim's account with them. That login attempt causes the service to send a legitimate OTP to the victim's phone. The bot then calls the victim, posing as a representative of a trusted organization, and follows a pre-written script to persuade the victim to read the code back. The bot passes the code to the attacker, who enters it to complete the login and take over the account.

Example of a phishing website that mimics an online banking login page

Scammers prefer voice calls to text messages because a call pressures the victim into responding immediately. The bot can mimic the tone and urgency of a legitimate call, which makes the request for the code more convincing.

Scammers sell and operate OTP bots through private online platforms and messaging services such as Telegram. The bots are offered with various features and subscription plans and can be customized to impersonate different organizations, speak multiple languages, and use a male or female voice. Advanced options include caller ID spoofing, so the incoming call appears to come from a legitimate organization's number.

Before an OTP bot can be used, the fraudster needs the victim's credentials. These come from phishing sites that imitate the legitimate login pages of banks, email providers, or other online services; the fraudster collects usernames and passwords as victims type them, in real time. Some phishing kits go further and relay the victim's password and OTP to the real site immediately, so the code is used before it expires and the second factor is bypassed without any phone call.
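The two attack paths described above, the OTP bot call and the real-time relay by a phishing kit, as an added example that is not code from Kaspersky or from the article. It builds a toy relying party that issues SMS codes, a victim who behaves as the article describes, and the two attacks; both succeed because the service only checks that the code is correct, not who obtained it. For contrast it also shows a challenge bound to the site's origin, in the style of WebAuthn, which the relay cannot forward. All names, origins, the account password, and the authenticator key are constructed for the demo, and an HMAC with a shared key stands in for a real authenticator signature.

```python
# Added example, not code from Kaspersky or the article. Everything below
# (origins, password, keys, the victim's behaviour) is constructed for the demo.
import hashlib
import hmac
import secrets

ACCOUNT_PASSWORD = "hunter2"                       # assumed already stolen
REAL_ORIGIN = "https://bank.example"               # hypothetical real site
PHISH_ORIGIN = "https://bank-example-secure.test"  # hypothetical look-alike


def assertion(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for a WebAuthn assertion: a real authenticator signs the
    challenge together with the origin the browser is actually on."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()


class Victim:
    def __init__(self, authenticator_key: bytes):
        self.sms_inbox = []
        self.authenticator_key = authenticator_key

    def receive_sms(self, code: str) -> None:
        self.sms_inbox.append(code)

    def answer_call(self, script: str) -> str:
        # The bot's scripted "fraud desk" call works: the victim reads back
        # the most recent code. The code is unchanged, so nothing server-side
        # reveals that it was obtained by phone.
        return self.sms_inbox[-1]

    def type_into_page(self, origin: str, field: str) -> str:
        # The victim types into whatever page is in front of them.
        return ACCOUNT_PASSWORD if field == "password" else self.sms_inbox[-1]

    def browser_sign(self, challenge: bytes, origin: str) -> bytes:
        # The browser, not the user, supplies the origin to the authenticator.
        return assertion(self.authenticator_key, challenge, origin)


class Service:
    def __init__(self, victim: Victim, authenticator_key: bytes):
        self.victim = victim
        self.authenticator_key = authenticator_key
        self.pending_code = {}       # session id -> SMS code
        self.pending_challenge = {}  # session id -> origin-bound challenge

    def start_password_login(self, session: str, password: str) -> bool:
        if not hmac.compare_digest(password, ACCOUNT_PASSWORD):
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending_code[session] = code
        self.victim.receive_sms(code)        # legitimate SMS to the real phone
        return True

    def finish_otp_login(self, session: str, code: str) -> bool:
        # The code is tied to the session that requested it, but in both
        # attacks that session belongs to the attacker.
        expected = self.pending_code.pop(session, None)
        return expected is not None and hmac.compare_digest(code, expected)

    def start_fido_login(self, session: str) -> bytes:
        self.pending_challenge[session] = secrets.token_bytes(32)
        return self.pending_challenge[session]

    def finish_fido_login(self, session: str, sig: bytes) -> bool:
        chal = self.pending_challenge.pop(session, None)
        if chal is None:
            return False
        # Verified against the server's own origin; a relayed assertion over
        # PHISH_ORIGIN will not match.
        return hmac.compare_digest(sig, assertion(self.authenticator_key, chal, REAL_ORIGIN))


def setup():
    key = secrets.token_bytes(32)
    victim = Victim(key)
    return Service(victim, key), victim


def otp_bot_attack() -> bool:
    """Attacker logs in with the stolen password, which makes the bank text
    the victim; the bot calls the victim for the code; attacker finishes."""
    service, victim = setup()
    session = "attacker-browser"
    service.start_password_login(session, ACCOUNT_PASSWORD)
    code = victim.answer_call("This is the bank's fraud desk, please read the code we just sent")
    return service.finish_otp_login(session, code)  # True: the code is valid


def realtime_phishing_attack() -> bool:
    """A phishing kit relays the victim's password and code to the real site."""
    service, victim = setup()
    session = "phishing-kit-backend"
    service.start_password_login(session, victim.type_into_page(PHISH_ORIGIN, "password"))
    return service.finish_otp_login(session, victim.type_into_page(PHISH_ORIGIN, "code"))


def realtime_phishing_against_origin_bound() -> bool:
    """The same relay against an origin-bound challenge: the browser signs the
    phishing origin, so the real site rejects the assertion."""
    service, victim = setup()
    session = "phishing-kit-backend"
    challenge = service.start_fido_login(session)
    return service.finish_fido_login(session, victim.browser_sign(challenge, PHISH_ORIGIN))


def legitimate_origin_bound_login() -> bool:
    service, victim = setup()
    challenge = service.start_fido_login("victim-browser")
    return service.finish_fido_login("victim-browser", victim.browser_sign(challenge, REAL_ORIGIN))
```

The point of the contrast is that nothing the service checks in `finish_otp_login` distinguishes the bot or the relay from the real user, because the code carries no information about where or to whom it was presented; the origin-bound flow fails for the relay only because the browser, not the user, decides what gets signed.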

Kaspersky's figures show the scale of these phishing and OTP bot attacks. Between March 1 and May 31, 2024, the company's products blocked 653,088 attempts to visit sites generated by phishing kits that target banks, the kind of sites whose harvested data is used in OTP bot attacks. During the same period, Kaspersky solutions detected a further 4,721 phishing pages generated by kits designed to bypass two-factor authentication in real time.

“Social engineering can be highly deceptive, especially using one-time password bots to mimic real calls from legitimate service representatives,” said Olga Svestonova, security expert at Kaspersky. “To be prepared, it’s important to stay vigilant and follow security best practices. Through continuous research and innovation, Kaspersky delivers the latest security solutions to protect your digital life.”
