Voice bots for breaking through Amazon and PayPal's 'two-step verification' are being sold to hackers



Many online services implement two-step verification as a security feature to keep accounts safe: when an account is logged in from a new device or an unusual operation is performed, a one-time password is sent to the user's smartphone or other device and must be entered to proceed. Many people may think their account is safe because they have set up two-step verification, but in the online underground market, 'bots for breaking through two-step verification' are spreading, the overseas media outlet Motherboard reports.

The Booming Underground Market for Bots That Steal Your 2FA Codes
https://www.vice.com/en/article/y3vz5k/booming-underground-market-bots-2fa-otp-paypal-amazon-bank-apple-venmo

iPhone users warned answering call can hack your bank – how to spot it
https://www.thesun.co.uk/tech/16620850/phone-call-scam-automated-message/

The new two-step verification bypass bots spreading among hackers work by impersonating the automated voice system of a payment service or bank, calling the target, and skillfully leading them to read out their one-time password. Motherboard contacted a person going by 'Kaneki' who sells such bots in the underground market and obtained a demo of one of the bot's phone calls.

By playing the embedded audio below, you can hear the automated voice asking the target for the one-time password.
(Embedded audio: Joseph Cox, Motherboard · OTP Bot Call Audio)


The bot claims to be 'PayPal's fraud prevention system' and tells the target that there was a charge of $58.25 on their account; to block this charge, they are told, they must enter the code that has been sent to their device for identity verification. When the target enters the genuine one-time password that PayPal has just sent to their smartphone, the automated voice responds, 'Thank you. Your account has been protected and this request has been blocked.' It then adds that there is no need to worry if an unfamiliar charge appears for a while, since it will be refunded within 24-48 hours, and ends the call by giving a 'reference ID' for the matter.

To the target, it looks as though their account was about to be abused but was saved thanks to two-step verification. In reality, the whole exchange is a scheme by which the hacker obtains the real one-time password sent to the target's device and uses it to break through two-step verification.



First, the hacker needs to obtain the target's username, email address, password, and so on. This information can be bought from brokers who sell data leaked from companies on the black market, or obtained from spammers.

However, if the target has two-step verification set up, the login prompt also asks for a one-time password that is sent to the target's device in addition to the account password. When a hacker who has bought a voice bot enters the target's phone number and the platform name in Telegram or Discord, the bot uses a programmable calling service to place a call to the target in the background and tell them, 'A one-time password will be sent to you, so please enter it exactly.'

At the same time, the hacker attempts to log in to or make a purchase on the platform, which causes the genuine one-time password to be sent to the target's device. Because the one-time password really does come from the platform itself, a high proportion of targets enter it exactly as the automated voice instructs, without suspecting anything. The real one-time password captured by the bot is then passed on to the hacker, and the two-step verification is broken.

OTPGOD777, who promotes voice bots, told Motherboard, 'This bot is perfect for people who don't have knowledge of social engineering.' With this bot, which can be bought for hundreds of dollars a month, two-step verification can be broken without much skill, significantly lowering the barrier to entry for hackers. Buyers can customize the bot's voice themselves, and it can target not only PayPal but also Apple Pay, Amazon, Coinbase, various banks, and so on.

Kaneki told Motherboard that the bot uses Twilio and similar services to make its automated calls. When Motherboard contacted Twilio, Cris Paden, director of corporate communications, commented that 'Twilio is cracking down on one-time password bots (OTP bots)' and that the company has a team monitoring for them. 'As soon as we notice a bot, we investigate it and take steps such as shutting down the numbers and accounts used if necessary,' he said.



'Cybercriminals are constantly trying new ways to trick people, and this one-time password / two-step verification code fraud bot is another example of fraudsters' creativity,' said Rachel Tobac, CEO of cybersecurity firm Social Proof Security. Jessica Barker, co-founder of cybersecurity firm Cygenta, said, 'We've become accustomed to automated systems communicating with us, which makes this method more compelling. On top of the classic technique of manipulating people with fear, adding a reference code or a small reassurance that you don't need to worry about the fraudulent payment makes it even more convincing.'

Voice bots for breaking through two-step verification were first reported in February 2021, and their number is said to have grown gradually since then. Kaneki told Motherboard, '(Voice bots) weren't very popular on the market 10 months ago, and if they existed, they were quite expensive. Recently, they've become more popular.'

One of the most popular voice bots, SMSranger, posts updates and product announcements on a Telegram channel with about 5,000 users, and the sub-channel where community members interact has more than 2,800 subscribers, Motherboard says. SMSranger's regular price is 600 dollars (about 68,500 yen) for monthly access and 4,000 dollars (about 457,000 yen) for indefinite access, and discounts are sometimes offered.

in Software, Security, Posted by log1h_ik