SeedSpark Blogs | Business Growth Services in Charlotte, N.C.

Bots Are Stealing MFA Codes and Accessing Accounts - The New Cyber Threat in 2021

Written by Samuel Adams | 11/03/2021

Cybersecurity has quickly evolved over the last decade. From simple pin numbers and passwords to more complex password requirements and even passphrases, users around the world have constantly upped the ante in an effort to fight back against a nearly constant stream of attacks coming from every angle. Multi-factor authentication, or MFA, has been the gold standard of account security. MFA improves account security by requiring a login confirmation from a secondary device, making remote attacks and unregistered access nearly impossible - until now. 

A new type of social engineering attack is being used to trick users into handing over access to their accounts. In traditional social engineering strategies, bad actors contact users directly, pretending to be from a reputable company in an attempt to convince the user into sharing their login information or other sensitive data. New bot networks are taking humans out of the equation, using convincing "robocall" messages that are supposedly from popular companies that trick users into handing over their account access. These bots, known as one-time password (OTP) bots are posing a major threat to accounts around the world. Here's how they work:

  1. Bad actor attempts a login, requesting an MFA code that is sent to the user's device. 
  2. An automated bot calls the user, requesting the MFA code.
  3. A convinced user enters the MFA code, which is then entered by the bot.
  4. The user's account is now compromised.

News of this attack comes from Vice reporter Joseph Cox, who shares that these convincing bots have tapped into user accounts from Amazon, Coinbase, PayPal, and more, all with relative ease because of how convincing the ploy is. Whether the MFA code is sent via phone, text, or third-party app, the only way to combat this type of strategy so far is to educate users and spread awareness of the issue. 

While traditional phishing attacks are dangerous enough, these bot attacks are even more dangerous. These attacks are scalable, requiring no social engineering skills from the attacker, and they can be very convincing. Below is a call recorded by Cox that shares what a scam call could sound like.

 

Amazon, Chase Bank, Coinbase, and more have publicly acknowledged the issue, letting users know that automated bots will never contact them and ask for personal information. It's clear that these new attacks are here to stay, with Motherboard finding that this type of attack has surged in popularity throughout 2021 in online hacking groups because of its simplicity, ease, and efficacy. 

While there is no one-stop solution that provides complete security, there are several steps that users can take to protect their data online. Always use a unique password on each account, preferably created through a password generator and managed through a password management platform like Last Pass (a team that we partner with for our password management services.) Remember that professional institutions will never ask for private information over the phone; if you have a customer service issue or would like to get in touch with a company it's best to contact them directly through their website's contact page. It's also important to stay up to date on the latest attacks to understand the telltale signs so that you're aware of the situation when one happens - it's not a matter of if, but when.

SeedSpark partners with small- and medium-sized businesses to deliver technology solutions that meet today's needs while helping them prepare for tomorrow. We've partnered with SentinelOne to offer AI-powered cybersecurity for our clients, providing tools that help protect against today's top cybersecurity threats as they happen. Contact our team today to learn more about SeedSpark Cybersecurity for small businesses.