Hackers have come up with new strategies of stealing two-factor authentication (2FA) codes using bots that appear authentic. In recent years, crypto exchanges have put in measures aiming to curb criminal activities on their platforms.
In many cases, users are advised to use two-factor authentication and one-time passwords (OTP) whenever they can to boost the security of their Coinbase accounts. However, previous reports have shown that hackers have come up with a strategy of stealing sensitive codes using voice bots to trick users.
These hackers can log in or make money transfers and execute other sensitive functions using the 2FA or OTP authentication codes that the users get tricked into revealing. The voice bots that are used by most hackers are sold online.
How Hackers Use Bots To Steal The OTP And 2FA Codes
Previously, hackers used to pretend to be bank executives and sometimes customer care agents to trick unsuspecting clients into sharing their login and verification information. However, they now use customizable bots that are programmed to place automated calls and request temporary passwords to access accounts.
These bots are made to sound like you are chatting or talking to a legitimate customer care agent. They then ask you to key in the 2FA/OTP during the call. After you enter these codes, the information reaches the hackers who can readily log into the account and execute all the transactions they want.
A good example was demonstrated in an incident where a user got a call from PayPal’s fraud prevention unit. In the fake call, someone wanted to spend money by accessing a victim’s PayPal account. In the call, the bot said:
“To secure your account, please enter the code we have sent your mobile device now.”
After the code was entered, it added:
“Thank you, your account has been secured and this request has been blocked.”
The same voice also stated:
“Don’t worry if any payment has been charged to your account: we will refund it within 24 to 48 hours. Your reference ID is 1549926. You may now hang up.”
That call was made by a customizable bot that tricked the user into giving their one-time codes for authentication. The hackers used a bot that quickly streamlines the process for the fraudsters to trick their victims into giving up the multi-factor authentication codes or OTPs for all types of services. It lets them log into accounts or authorize cash transfers. Such bots attack Amazon, Apple Pay, Coinbase, PayPal, and other specified banks.
While fooling the victims into giving out a login or authentication code in the past would mostly involve the hacker directly conversing with their victim, maybe pretending to be the victim’s bank in a phone call, bots lower the barriers of entry for bypassing multi-factor authentication.
When these bots place the automated call and urge the victim to enter a code they just got, the hacker concurrently triggers a legitimate code that is sent from the targeted platform to the victim’s phone. They might do that by entering the victim’s username and password on the website so that the victim gets a login or authorization code.
Though the script in the call might tell the victim that the code is for a single purpose, which might be blocking a cash transfer or protecting their account from illegal entry, in reality, the hacker uses the code to enter the same account themselves.
The bots harvest the targeted victim’s inputted code, send it to the bit’s interface, and then it becomes accessible for the hacker to use it to log into the account. The CEO and co-founder of cybersecurity firm SocialProof Security, Rachel Tobac, wrote in an email:
“Cybercriminals are constantly trying new ways to scam folks and this OTP/2FA code stealing bot is just another example of fraudsters getting creative. This would convince many unsuspecting victims to hand over their OTP/2FA codes and the scammer doesn’t even need to be a skilled social engineer, they can simply use this bot to attempt account takeover,”
On the other hand, the co-founder of cybersecurity company Cygenta, Jessica Barker, commented in an online chat:
“This use of OTP/2FA bots is troubling because it makes it easier for criminals to carry out their scams and it makes us more susceptible to them. We have become so much more accustomed to automated systems communicating with us, which makes this more convincing.
Add in the classic manipulation by fear-mongering and the little touches like the reference code and the need not to be worried about unauthorized payments going through, and this becomes even more persuasive.”
Such hackers also can target Coinbase and other crypto exchanges to steal money and available cryptocurrencies.
To hack into an account, the hacker will require the username or email address or phone number and password. The information can be acquired from a previous data breach. In case the user has 2FA or OTP enabled, the criminals then bring in their voice bots.
