Vice has released a story discussing the rise in the use of phishing bots that target people’s 2FA codes. Vice was able to speak to some of the sellers of these tools in order to better understand how they work. The rapidly growing availability of the bots is prompting a lot of concern.
The bots work by phoning the target and imitating an automated security function. In Vice’s case, the bot that contacted the article’s author pretended to be a representative from PayPal. It claimed that someone was attempting to make a payment, and that a 2FA code was needed to confirm that the account holder wasn’t the one making it.
After the code was provided, the bot claimed the transaction had been blocked. In reality, the code was sent directly to the hacker, giving them access to the account. While this type of phishing isn’t new, the pivotal role of bots in it is.
Normally a phisher would have to talk to a target directly, and that alone could give the scam away if the phisher fumbles. The bot, on the other hand, can deliver its lines smoothly. As the article points out, many people are now used to dealing with automated systems, and so may let their guard down.
Phishing is the leading cause of data breaches, accounting for about 90% of them. The fact that the tools needed to perform them are being refined and pushed to a mass market is concerning.
Phishing as a Service
In conversation with one of the sellers of these bots, Vice was able to see the bot in action. The seller proved that the code typed into the phone was sent to them. The sellers speak quite candidly about the tools. While articles of this nature are important to alert the public, the sellers perhaps see them as a chance to advertise.
One of the sellers contacted by Vice went dark. Another, quick on the draw, offered a discount to any of that seller’s existing customers if they switched over. It appears these tools are built on software similar to help desk software, and the providers of such services are trying to clamp down on this use of their platforms.
Phishing is scary because it’s not an attack on hardware or software. Password managers and other tools can protect credentials, but if a person is tricked into giving up their information, very little can be done. Phishing is a social engineering attack: rather than breaking in directly, attackers get targets to let them in.
It seems a “boom” of this tech is underway. Hopefully, infosec and governments can get ahead of the tools, and find ways to curb their use.