Meet the New Type of Cyber Attack Targeting MFA Codes

What do Facebook, Yahoo, AOL, and LinkedIn all have in common? They’ve all been the victims of massive data breaches that have left the login credentials of millions of users out in the open, ready to be picked off by cybercriminals. When a database of this information is found (or even sold to a buyer) online, anything is possible if the password hasn’t been changed.

That’s where one-time password bots come in. OTP bots work around accounts with multi-factor authentication enabled, using a new social engineering strategy to trick users into sharing their codes and handing over access to their accounts. Here’s how it works:

Schedule your free
30-minute cybersecurity assessment.

1. Bad actor attempts a login, requesting an MFA code that is sent to the user’s device.

Once leaked data is found online, a bot attempts to log in to the account. If successful, the bot submits a request for an MFA code that pings the user’s device.

2. An automated bot calls the user, requesting the MFA code.

The bot places a call as soon as the request is sent to the user, claiming to be an automated messaging system associated with the company. The bot claims that the account has been compromised and the user must share their MFA code to confirm their identity and decline this “fake login attempt.”

3. A convinced user enters the MFA code, which is then entered by the bot.

If the user isn’t aware of the scam and shares their information, the bot finishes the call and uses the MFA code to gain access to the account and its data.

4. The user’s account is now compromised.

One-time password (OTP) bots are growing in popularity among online hacking groups because of their ease of use and convincing nature. These bots have tapped into user accounts from Amazon, Coinbase, PayPal, and more, all with relative ease because of how convincing the ploy is. Whether the MFA code is sent via phone, text, or third-party app, the only currently available way to combat this type of strategy so far is to educate users and spread awareness of the issue.

SeedSpark is constantly monitoring the cybersecurity landscape, identifying threats to keep our clients informed and protected in today’s digital landscape. We’ve has partnered with LastPass to deliver a simpler way for our clients to manage their password libraries. Complete the form to download the free SeedSpark x LastPass Benefits Guide, sharing valuable password security information and benefits of the service that add security while making your workflow a breeze.

Schedule your free
30-minute cybersecurity assessment.