So you think 2FA is protecting you… That’s cute

The phone rings, and a voice on the other end states: "Welcome to Chase Fraud Protection Department. We have recently received a charge from E Constants online retailer for $74.32. If this was not you, please press 1." A few seconds later the phone buzzes with a text message from 227895, the same short code you always receive your verification codes from.

You quickly key it into the call to confirm that it is in fact you.

The voice continues:

“Thank you, your account has been secured and your request has been blocked. Please make sure you only enter your password at Chase.com. This payment has been blocked and charges have been reversed, your account will be refunded within 24-48 hours. Your reference ID is 5984371. You may now hang up.”


Ahhh! That was easy! I'm glad the Chase fraud department is working overtime, you think to yourself. Unfortunately, what you actually did was hand the attackers the one-time code for your bank account. They were already sitting at the login page with your password, waiting for it; once they typed it in they were logged into your online banking and could Zelle money out of every linked account.


These bots can target banks, credit cards, Apple Pay, PayPal, GoDaddy, Amazon, Coinbase, and virtually any platform that is "secured" with two-factor authentication (2FA) or multi-factor authentication (MFA) based on a code the user can read out. The process is so streamlined that just about anyone with virtually no IT knowledge can get a bot up and running. The attackers no longer have to be fluent in English, or even talk to their victims on the phone, to con their way in.


We live in a world where recorded voice calls, SMS authentication codes and the like are part of everyday life, and we don't think twice about them. Some of these bots are open source, with instructions on how to run them; if you prefer an even more streamlined process, you can pay a few hundred dollars to get one pre-configured, with tech support behind it. With these SMS-bypass bot calls offered as a service, any wannabe hacker CAN IN FACT pull this off fairly easily, with virtually no technical background or hacking skills needed.


Oh, but you think, "Well, where would they get the usernames and passwords in the first place?"

Unfortunately, a lot of people don't use a password manager and instead rely on "complex" passwords that are easy to memorize, such as their dog's name followed by their birth year (you know, the stuff nobody could possibly find on social media). To make matters worse, they use the same password for their bank account and for the online crochet sweater boutique. Sites like that often run outdated versions of PHP, WordPress or plugins, get their databases dumped, and have their user records leaked to the dark web in large data dumps.

These dumps typically include your favorite usernames and passwords, your name, phone number, date of birth and more, depending on where the data was taken from.


Once the attackers have a username and password from a database dump, they try it against the bank's login page (password reuse is exactly what makes this credential stuffing work). When the login succeeds, the site asks for the 2FA code. This is where the bot comes in: now that they have a working username/password combination for your bank account, they enter the victim's phone number into the bot on Telegram or Discord and select the platform they are targeting. The bot dials the victim while the attacker triggers the legitimate 2FA code on the targeted website, so the real code lands on the victim's phone at the same moment the "fraud department" is on the line.

The phone scripts all share the same pretext: the caller is securing the account against unauthorized entry. In reality, the bot feeds the legitimate 2FA code that the victim keys in straight back to the attacker, who enters it into the waiting login session and is in. What makes this troubling is that the social-engineering script can be customized for any bank or financial institution, and because the victim is simply asked to read out whatever code they see, the same trick works on codes from the Google Authenticator or Microsoft Authenticator apps. The one kind of factor it cannot relay is one with no code to read out, such as a FIDO2 security key or passkey: the signed response is bound to the browser session that requested it and never appears on the victim's screen, so there is nothing for the victim to repeat to a caller.
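To make the mechanics concrete, here is a small simulation of the exchange just described. It is an added example written for this page, not code from the original post or from any actual bot. It models an SMS-OTP bank, the robocall, and a victim who reads back whatever code is on their phone, then repeats the run against a device-bound factor (a stand-in for a FIDO2 security key, using an HMAC key held on the device in place of a real signature). The username, password, phone number and bank origin are constructed sample values.

```python
"""Simulation of the OTP relay walkthrough above.

Added example for this page: it is not code from the original post or from any
real bot. The bank, bot and victim are toy models; the username, password and
phone number are constructed sample data.
"""
import hashlib
import hmac
import secrets

# Constructed sample data (not real accounts).
LEAKED_USERNAME = "jane.doe"
LEAKED_PASSWORD = "Buddy1987"          # dog's name + birth year, reused at the bank
VICTIM_PHONE = "+14045550123"
BANK_ORIGIN = b"https://bank.example"   # assumed origin for the bound-authenticator variant


class Phone:
    """The victim's handset: it receives texts and the victim can read the latest one back."""

    def __init__(self):
        self.inbox = []

    def latest_code(self):
        """All the victim can give a caller: the digits of the most recent text, if any."""
        if not self.inbox:
            return None
        return "".join(ch for ch in self.inbox[-1] if ch.isdigit())


class SmsOtpBank:
    """Password + SMS one-time code. The code is tied to the phone on file, not to
    the browser session that asked for it, so whoever types it in first wins."""

    def __init__(self, phone):
        self.phone = phone
        self.users = {LEAKED_USERNAME: LEAKED_PASSWORD}
        self.pending = {}   # login_id -> code

    def login(self, username, password):
        if not hmac.compare_digest(self.users.get(username, ""), password):
            return None
        login_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[login_id] = code
        self.phone.inbox.append(f"Your verification code is {code}. Do not share it.")
        return login_id

    def verify(self, login_id, code):
        expected = self.pending.pop(login_id, None)
        return expected is not None and code is not None and hmac.compare_digest(expected, code)


class BoundAuthBank:
    """Password + a challenge answered by a key that never leaves the victim's device.
    Stand-in for FIDO2/WebAuthn: HMAC-SHA256 plays the role of the authenticator's
    signature, and the bank holds the key the way it would hold a registered public key."""

    def __init__(self):
        self.users = {LEAKED_USERNAME: LEAKED_PASSWORD}
        self.device_key = secrets.token_bytes(32)   # provisioned at enrollment, on the device only
        self.pending = {}   # login_id -> challenge

    def login(self, username, password):
        if not hmac.compare_digest(self.users.get(username, ""), password):
            return None
        login_id = secrets.token_hex(8)
        challenge = secrets.token_bytes(32)
        self.pending[login_id] = challenge
        # The challenge goes back to the browser that made the request; nothing is texted.
        return login_id, challenge

    def verify(self, login_id, assertion):
        challenge = self.pending.pop(login_id, None)
        if challenge is None or assertion is None:
            return False
        expected = hmac.new(self.device_key, BANK_ORIGIN + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def relay_bot_call(phone):
    """The 'fraud department' robocall: asks the victim to key in the code they just received."""
    return phone.latest_code()


def otp_relay_attack():
    """SMS OTP: the relayed code authenticates the attacker's session. Returns True."""
    phone = Phone()
    bank = SmsOtpBank(phone)
    login_id = bank.login(LEAKED_USERNAME, LEAKED_PASSWORD)   # attacker triggers the real SMS
    code = relay_bot_call(phone)                               # victim reads it to the bot
    return bank.verify(login_id, code)                         # attacker types it in


def bound_auth_attack():
    """Device-bound factor: there is no code on the victim's phone to relay. Returns False."""
    phone = Phone()
    bank = BoundAuthBank()
    login_id, _challenge = bank.login(LEAKED_USERNAME, LEAKED_PASSWORD)  # challenge sits in the attacker's browser
    code = relay_bot_call(phone)                                          # None: nothing was texted
    return bank.verify(login_id, code.encode() if code else None)


if __name__ == "__main__":
    print("SMS OTP relay succeeded:", otp_relay_attack())
    print("Bound authenticator relay succeeded:", bound_auth_attack())
```

A code from an authenticator app behaves exactly like the SMS case here: the victim reads six digits off a screen, and the digits are valid for whichever session presents them first. The bound variant fails not because the bot is detected but because the only thing the victim can say on the phone is what is on their screen, and the challenge never reaches it.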


Bots such as SMSRanger can be found on Telegram channels with over 7,000 subscribers, with hundreds joining every day. The point I am trying to make is that criminals have every incentive to keep coming up with new ways to scheme people out of money. Targeting the human element is much easier and requires far less technical knowledge than brute-forcing their way into a network. Educating people that these threats exist is the first line of defense; for high-value accounts, the durable fix is a second factor that cannot be read out over the phone.


How can this affect your business?

Because these calls can be customized, the same technique could easily be used to trick you into giving up access to your GoDaddy account. From there the attackers log into your Office 365 email and set up a few inbox forwarding rules that silently copy every incoming message to an external mailbox they control. With your mail in hand they can reset virtually any password tied to your work email, and from there work their way into your internal systems, for example to deploy ransomware.
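A quick check a practitioner would run after any suspected mailbox takeover is to triage every inbox rule that forwards or redirects mail outside the organization. The script below is an added example for this page, not code from the original post or from Microsoft. It assumes the rules were exported from Exchange Online PowerShell with something like `Get-InboxRule -Mailbox <user> | ConvertTo-Json` and that the fields carry the names Exchange uses (ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MarkAsRead, MailboxOwnerId); the export itself and the organization domain are constructed sample data.

```python
"""Triage of Office 365 inbox rules for the external-forwarding pattern described above.

Added example for this page, not from the original post or from Microsoft. It assumes
a JSON export of Get-InboxRule objects with Exchange's field names; the export below
and the organization domain are constructed sample data.
"""
import json
import re

ORG_DOMAINS = {"contoso.com"}   # assumed: the tenant's own accepted domains
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample export: a benign delegation rule, an attacker-style rule, a disabled one.
SAMPLE_EXPORT = json.dumps([
    {"MailboxOwnerId": "jane.doe@contoso.com", "Name": "Send invoices to AP", "Enabled": True,
     "ForwardTo": ['"AP Team" [SMTP:ap@contoso.com]'], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False, "MarkAsRead": False},
    {"MailboxOwnerId": "jane.doe@contoso.com", "Name": ".", "Enabled": True,
     "ForwardTo": [], "RedirectTo": ['[SMTP:backup.mail.7781@gmail.com]'],
     "ForwardAsAttachmentTo": [], "DeleteMessage": True, "MarkAsRead": True},
    {"MailboxOwnerId": "jane.doe@contoso.com", "Name": "Old newsletter rule", "Enabled": False,
     "ForwardTo": ['[SMTP:jane.personal@outlook.com]'], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False, "MarkAsRead": False},
])


def external_targets(rule):
    """Addresses this rule sends mail to that are outside the organization's domains."""
    targets = []
    for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        for entry in rule.get(field) or []:
            for addr in EMAIL_RE.findall(entry):
                if addr.split("@", 1)[1].lower() not in ORG_DOMAINS:
                    targets.append(addr.lower())
    return targets


def triage_rules(export_json):
    """Return one finding per rule that forwards externally, with the evidence-hiding flags set."""
    findings = []
    for rule in json.loads(export_json):
        targets = external_targets(rule)
        if not targets:
            continue
        findings.append({
            "mailbox": rule.get("MailboxOwnerId"),
            "rule": rule.get("Name"),
            "enabled": bool(rule.get("Enabled")),
            "targets": targets,
            # A rule that deletes or marks-as-read what it forwards is built to stay unnoticed;
            # a one-character name like "." is a common sign of the same intent.
            "hides_activity": bool(rule.get("DeleteMessage") or rule.get("MarkAsRead")),
            "suspicious_name": len((rule.get("Name") or "").strip()) <= 1,
        })
    return findings


if __name__ == "__main__":
    for f in triage_rules(SAMPLE_EXPORT):
        flag = "HIGH" if f["enabled"] and (f["hides_activity"] or f["suspicious_name"]) else "review"
        print(f"[{flag}] {f['mailbox']} rule {f['rule']!r} -> {', '.join(f['targets'])}")
```

Inbox rules are only one of the places forwarding can hide: the mailbox-level ForwardingSmtpAddress and ForwardingAddress properties (visible through Get-Mailbox) and tenant transport rules should be reviewed in the same pass, and the finding should be paired with the sign-in logs for the mailbox around the time the rule was created.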

Everyone is vulnerable, no matter what precautions we take. We help businesses develop a plan of action to avoid a breach in the first place and, if one does occur, to contain it. If your business is located in Metro Atlanta and you are not sure whether your firm's security is up to date, AlphaCIS can perform a free network security assessment.

If you don't have a Disaster Recovery Plan in place, we would be happy to discuss one and help you prepare it. You can reach us by booking a quick discovery phone call with an engineer HERE, or call us at 678-619-1218.

Dmitriy Teplinskiy
I have worked in the IT industry for 15+ years. During this time I have consulted clients in accounting and finance, manufacturing, automotive and boating, retail and everything in between. My background is in networking and cybersecurity.