
PRESSR: Kaspersky exposes advanced phishing techniques to bypass two-factor authentication

Kaspersky has uncovered a sophisticated evolution of phishing techniques used by cybercriminals to bypass two-factor authentication (2FA), a crucial security measure designed to protect online accounts. Despite the widespread adoption of 2FA by many websites and its mandatory implementation by numerous organizations, attackers have developed advanced methods, combining phishing with automated OTP bots to deceive users and gain unauthorized access to their accounts.

Two-factor authentication (2FA) is a security feature that has become a standard practice in online security. It requires users to verify their identity using a second form of authentication, usually a one-time password (OTP) sent via text message, email, or an authentication app. This extra layer of security is intended to protect users’ accounts even if their passwords are compromised. However, scammers have developed ways to trick users into revealing these OTPs, allowing them to bypass 2FA protections.

An OTP bot is a tool used by scammers to intercept OTPs through social engineering techniques. Attackers usually attempt to obtain the victim’s login credentials through phishing or data leaks, then log in to the victim’s account, triggering an OTP to be sent to the victim’s phone. After that, the OTP bot calls the victim, pretending to be a representative from a trusted organization, and uses a pre-scripted dialogue to persuade the victim to share the OTP. Finally, the attacker receives the OTP through the bot and uses it to gain access to the victim’s account.

Phishing site that imitates the online bank sign-in page

Scammers prefer phone calls over messages because calls increase the chances of the victim responding quickly. The bot can mimic the tone and urgency of a legitimate call, making it more convincing.

Scammers manage OTP bots through special online panels or messaging platforms such as Telegram. These bots come with various features and subscription plans. They can be customized to impersonate different organizations, use multiple languages, and even choose between male and female voices. Advanced options include phone number spoofing, which makes the caller ID appear as if it’s coming from a legitimate organization.

Before using an OTP bot, scammers need to steal the victim’s credentials. They often use phishing websites that look like legitimate login pages for banks, email services, or other online accounts. When the victim enters their username and password, the scammers capture this information in real-time.

Kaspersky’s research shows the significant impact of these phishing and OTP bot attacks. From March 1 to May 31, 2024, the company’s products prevented 653,088 attempts to visit sites generated by phishing kits targeting the banking sector; the data stolen through such sites is often used in attacks with OTP bots. During the same period, Kaspersky’s technology detected 4,721 phishing pages generated by kits that are aimed at bypassing two-factor authentication in real time.

“Social engineering can be incredibly tricky, especially with the use of OTP bots that can mimic real calls from representatives of legitimate services. To stay on guard, it's crucial to remain vigilant and follow best security practices. Through continuous research and innovation, Kaspersky provides cutting-edge security solutions to safeguard digital lives,” comments Olga Svistunova, a security expert at Kaspersky.

While 2FA is an important security measure, it’s not foolproof. To protect yourself from these sophisticated scams, Kaspersky recommends:

  • Avoid opening links you receive in suspicious email messages. If you need to sign in to your account with the organization, type in the address manually or use a bookmark.
  • Make sure the website address is correct and contains no typos before you enter your credentials there. Use Whois to check on the website: if it was registered recently, chances are this is a scam site.
  • Do not pronounce or punch in the one-time code while you're on the phone, no matter how convincing the caller sounds. Real banks and other companies never use this method to verify the identity of their clients.
  • To protect the company against a wide range of threats, use solutions such as Kaspersky Next that provide real-time protection, threat visibility, investigation and response capabilities of EDR and XDR for organizations of any size and industry.
  • Invest in additional cybersecurity training for your employees, such as Kaspersky Security Awareness courses.
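Two of the checks recommended above, the "no typos in the address" check and the "registered recently" WHOIS check, written out as an added example (not Kaspersky's code). The trusted-domain list and the 30-day threshold are assumptions, and the WHOIS lookup itself is left out so the sample runs offline: the creation date string is passed in as it would appear in WHOIS output.

```python
from datetime import date, datetime
from urllib.parse import urlsplit

# Constructed allow-list of sites the user legitimately signs in to.
TRUSTED_DOMAINS = frozenset({"examplebank.com", "mail.example.org"})
MAX_NEW_DOMAIN_AGE_DAYS = 30  # assumption: "recently registered" = under 30 days

def registrable_domain(host: str) -> str:
    # Last two labels; a real tool would consult the public suffix list (.co.uk etc.).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance: single-character edits needed to turn a into b.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_whois_date(text: str) -> date:
    # 'Creation Date' as WHOIS servers commonly print it (ISO 8601 or dd-Mon-yyyy).
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y"):
        try:
            return datetime.strptime(text.strip(), fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised WHOIS date: {text!r}")

def assess_signin_url(url: str, whois_created: str, today: date) -> list[str]:
    """Return warnings for the URL; an empty list means both checks passed."""
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return []
    warnings = ["domain is not on the trusted list"]
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(domain, trusted) <= 2:  # one or two typos away
            warnings.append(f"lookalike of {trusted}")
        elif trusted in host:  # trusted brand buried in a subdomain
            warnings.append(f"embeds {trusted} in the hostname")
    age_days = (today - parse_whois_date(whois_created)).days
    if age_days < MAX_NEW_DOMAIN_AGE_DAYS:
        warnings.append(f"domain registered only {age_days} days ago")
    return warnings

if __name__ == "__main__":
    print(assess_signin_url("https://exampIebank.com/login", "2024-05-20T10:00:00Z", date(2024, 6, 1)))
```

The capital "I" in the sample URL is lowercased by the URL parser, so the hostname ends up one edit away from the trusted domain and is flagged as a lookalike.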

Read more about OTP bots on the Kaspersky Daily website.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 220,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