Furthermore, the thieves use these combinations of phone numbers, emails, and names to determine whether the particular user has a PayPal or Amazon account before targeting them.
To stay secure, users need to be aware of these attacks. Whenever they receive a call from any customer care asking for their personal information, it is advisable to drop the calls. Also, experts advise that users should avoid sharing OTP or 2FA codes with anyone.
In case one is worried about a possible breach of their account, they should log in and track all their transactions. It is also advisable to change email addresses to prevent such breaches. However, hackers can still find the email and target the account. Thus, always remain vigilant.
While commenting about these criminal activities, A Coinbase spokesperson said:
“Coinbase acknowledges cybercriminals, who target valuable information online, are getting more creative and persistent. That’s why we take extensive security measures to ensure our platform and customer accounts remain as safe as possible, including regularly educating our customers on using the most secure forms of 2FA available and supporting hardware security keys. Coinbase also works with industry partners and law enforcement to disrupt malicious infrastructure and attack campaigns wherever possible.”
Many sellers say that these bots can also acquire codes that are generated by any multi-factor authentication smartphone app like Google Authenticator. The process is the same, tricking the victim to hand over a code to the criminals.
Beyond services and sites like PayPal, Venmo, Amazon, and Coinbase, some of the bots are customized to attack particular banks like Chase and Bank of America. In some other cases, the users customize the automatically-read script themselves, OPTGOD777 explained.
One person working in the finance sector said:
“These are used, especially for those who use SMS […] as the two-factor authentication.”
How To Avoid These Bots Attacks
This fraud goes strongly at the 2FA code and exploits users’ fear of their accounts that are being hacked against them. In taking action they believe that they are protecting themselves, but instead, they are exposing themselves to the thieves.
A report published by Florida-based cybersecurity firm Q6 Cyber mentioned that OTP bots are causing massive losses for individuals and financial institutions. The damage is still hard to quantify since these attacks are relatively new.
The report stated:
“The bot calls are crafted in a very skillful manner, creating a sense of urgency and trust over the phone. The calls rely on fear, convincing the victims to act to ‘avoid’ fraud in their account.”
The scam succeeds because the victims are used to inserting a code for validation to authenticate account information. Experts say that users need to listen keenly since the robocalls sound legitimate. Do not pick these calls when distracted by something else.
Jessica Kelley, a Q6 Cyber analyst who helped write this report acknowledged that it is human nature to panic when you get a call saying that someone is trying to sign in to your account.
The bots showed up for sale on the Telegram messaging platform and Kelley named six channels with over 10,000 subscribers each selling bots. While there is no official estimate on the amount of crypto stolen from Coinbase and other crypto exchanges, Kelley said that the criminals brag on Telegram about how well their bots are performing.
Some of these hacker bots have netted for every user thousands or hundreds of thousands of dollars in crypto. The cost of the bots ranges from $100 per month to $4,000 for lifetime subscriptions. Kelley added:
“Before these OTP bots, a cybercriminal would have to make that call himself. They would have to call the victim and try to get them to divulge their personal identifiable information or bank account PIN or their 2FA passcode. And now, with these bots, that whole system is just automated and the scalability is that much larger.
Once the victim inputs that 2FA code, or any other information that they requested the victim put in their phone, that information gets sent to the bot. The bot then automatically sends it to the cybercriminal, who then has access to the victim’s account.”
Criminals can steal everything because, with these transactions, they can execute them one after the other until everything is drained. Experts at Microsoft insist that multi-factor authentication can help in preventing 99.9% of these hacks.
On their part, Coinbase sought to clarify this matter. A Coinbase spokesperson stated:
“Coinbase will never make unsolicited calls to its customers, and we encourage everyone to be cautious when providing information over the phone. If you receive a call from someone claiming to be from a financial institution (whether Coinbase or your bank), do not disclose any of your account details or security codes. Instead, hang up and call them back at an official phone number listed on the organization’s website.”
Coinbase has set up a phone support line to help clients, but even that has been fraught with problems.