phone-red Call us about IT Support in London 020 7572 0000

The bot scams seeking to steal your MFA codes

Byte-size Bulletin by Rachael Brown in Security, News on Nov 19, 2021



There is a booming underground market for bots designed to steal your Multi-factor authentication (MFA) codes.

These bots have helped hackers effortlessly break into PayPal, Amazon and Coinbase accounts. They can even be used to access your official bank account.

So, how do the bots work?

Well, to break into an account, a hacker needs your username/ email address and a password. They can easily source this from a previous data breach you are probably unaware of that exposed your credentials. They could alternatively buy a set of “bank logs”, aka login details, from a spammer.

But then they find you have MFA enabled on your account. This is a roadblock in their plan, which these bots help to bypass.

The hacker can enter their targets phone number and the platform they want to break into on a remote calling service like Telegram. Then the bot will place an automated call to the target. The bot will respond with an automated message that tells the victim their account has been compromised, or is attempting to cancel an unauthorised transaction.

The bot will then request a code sent to your device to secure the account. At the same time, the hacker will trigger a legitimate code to be sent from the targeted platform to the victim’s phone.

This follows the authentication procedure that PayPal and Amazon both have, so is highly believable. While the script in the call may tell the victim that the code is for one purpose, like blocking a cash transfer or protecting their account from unauthorised entry, in reality the hacker is using the code to enter the account themselves.

The bot then takes the victim’s inputted code and feeds it back to it’s interface, allowing the hacker to use the code to login.

These bots can be used to obtain the codes generated by a MFA app on your phone, like Microsoft or Google Authenticator. Removing the last and arguably most critical layer of security on your precious online accounts. These bots are not only dangerous because they can be used to bypass MFA, but also because they essentially automate the scamming process.

Previously, for a hacker to convince you to give over MFA codes, they would have to pretend to be your bank or Paypal in a phone call to deceive you. Removing this step, dramatically lowers the barrier of entry, and the effort required on the criminals part, to hack your accounts.

These bots only cost a few hundred dollars and can be used again and again to bypass a security measure we all have been able to heavily rely on historically as secure. Their existence deepens questions on if online services need to provide phishing-resistant forms of authentication to protect users.

Reportedly, users of the bots share their successes with one another on sites like Telegram, and look to collaborate to target more victims. Bot sellers even run promotional prices, to bring in more customers, during peak online shopping times.

Image Credit: Adobe Stock Images

Subscribe to our Bulletins

Free Download

Is IT a bottleneck to your company’s growth?

Discover how small business IT support can be a strong ally in making you more productive and competitive.

Download Ebook