In recent months, the number of 2FA circumvention methods has grown, with bots being a popular choice.
One-time password (OTP) tokens, codes, links, biometric identifiers, and physical dongles that must be touched to confirm the account owner's identity are all examples of two-factor authentication (2FA). OTP codes are most often delivered by text message to a phone number or by email.
While 2FA might help safeguard accounts better than just using passwords, threat actors have quickly come up with ways to intercept OTPs, often through social engineering and malware.
Since June, several 2FA-bypassing services have been abusing the Telegram chat service. Telegram is used either to develop and host the bots themselves or as a 'customer support' channel for the criminals running these operations.
Telegram bots are used to automatically call potential phishing victims, send messages posing as bank communications, and generally try to get victims to pass over OTP codes. Other bots leverage social media users as a target for phishing and SIM-swap attacks.
A modest degree of programming is required to create these bots, but it is nothing compared to writing custom malware. The Telegram bots can be rented out in the same manner as traditional botnets, and an attack can be started with just a few clicks once the targeted victim's phone number has been supplied.
SMSRanger and BloodOTPbot are two popular examples of such bots.
SMSRanger's UI and command configuration resemble those of the Slack collaboration platform, and it can be pointed at specific services such as PayPal, Apple Pay, and Google Play.
The second one, BloodOTPbot, is an SMS-based bot that may also make automated calls pretending to be bank employees.
The bots demonstrate that each type of two-factor authentication carries its own set of security concerns. While SMS- and phone-call-based OTP services are the best, cybercriminals have developed methods to get around those protections through social engineering.
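The reason a phished OTP works at all is that the server has no way to tell who is typing the digits: a code read out to a bot over the phone verifies exactly like one entered by the account owner. The following added example (written for this article, not code from any of the bots or services named above) models that from the verifying server's side. It implements HOTP from RFC 4226 for the "plain" code, then a transaction-bound variant that mixes a hash of the requested action into the HMAC input, so a code issued for a login cannot be replayed to authorize a transfer. The fixed counter, the demo secret (the RFC 4226 test-vector key), and the two context strings are constructed for the demonstration; `bound_otp` is an illustrative design, not a standardized algorithm.

```python
import hashlib
import hmac
import struct

# Constructed demo secret (the RFC 4226 test-vector key). Real deployments use a
# random per-user secret, and TOTP would derive the counter from the clock.
DEMO_SECRET = b"12345678901234567890"


def _truncate(digest: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: pick 4 bytes by the low nibble of the last byte."""
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Plain HOTP: the code depends only on the shared secret and a counter.

    Nothing in the code says who is submitting it or what it authorizes."""
    msg = struct.pack(">Q", counter)
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest(), digits)


def verify_hotp(secret: bytes, counter: int, submitted: str) -> bool:
    return hmac.compare_digest(hotp(secret, counter), submitted)


def bound_otp(secret: bytes, counter: int, context: str, digits: int = 6) -> str:
    """Illustrative transaction-bound OTP (assumed design, not an RFC).

    The hash of the human-readable action ("transfer 5000 to ...") is folded into
    the HMAC input, so the code is only valid for that exact action. The same text
    must be shown to the user in the SMS so they can see what they are approving."""
    ctx_hash = hashlib.sha256(context.encode("utf-8")).digest()
    msg = struct.pack(">Q", counter) + ctx_hash
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest(), digits)


def verify_bound(secret: bytes, counter: int, context: str, submitted: str) -> bool:
    return hmac.compare_digest(bound_otp(secret, counter, context), submitted)


def relay_scenario() -> dict:
    """Constructed scenario seen from the server: who submits the code is invisible."""
    counter = 7

    # 1. Plain OTP: the bank texts a code, the victim is talked into reading it out,
    #    and the attacker types the identical digits. The server cannot distinguish.
    code_sent_to_victim = hotp(DEMO_SECRET, counter)
    plain_relayed_accepted = verify_hotp(DEMO_SECRET, counter, code_sent_to_victim)

    # 2. Bound OTP: the code the victim received was issued for a login prompt. Even
    #    if it is relayed, it does not verify for a different action.
    login_context = "login from your usual device"
    transfer_context = "transfer 5000 to account PLACEHOLDER-IBAN"  # constructed placeholder
    code_for_login = bound_otp(DEMO_SECRET, counter, login_context)

    return {
        "plain_otp_relayed_accepted": plain_relayed_accepted,
        "bound_otp_accepted_for_login": verify_bound(DEMO_SECRET, counter, login_context, code_for_login),
        "bound_otp_reused_for_transfer": verify_bound(DEMO_SECRET, counter, transfer_context, code_for_login),
    }


if __name__ == "__main__":
    for name, outcome in relay_scenario().items():
        print(f"{name}: {outcome}")
```

The binding limits the blast radius of one leaked code, but it does not remove the social-engineering problem the article describes: if the bot initiates the transfer and the victim reads out a code whose message plainly says "transfer 5000", the server will still accept it. That is why the binding only helps when the delivered message spells out the action and users are trained to read it, and why origin-bound authenticators (hardware keys, WebAuthn) that never expose a relayable code are the stronger answer to these bots.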