How do Hackers Bypass Two-Factor Authentication?

Cybercriminals are circumventing two-factor authentication (2FA) with phishing techniques that are becoming increasingly sophisticated. With 2FA now widely adopted by websites and mandatory in many organizations, attackers have developed methods that combine phishing pages with automated OTP bots to deceive users and gain unauthorized access to their accounts.
Two-factor authentication (2FA) has become standard practice in online security. It requires users to verify their identity with a second factor, such as a one-time password (OTP) delivered by text message, email, or an authenticator app. This additional layer is meant to protect accounts even when passwords are compromised. Fraudsters, however, are bypassing it by finding new ways to trick users into disclosing the OTPs themselves.
Capture of one-time passwords
OTP bots are the tools fraudsters use to capture OTPs through social engineering. The attacker first obtains the victim's login credentials, through phishing or a data breach, and then logs in to the victim's account, which causes the service to send an OTP to the victim's phone. The OTP bot then calls the victim, mimicking the tone and urgency of a genuine call from a representative of the organization, and follows a pre-scripted dialogue to persuade the victim to read out the code. Finally, the attacker retrieves the OTP from the bot and uses it to complete the login to the victim's account.

Imitation of online banking login pages
Fraudsters prefer phone calls to text messages because a call is more likely to get an immediate response from the victim, and a bot that mimics the tone and urgency of a legitimate call makes the conversation more convincing.
Fraudsters manage OTP bots through dedicated online panels or messaging platforms such as Telegram. The bots are sold with various features and subscription plans: they can impersonate different organizations, speak multiple languages, and even offer a choice between male and female voices. Among the advanced options is phone number spoofing, which makes the call appear to come from the legitimate organization.
Before using an OTP bot, fraudsters need to steal the victim's credentials. They typically use phishing websites that imitate the legitimate login pages of banks, email services, or other online accounts. When the target enters a username and password, the fraudsters capture the information in real time.
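The reason these attacks work is that an OTP is a bearer secret: whoever types it into the real site within the current validity window is logged in, whether that is the victim or a phishing kit relaying the code a few seconds later. The simulation below is an added example, not code from the Kaspersky report or from any OTP bot; the service, usernames, passwords and the two `.example` domains are constructed. It implements RFC 6238 TOTP with the standard library, shows a harvested code being relayed successfully after 5 seconds and failing after 5 minutes, and then shows, for contrast, an origin-bound challenge-response factor of the kind WebAuthn/FIDO2 use, where the same relay fails because the victim's authenticator signs the phishing origin rather than the bank's. The origin-bound part uses a symmetric HMAC in place of the real protocol's public-key signature purely to keep the example short.

```python
"""Why a phished OTP is useful to the attacker only if relayed quickly, and why an
origin-bound second factor does not relay at all. Added example with constructed
names and domains; not code from the report or from any real phishing kit."""
import hashlib
import hmac
import secrets
import struct

STEP = 30  # seconds per TOTP window (RFC 6238 default)


def totp(secret: bytes, now: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (HOTP with counter = now // step)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpService:
    """Bank-style login: password plus a 6-digit TOTP. Accepts the current and the
    previous window, as most deployments do to tolerate clock drift."""

    def __init__(self):
        self.users = {}       # username -> (password, totp secret)
        self.sessions = set()

    def register(self, user: str, password: str) -> bytes:
        secret = secrets.token_bytes(20)  # provisioned into the user's authenticator app
        self.users[user] = (password, secret)
        return secret

    def login(self, user: str, password: str, otp: str, now: int):
        pw, secret = self.users.get(user, (None, None))
        if pw is None or not hmac.compare_digest(pw, password):
            return None
        if otp not in (totp(secret, now), totp(secret, now - STEP)):
            return None
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token


def otp_relay_attack(service, user, password, victim_secret, now, delay):
    """The victim types username, password and the OTP currently shown by their
    authenticator into the phishing page at time `now` (or reads it to an OTP bot).
    The kit submits the harvested values to the real service `delay` seconds later.
    Returns the attacker's session token, or None once the code has rolled over."""
    harvested = {"user": user, "password": password, "otp": totp(victim_secret, now)}
    return service.login(harvested["user"], harvested["password"], harvested["otp"], now + delay)


REAL_ORIGIN = "https://bank.example"            # constructed domain
PHISHING_ORIGIN = "https://bank-login.example"  # constructed lookalike


def authenticator_sign(device_key: bytes, origin: str, challenge: bytes) -> bytes:
    """Authenticator that binds its response to the origin the browser reports (the
    property WebAuthn/FIDO2 rely on). HMAC stands in for a public-key signature."""
    return hmac.new(device_key, origin.encode() + challenge, hashlib.sha256).digest()


class OriginBoundService:
    def __init__(self):
        self.keys = {}        # username -> device key
        self.pending = {}     # username -> outstanding challenge
        self.sessions = set()

    def register(self, user: str) -> bytes:
        self.keys[user] = secrets.token_bytes(32)
        return self.keys[user]

    def begin(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def finish(self, user: str, response: bytes):
        challenge = self.pending.pop(user, None)
        key = self.keys.get(user)
        if challenge is None or key is None:
            return None
        # The server only ever checks against its own origin, so a response produced
        # while the browser was on the phishing origin can never match.
        if not hmac.compare_digest(authenticator_sign(key, REAL_ORIGIN, challenge), response):
            return None
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token


def origin_bound_login(service, user, device_key, origin_seen_by_browser):
    """One login attempt. A real user's browser is on REAL_ORIGIN; a phished user's is
    on PHISHING_ORIGIN while the kit relays challenge and response unchanged."""
    challenge = service.begin(user)
    return service.finish(user, authenticator_sign(device_key, origin_seen_by_browser, challenge))


if __name__ == "__main__":
    bank = OtpService()
    secret = bank.register("alice", "correct horse")  # constructed victim
    t0 = 1_700_000_000
    print("OTP relayed after 5 s  :", otp_relay_attack(bank, "alice", "correct horse", secret, t0, 5) is not None)
    print("OTP relayed after 5 min:", otp_relay_attack(bank, "alice", "correct horse", secret, t0, 300) is not None)
    ob = OriginBoundService()
    key = ob.register("alice")
    print("origin-bound, real site:", origin_bound_login(ob, "alice", key, REAL_ORIGIN) is not None)
    print("origin-bound, relayed  :", origin_bound_login(ob, "alice", key, PHISHING_ORIGIN) is not None)
```

The 30-second window is what drives the tradecraft described above: the kit must forward the code almost immediately, which is why these operations are automated and why the bot pressures the victim for an answer on the call rather than by message. The origin-bound variant needs no such timing because the relayed response is wrong for the bank's origin regardless of how fast it arrives.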
Successful two-factor authentication attacks
Research by Kaspersky shows that phishing attacks and OTP bot attacks aimed at bypassing two-factor authentication have had a significant impact. Between March 1 and May 31, 2024, Kaspersky products blocked 653,088 attempts to visit sites created by phishing kits targeting the banking sector and commonly used in attacks involving OTP bots. During the same period, Kaspersky technology identified 4,721 phishing pages created by kits aimed at bypassing two-factor authentication in real-time.
Olga Svistunova, a security expert at Kaspersky, said, “Social engineering, especially with the use of OTP bots that can mimic genuine calls from representatives of legitimate services, can be incredibly convincing. Therefore, it is crucial to stay vigilant and follow best security practices. Kaspersky provides state-of-the-art security solutions to protect digital lives through continuous research and innovation.”