The alarm was raised by an investigation carried out by Motherboard. The example is a scam that starts with a voice call carrying an automated message warning of a supposed attempt at fraudulent use of the victim's PayPal account. The recorded voice asks for an identity verification by entering a code to block the attempted fraud, but in reality it is the call itself that is the attempted fraud.

The check run by Motherboard's staff helps to understand the technique used in these new scam attempts. The recorded voice says: “To protect your account, enter the code we sent to your mobile device.” After the victim enters the six-digit string they received, the recording continues: “Thank you, your account has been protected and this request has been blocked”, referring precisely to the imaginary attempted scam. It then concludes: “Don’t worry if a payment has been debited from your account – we will refund it within 24-48 hours. Your reference ID is 1549926. You can now hang up.”

In this case, the scammer used a type of bot that induces victims to disclose their multi-factor authentication codes (two-factor authentication, 2FA) or one-time passwords (OTP), granting the scammer access. For now, these bots seem to mainly target PayPal, Amazon, Coinbase and some banks. This method is more subtle than the classic scammer who pretends to be the bank on the phone to get the access codes handed over. By now, thanks in part to awareness campaigns, many people are able to recognise that classic scam attempt.

The recording of the bot in action made by Motherboard.

How does the scam work in practice?

In this case the attacker works on several levels. To log into an account, they need the victim’s username or e-mail address and password. This first set of data may have come from a previous breach or been bought on the black market. When one of these accounts also has two-factor authentication, this is where the malicious bots come into play.

The mechanism requires the attacker to choose a target platform on which the victim has a real, active account. The attacker starts the bot, which places the automated call and asks the victim to enter the verification code they have just received from the target platform. Meanwhile, the attacker is actually making the login attempt with the illegally obtained credentials, which triggers the platform to send the legitimate verification code to the victim’s phone. The attacker then uses that legitimate code to access the account, and it is the victim who hands it over by keying it into the conversation with the bot.

“Cybercriminals are constantly looking for new ways to scam people and this OTP / 2FA Code Theft Bot is just another example of scammers getting creative. This would convince many unsuspecting victims to hand over their OTP / 2FA codes and the scammer doesn’t even need to be a social engineering expert, they can just use this Bot to attempt the account takeover,” says Rachel Tobac, CEO of the cybersecurity firm Social Proof Security, in an email sent to Motherboard after reviewing the audio files of these calls. Be aware that these bots could also be used to obtain codes generated by a smartphone multi-factor authentication app. The principle is essentially the same: tricking the user into handing a legitimate code to the attacker.
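As an added illustration that is not part of the Motherboard report or of any real service's code, the following Python model replays the flow described above against two login designs: one where the second factor is a six-digit code sent to the phone (any session that presents it is accepted, so a relayed code works for the attacker; the model also records a new device completing verification as a review signal for the defender), and one where the second factor is a signature computed by the enrolled device over a challenge bound to the requesting session, so there is no short code for a caller to coax out of the user. Account names, passwords, keys, device identifiers, IP addresses and the `device_app_approve` helper are constructed assumptions, and the HMAC stands in for the signature a real authenticator would produce.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


def hash_pw(password: str) -> str:
    # Illustrative only; a real deployment uses a slow, salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    username: str
    password_hash: str
    phone: str
    device_key: bytes                 # constructed: secret held by the enrolled authenticator
    known_devices: set = field(default_factory=set)


@dataclass
class LoginSession:
    device_id: str                    # fingerprint of the browser/device attempting the login
    ip: str


class SmsOtpLogin:
    """Shareable-code design: any session presenting the six digits sent to the
    phone is let in, so a code read to a bot is as good as the victim's own."""

    def __init__(self):
        self.pending = {}             # username -> (code, issued_at)
        self.sms_outbox = []          # constructed stand-in for the SMS gateway
        self.risk_flags = []          # defender-side review signals

    def start(self, acct, session, password):
        if hash_pw(password) != acct.password_hash:
            return "bad_password"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[acct.username] = (code, time.time())
        self.sms_outbox.append((acct.phone, code))   # the victim's phone receives it
        return "otp_sent"

    def finish(self, acct, session, code):
        pend = self.pending.get(acct.username)
        if pend is None:
            return "no_pending_login"
        expected, issued = pend
        if time.time() - issued > 300 or not hmac.compare_digest(expected, code):
            return "bad_code"
        del self.pending[acct.username]
        if session.device_id not in acct.known_devices:
            # A correct code from a never-seen device is the pattern the bot produces.
            self.risk_flags.append(f"otp completed from new device {session.device_id} at {session.ip}")
        acct.known_devices.add(session.device_id)
        return "success"


class DeviceBoundLogin:
    """Mitigation: the second factor is a signature by the enrolled device over a
    challenge tied to the requesting session. The user never sees a code to read out,
    and a session without the device key cannot produce the signature."""

    def __init__(self):
        self.pending = {}             # username -> (challenge, session_device_id, issued_at)

    def start(self, acct, session, password):
        if hash_pw(password) != acct.password_hash:
            return "bad_password"
        challenge = secrets.token_bytes(32)
        self.pending[acct.username] = (challenge, session.device_id, time.time())
        return challenge              # handed to the web session for an attached authenticator

    def finish(self, acct, session, approval):
        pend = self.pending.get(acct.username)
        if pend is None:
            return "no_pending_login"
        challenge, dev, issued = pend
        expected = hmac.new(acct.device_key, challenge + dev.encode(), "sha256").digest()
        if time.time() - issued > 300 or not hmac.compare_digest(expected, approval):
            return "rejected"
        del self.pending[acct.username]
        acct.known_devices.add(session.device_id)
        return "success"


def device_app_approve(device_key, challenge, session_device_id):
    """What the enrolled authenticator computes for a session it is attached to."""
    return hmac.new(device_key, challenge + session_device_id.encode(), "sha256").digest()


def otp_bot_scenario():
    """Replays the article's flow: the attacker holds a leaked password, the bot relays the SMS code."""
    victim = Account("alice", hash_pw("leaked-pa55"), "+10000000000", b"enrolled-device-key")
    victim.known_devices.add("alice-laptop")
    attacker = LoginSession(device_id="unknown-vps-browser", ip="198.51.100.7")
    owner = LoginSession(device_id="alice-laptop", ip="203.0.113.5")

    sms = SmsOtpLogin()
    sms.start(victim, attacker, "leaked-pa55")        # triggers the genuine SMS to the victim
    _, code = sms.sms_outbox[-1]                      # the bot call coaxes the victim into keying it in
    sms_result = sms.finish(victim, attacker, code)   # attacker submits the relayed code

    bound = DeviceBoundLogin()
    bound.start(victim, attacker, "leaked-pa55")
    # The victim's device is not attached to the attacker's browser and holds the only key,
    # so the attacker can at best submit a forged approval.
    attacker_result = bound.finish(victim, attacker, b"\x00" * 32)
    challenge = bound.start(victim, owner, "leaked-pa55")
    owner_result = bound.finish(victim, owner, device_app_approve(victim.device_key, challenge, owner.device_id))
    return {"sms_otp": sms_result, "sms_risk_flags": sms.risk_flags,
            "device_bound_attacker": attacker_result, "device_bound_owner": owner_result}
```

Running `otp_bot_scenario()` shows the relayed SMS code succeeding for the attacker's session while the same attempt against the device-bound design is rejected; the `risk_flags` entry is the kind of signal a service can feed into step-up checks or fraud review while SMS codes remain in use.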

A growing black market

These bots can be purchased online for a few hundred dollars. With them, unfortunately, it’s easier to bypass multi-factor authentication, and probably all online services will have to start thinking about new security measures. Unfortunately, this type of bot is also becoming increasingly popular through Telegram groups dedicated to them. For example, some bot vendors have even offered promotional pricing to attract more “customers”. SMSranger, one of the most active at the moment according to Motherboard, has launched a time-limited offer (1 month) to use the single bot for $540, or lifetime access for $2,750. It is also pitched as an alternative when other groups of this kind are shut down, with promotions aimed specifically at their displaced members.

The black market for these bots is particularly active, and only accurate and timely information can help users reduce the number of successful scam attempts.