ShieldSquare is now Radware Bot Manager


Bots Are Now Calling to Phish For Your Two-Factor-Authorization (2FA) Codes

November 25, 2021 | General Automated Threats News & Events


Most of us are familiar with ‘Two-Factor Authentication’ or ‘2FA’ as an additional security measure when logging in to sites such as Google, Apple, Facebook, Microsoft, Amazon and many other popular websites and applications of every kind. The idea is that a user should, in addition to a username and password, also provide an additional code or token issued by the website or app. This code can be either sent as a ‘One-Time Password’ (OTP) via SMS or a token obtained from a mobile app such as Google or Microsoft Authenticator, and is usually valid only for a short duration such as one minute before a new token must be entered. Codes that are valid only for a short time window are also known as ‘Time-Based OTPs’ (TOTP) and are commonly used when logging into websites and apps or to approve a banking transaction.

The idea behind 2FA and OTP tokens is that even if a user’s password is breached or stolen, an attacker still cannot access the user’s account without the second factor to authenticate the log-in, which is usually obtained from an authenticator app on the account holder’s mobile or desktop device. Recently, however, crooks and fraudsters have started using a phone phishing technique that uses specialized bots sold on underground websites to make phone calls to their victims. The technique tries to pose as a security verification call from the website or app that the potential victim uses so as to trick them into providing the actual OTP or 2FA code sent by the website or app (immediately after the fraudster logs in and attempts a purchase or transaction through that portal).

How does 2FA phishing work?

Fraudsters now use specialized bots that make it far easier and quicker for them to fool their targets into providing their authentication codes or OTPs sent by the website or app in order to carry out their crimes. Using massive lists of breached and leaked log-in credentials and personal data available for sale on shady underground sites, they first correlate these personal details to the victim’s name and mobile number. They then activate the bot to ‘robo-call’ the victim from a fake Caller ID number that purports to be from the victim’s bank or payment service such as Stripe or PayPal.

These phishing bots sound just like the robotic-voiced customer service bots that most of us are used to hearing when we call our bank or other types of companies we often deal with. The phishing bot first enters the previously-obtained log-in credentials for the victim’s account into the bank or payment processing website. The bank or payment service then immediately sends an SMS OTP to the victim’s phone number (which the fraudster already obtained from prior breaches and leaks of personal data). The bot then calls the victim and plays a legitimate-sounding message stating that the account holder must complete a “security verification” by entering the OTP that the bank had just sent.

If the target is fooled and complies by entering the legitimate OTP from the bank’s text message that was triggered by the bot’s log-in attempt, the fraudster can successfully log in, take over the account, and quickly deplete the account before the victim reports the incident to the bank. In case the victim uses an authenticator app rather than getting codes via SMS, the bot requests the victim to enter the code shown in that app.

How can 2FA phishing be prevented?

Though 2FA codes have significantly helped reduce the incidence of fraud and account takeover, they are vulnerable to interception by specialized phishing bots now being sold on underground sites. When a victim gets a phone call appearing to be from the bank he or she uses and is tricked into giving up the 2FA code sent by the bank or other website, there is little chance of stopping the crime in progress.

While some enterprises now use push notification services such as Okta to verify log-in attempts, most banks and other types of businesses still do not use them. Even with such security measures, it may be possible for some victims who are unaware of recommended online security practices to be deceived by these robo-call tactics into approving the push notification from the security app on their mobile devices in response to the fake call they received from a phishing bot pretending to be from their bank or other companies.

The only certain way to prevent 2FA phishing bots is by implementing a dedicated bot management solution that accurately detects bots on a website or app in real time and prevents the initial log-in attempt in the first place. A purpose-built bot mitigation solution can analyze hundreds of data points to differentiate between a bot and a human, and can also leverage machine learning and artificial intelligence to detect the intention of every visitor, even if they are phishing bots that enter the correct log-in credentials to a website or app.
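The attack chain described under "How does 2FA phishing work?" only gets as far as the phone call if the bot's initial log-in is accepted and an OTP is sent. The following added example (not Radware's code or scoring model) shows the kind of server-side risk check that can intervene at that first step: it scores each credential submission on a few signals a bot leaves behind and decides whether to proceed, challenge, or block before any OTP is dispatched. The signal names, weights, thresholds, user-agent strings, IP addresses and log-in events are all constructed for illustration; a production system would draw on far more data points than these four.

```python
from collections import defaultdict
from dataclasses import dataclass

# Illustrative weights and thresholds (assumptions for this example, not a vendor's model).
W_VELOCITY, W_FAST_FILL, W_HEADLESS, W_NEW_DEVICE = 40, 25, 30, 15
VELOCITY_WINDOW_S = 300       # look back five minutes
VELOCITY_ACCOUNTS = 5         # distinct accounts from one IP within that window
HUMAN_FILL_FLOOR_MS = 800     # faster than a person can type a username and password
BLOCK_AT, CHALLENGE_AT = 60, 30
HEADLESS_MARKERS = ("HeadlessChrome", "PhantomJS")  # real automation-browser UA tokens


@dataclass
class LoginAttempt:
    ts: int            # unix seconds
    account: str
    ip: str
    user_agent: str
    fill_ms: int       # milliseconds between login page load and credential submit
    new_device: bool   # device fingerprint never seen on this account before


class LoginRiskScorer:
    """Scores a credential submission before the server sends any OTP (example design)."""

    def __init__(self):
        self.seen_by_ip = defaultdict(list)   # ip -> [(ts, account), ...]

    def score(self, a: LoginAttempt):
        reasons, score = [], 0
        self.seen_by_ip[a.ip].append((a.ts, a.account))
        # Velocity: one source hitting many different accounts in a short time.
        recent = {acct for ts, acct in self.seen_by_ip[a.ip] if a.ts - ts <= VELOCITY_WINDOW_S}
        if len(recent) >= VELOCITY_ACCOUNTS:
            score += W_VELOCITY
            reasons.append(f"{len(recent)} accounts from {a.ip} within {VELOCITY_WINDOW_S}s")
        # Form fill time far below human typing speed suggests scripted submission.
        if a.fill_ms < HUMAN_FILL_FLOOR_MS:
            score += W_FAST_FILL
            reasons.append(f"credentials submitted in {a.fill_ms} ms")
        # Self-identifying automation browsers.
        if any(marker in a.user_agent for marker in HEADLESS_MARKERS):
            score += W_HEADLESS
            reasons.append("headless browser user agent")
        # A never-seen device is weak on its own but compounds the other signals.
        if a.new_device:
            score += W_NEW_DEVICE
            reasons.append("unrecognised device for this account")
        return score, reasons

    def decide(self, a: LoginAttempt) -> str:
        score, _ = self.score(a)
        if score >= BLOCK_AT:
            return "block"        # reject the log-in; no OTP is ever sent to the account holder
        if score >= CHALLENGE_AT:
            return "challenge"    # hold the log-in behind a further check before proceeding
        return "allow"


# Constructed sample traffic: one human, one headless bot, and one bot using a normal
# browser user agent but working through a list of accounts from a single address.
HUMAN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/96.0"
HEADLESS_UA = "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/96.0"
SAMPLE_EVENTS = [
    LoginAttempt(1000, "alice", "198.51.100.10", HUMAN_UA, 6400, False),
    LoginAttempt(1010, "bob", "203.0.113.7", HEADLESS_UA, 120, True),
] + [
    LoginAttempt(1020 + 10 * i, acct, "203.0.113.9", HUMAN_UA, 350, True)
    for i, acct in enumerate(["carol", "dave", "erin", "frank", "grace"])
]


def run_sample():
    """Return [(account, decision), ...] for the constructed events, in order."""
    scorer = LoginRiskScorer()
    return [(e.account, scorer.decide(e)) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for account, decision in run_sample():
        print(f"{account:6s} -> {decision}")
```

In the sample run the human log-in is allowed, the headless bot is blocked on its very first attempt, and the stealthier bot is challenged on each account until its fifth distinct account from the same address tips it over the block threshold. The decision is made before the OTP exists, which is exactly the point the paragraph above makes: once the code has been sent to the victim's phone, the rest of the fraud plays out over a phone call the website never sees.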
