Bots are phishing for your MFA codes
Multi-factor authentication (MFA) codes are being targeted by hackers. We explained the importance of MFA as an extra layer of security for your accounts in a previous blog post. Now hackers are attempting to circumvent that layer using bot services. One such service, known as OTP Agency, used a web-based bot to trick victims into handing over their one-time passwords. The bot calls the victim, claims there has been unauthorized activity on their account, and asks them to enter the code currently shown in their phone's authenticator app. The code is relayed straight back to the hacker, who is logging in with the victim's stolen password at that same moment, because a one-time code is only valid for a short window (typically 30 seconds) and the whole attack has to run in real time.
OTP Agency has been taken offline, but it has been replaced by new bot services looking to cash in. The relatively high success rate has made these services profitable for both the bot creators and the hackers who rent them. Note what the bot does not do: it does not break MFA on its own. The attack only works if the hacker has already obtained at least the victim's login credentials, phone number and name. Some services require the hacker to have even more information on the victim, such as a Social Security number and date of birth. In other words, by the time the bot calls, the password is already compromised and MFA is the only thing still standing between the hacker and the account.
The rise of these bot services is still alarming because it exposes a weakness in the kind of MFA most services deploy. MFA requires proof from at least two of three factors: something you know (a password), something you have (a phone or hardware token), or something you are (a fingerprint or face). A code from an authenticator app or a text message is meant to prove that you have your phone, but the proof is just a six-digit number that you can read aloud, so anyone who can talk you into reading it out effectively "has" your phone for the next 30 seconds. The problem is not the factor itself but that the code is phishable: the service has no way to tell whether the person typing it is you or someone you just read it to. If you don't want to fall victim to these attacks, never give a code or any account information to callers you did not initiate contact with; a legitimate service will not phone you and ask for your MFA code. Also check whether you can switch your second factor to a phishing-resistant one, such as a FIDO2/WebAuthn security key or a passkey. Those sign a challenge that is bound to the website's origin, so there is nothing to read out over the phone and a response captured on a lookalike page is rejected by the real site. A fingerprint or face scan helps in the same way when it unlocks such a key on your device rather than being sent anywhere. This makes life considerably harder for attackers trying to get into your accounts.
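To make the difference concrete, here is an added example (not code from the original post or from any service it mentions) that simulates both second factors on the server side. It implements RFC 6238 TOTP the way authenticator apps compute it, shows that the server accepts a code no matter who submits it, and then models a simplified WebAuthn-style assertion in which the browser records the origin and the server checks it. All keys, origins and challenge bytes are constructed, hypothetical values, and an HMAC stands in for the security key's asymmetric signature so the example runs with the standard library alone.

```python
import hashlib
import hmac
import json
import struct

# Constructed secrets for this demonstration only (hypothetical values).
TOTP_SEED = b"constructed-authenticator-seed"    # shared by the server and the victim's app
DEVICE_KEY = b"constructed-security-key-secret"  # never leaves the victim's security key

REAL_ORIGIN = "https://bank.example"             # hypothetical legitimate site
PHISHING_ORIGIN = "https://bank-verify.example"  # hypothetical lookalike page used by the bot


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), as most authenticator apps compute it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_verify_totp(seed: bytes, submitted: str, unix_time: int) -> bool:
    """The server only recomputes the code; nothing ties it to who typed it or where."""
    return hmac.compare_digest(totp(seed, unix_time), submitted)


def otp_bot_relay(unix_time: int) -> bool:
    """Attacker already has the password; the bot talks the victim into reading out the code."""
    code_read_out_by_victim = totp(TOTP_SEED, unix_time)
    # The attacker types the same digits into the real login page before the step expires.
    return server_verify_totp(TOTP_SEED, code_read_out_by_victim, unix_time)


def authenticator_sign(device_key: bytes, challenge: bytes, origin: str) -> tuple[bytes, bytes]:
    """WebAuthn-style assertion, simplified: the browser (not the user) fills in the origin
    it is actually talking to, and the key signs over it. HMAC stands in for the real
    asymmetric signature so this example needs only the standard library."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin}).encode()
    sig = hmac.new(device_key, client_data, hashlib.sha256).digest()
    return client_data, sig


def server_verify_assertion(device_key: bytes, expected_challenge: bytes,
                            client_data: bytes, sig: bytes) -> bool:
    """Server checks the signature, that the signed origin is its own, and that the
    challenge is the one it issued to this session."""
    expected_sig = hmac.new(device_key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        return False
    data = json.loads(client_data)
    return data["origin"] == REAL_ORIGIN and data["challenge"] == expected_challenge.hex()


def legitimate_login() -> bool:
    """The victim signs the real site's challenge in their own browser."""
    challenge = b"\x01" * 32  # constructed; a real server uses fresh random bytes per session
    client_data, sig = authenticator_sign(DEVICE_KEY, challenge, REAL_ORIGIN)
    return server_verify_assertion(DEVICE_KEY, challenge, client_data, sig)


def assertion_bot_relay() -> bool:
    """Same bot, but the second factor is a security key. The attacker's own session gets a
    challenge; the best the bot can do is forward it to a lookalike page the victim visits.
    The victim's browser records the lookalike origin, so the relayed assertion fails."""
    attacker_challenge = b"\x02" * 32  # constructed challenge issued to the attacker's session
    client_data, sig = authenticator_sign(DEVICE_KEY, attacker_challenge, PHISHING_ORIGIN)
    return server_verify_assertion(DEVICE_KEY, attacker_challenge, client_data, sig)


if __name__ == "__main__":
    print("OTP relay accepted by server:", otp_bot_relay(1_700_000_000))
    print("Legitimate security-key login:", legitimate_login())
    print("Relayed security-key assertion:", assertion_bot_relay())
```

The point of the simulation is in the two verify functions: `server_verify_totp` has nothing to check except the digits, while `server_verify_assertion` rejects the relayed response even though the attacker forwarded the correct challenge, because the origin the victim's browser signed was not the real site's.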