New: underground trade of bots that steal your 2FA codes. Bot places convincing automated call to target. Victim enters code, gets fed to hacker instantly. Dramatically lowers the barrier of entry for bypassing 2FA, no social engineering skills neededhttps://www.vice.com/en/article/y3vz5k/booming-underground-market-bots-2fa-otp-paypal-amazon-bank-apple-venmo …
-
Show this thread
-
Here is audio of one of the one time password (OTP) bots. We asked someone selling one to demo it for us on our number. Now hackers don't even need social engineering skills; just buy a bot for a few hundred dollarshttps://soundcloud.com/user-233140213/otp-bot-call-audio …
1 reply 15 retweets 42 likesShow this thread -
“The bot is great for people who don’t have social engineering skills,” one OTP bot seller said. Not everyone is “comfortable and persuasive on the phone you see.” https://www.vice.com/en/article/y3vz5k/booming-underground-market-bots-2fa-otp-paypal-amazon-bank-apple-venmo …pic.twitter.com/3x3IVfcEAr
2 replies 5 retweets 30 likesShow this thread -
These bots are not just for SMS-based 2FA. Can work for app-based too such as Google Authenticator. Seen bots that target Amazon, PayPal, Apple Pay, Venmo, Bank of America, Chase, etc https://www.vice.com/en/article/y3vz5k/booming-underground-market-bots-2fa-otp-paypal-amazon-bank-apple-venmo …pic.twitter.com/8B3L4OvjfE
3 replies 12 retweets 40 likesShow this thread -
The trade of these bots seems to be rapidly expanding. Some research earlier in the year, but we found a bunch more bots now. Person who sells bots says they're getting more popular. We saw thousands of people in bot Telegram channels https://www.vice.com/en/article/y3vz5k/booming-underground-market-bots-2fa-otp-paypal-amazon-bank-apple-venmo …pic.twitter.com/Bmt7ZWUhu1
1 reply 3 retweets 17 likesShow this thread -
The bots are super simple to use. Enter the target's number, and the platform you're trying to break into. Bot handles the rest and then gives you the code too. Here's what it looks like https://www.vice.com/en/article/y3vz5k/booming-underground-market-bots-2fa-otp-paypal-amazon-bank-apple-venmo …pic.twitter.com/eGMxVEttmZ
1 reply 6 retweets 30 likesShow this thread -
The calls from the bot are persuasive. Someone is trying to use your PayPal account, please verify you didn't send that money. Enter the code we just texted you (at same time, hacker triggers a legit 2FA code from PayPal). Sense of urgency likely effective https://www.vice.com/en/article/y3vz5k/booming-underground-market-bots-2fa-otp-paypal-amazon-bank-apple-venmo …pic.twitter.com/bUUCoet9S3
1 reply 16 retweets 34 likesShow this thread -
As for how they work, the bots use either Telegram or Discord. On the backend are sites like Twilio, which can send automated messages and calls. Twilio confirmed it is seeing OTP bots on its platform and taking them down https://www.vice.com/en/article/y3vz5k/booming-underground-market-bots-2fa-otp-paypal-amazon-bank-apple-venmo …pic.twitter.com/bHilU0Qvqy
2 replies 7 retweets 24 likesShow this thread -
The ecosystem of these OTP bots is already pretty varied. Contacted one in around August, it went dark response, but now points to another similar bot. https://www.vice.com/en/article/y3vz5k/booming-underground-market-bots-2fa-otp-paypal-amazon-bank-apple-venmo …pic.twitter.com/r3w05Nh4nk
1 reply 3 retweets 22 likesShow this thread -
Piece includes video of one of the bots in action. Very easy for anyone to use, now essentially any level of skill fraudster can try to bypass 2FA. Raises Qs on whether services need to do more than SMS/app 2FA https://www.vice.com/en/article/y3vz5k/booming-underground-market-bots-2fa-otp-paypal-amazon-bank-apple-venmo …pic.twitter.com/YOK8aNTMHf
4 replies 12 retweets 31 likesShow this thread
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.