Hackers have found a foolproof method to steal your authentication codes, here’s how they do it


Cybercriminals have found a new way to bypass two-factor authentication (2FA). They use AI-powered bots to obtain security codes sent to users and gain access to their accounts.


Two-factor authentication (2FA) has become a security standard on many online platforms. It adds an extra layer of protection for user accounts. In addition to the usual password, users must provide a security code sent by SMS, email, or via an application.

This method has proven effective in protecting accounts even if the password is compromised. However, phishing campaigns, such as the one that targeted Instagram users under the pretext of copyright violations, and massive data leaks exposing 2FA codes, show that this method is not infallible.

Hackers use bots that can imitate voices using AI to steal your login code

Unfortunately, cybercriminals have developed a new technique to circumvent this protection. A Kaspersky investigation reveals that hackers are using sophisticated phishing tactics to get users to reveal their security code. With the account credentials, which they often obtain by exploiting leaked databases on the internet or through phishing attacks, and the 2FA code, they can gain access to the targeted account.

To obtain the security code, cybercriminals use an OTP (one-time password) bot. The bot calls the victim on the telephone number that receives the login code. Posing as a representative of a trusted organization, it follows a predefined script to persuade the target to provide the security code. These bots can imitate the tone and urgency of a legitimate call, impersonate organizations such as banks and payment services, and even offer a choice between an AI-generated male or female voice.


OTP bots are available on online black markets and on Telegram channels frequented by hackers. They are offered by subscription at ridiculous prices, and they even come with 24/7 technical support. But the most worrying part of all this is that their configuration is simple and does not require advanced computer skills.

Source: Kaspersky


