The Booming Underground Market for Bots That Steal Your 2FA Codes
-
With these bots that cost a few hundred dollars, anyone can start getting around multi-factor authentication, a security measure that many members of the public may assume is largely secure. The bots' existence and increased popularity raises questions on whether online services need to offer more phishing-resistant forms of authentication to protect users.
To break into an account, a hacker will need a victim’s username or email address and password. They might source that from a previous data breach which contains credentials many people reuse across the internet. Or they could buy a set of “bank logs”—login details—from a spammer, OPTGOD777 said. But the victim may have multi-factor authentication enabled, which is where the bots come in.
Either on Telegram or Discord, the hacker enters their target’s phone number and the platform the hacker wants to break into. In the background, the bot then places the automated call to the target. Kaneki told Motherboard that the bots use sites similar to Twilio, a communications company for businesses that lets customers send messages and make calls, although Kaneki said not all of the bots use Twilio specifically.
-
scary stuff!!
