Cybercriminals bypassing two-factor authentication through Telegram

Bot services on messaging provider Telegram are being used to steal one-time passwords (OTP) used in two-factor verification to access accounts online. 

Many companies now use two-factor authentication for their services to improve security for their customers and users. Consequently, it was likely only a matter of time before cybercriminals developed ways to try to circumvent these protocols. 

Researchers at Intel 471 have observed these services operating on Telegram. They say the services have only been in operation since June, and that they either run as a Telegram bot or provide support to customers via a Telegram channel. 

OTPs are often used by banks and other services that provide access to valuable information. Intel 471 say they have seen an ‘uptick’ in services on the cybercrime underground that allow attackers to gain access to the codes. 

“Over the past few months, we’ve seen actors provide access to services that call victims, appear as a legitimate call from a specific bank and deceive victims into typing an OTP or other verification code into a mobile phone in order to capture and deliver the codes to the operator,” they explained. 

Some services also enable the interception of OTPs on popular social media platforms or other financial services, providing email phishing and ‘SIM swapping’ capabilities. 

In the various support channels provided alongside these bots, users share the successes of their exploits, often acquiring thousands of pounds from their victims. These services appear to be yet another example of the burgeoning Cybercrime as a Service (CaaS) market. 

The different bots available 

The researchers cited several bots they observed which appeared to be extremely successful in achieving their goal. ‘SMSRanger’, for example, had a very intuitive interface, using simple slash commands to cycle through the different ‘modes’ that target specific banks or other services such as PayPal, Apple Pay or Google Pay. Once a target’s phone number is entered, the bot does the rest of the work. 

Users claimed that this particular bot has a success rate of 80 percent if the victim answered the call and the full information provided was accurate. 

Another bot, ‘BloodOTPbot’, aimed to acquire the OTP code sent via SMS. Bank representatives are impersonated, and social engineering techniques are used to obtain a code. Once the victim receives the OTP and enters it on their phone’s keypad, the bot texts it to the attacker. 

Summary 

These bots, like many other CaaS tools, are worryingly easy to use by threat actors. The user only needs to purchase the bot, obtain a victim’s phone number and click a few buttons. 

They have shown that some forms of 2FA are by no means impenetrable. “While SMS- and phone-call-based OTP services are better than nothing, criminals have found ways to socially engineer their way around the safeguards,” commented Intel 471. 

The bots are yet another example of how threat actors are taking advantage of Telegram as an easy way of conducting their business. As the Financial Times said earlier this month, Telegram is emerging as a new dark web for criminals.