But this new type of fraud goes right at that 2FA code, and it uses people’s fear of their accounts being hacked against them. In taking action they think will protect them, they actually expose themselves to thieves.
The fraud tool is called a one-time password, or OTP, bot.
A report produced by Florida-based cybersecurity firm and CNBC contributor Q6 Cyber said the OTP bots are driving substantial losses for financial and other institutions. The damage is hard to quantify now because the bot attacks are relatively new.
“The bot calls are crafted in a very skillful manner, creating a sense of urgency and trust over the phone. The calls rely on fear, convincing the victims to act to ‘avoid’ fraud in their account,” the report said.
The scam works in part because victims are used to providing a code for authentication to verify account information. At first listen, the robocalls can sound legitimate — especially if the victim is harried or distracted by other things at the moment the call comes in.
“It’s human nature,” said Jessica Kelley, a Q6 Cyber analyst who authored the report. “If you receive a call that tells you someone’s trying to sign in to your account, you’re not thinking, ‘Well, I wasn’t trying to.’”
The bots began showing up for sale on messaging platform Telegram last summer. Kelley identified at least six Telegram channels with more than 10,000 subscribers each selling the bots.
While there is no official estimate of the amount of crypto stolen, Kelley said fraudsters routinely brag on Telegram about how well the bots have worked, netting individual users thousands or even hundreds of thousands of dollars in crypto. The cost of the bots ranges from $100 a month to $4,000 for a lifetime subscription.
“Before these OTP bots, a cybercriminal would have to make that call himself,” Kelley said. “They would have to call the victim and try to get them to divulge their personal identifiable information or bank account PIN or their 2FA passcode. And now, with these bots, that whole system is just automated and the scalability is that much larger.”
“Once the victim inputs that 2FA code, or any other information that they requested the victim put in their phone, that information gets sent to the bot,” Kelley said. The bot “then automatically sends it to the cybercriminal, who then has access to the victim’s account.”
She said criminals could “potentially steal everything, because with these transactions, they can do them one after the other until the amount is basically drained.”
In a statement to CNBC, a Coinbase spokesperson said, “Coinbase will never make unsolicited calls to its customers, and we encourage everyone to be cautious when providing information over the phone. If you receive a call from someone claiming to be from a financial institution (whether Coinbase or your bank), do not disclose any of your account details or security codes. Instead, hang up and call them back at an official phone number listed on the organization’s website.”
David Silver, another Coinbase customer, knew the company would not be calling him. He recently received a robocall saying there was a problem with his account.
“And immediately, it was an electronic voice that told me it was Coinbase Fraud Department,” he said. “And I immediately turned to the lawyer sitting next to me and said, ‘Start videoing.’ I knew instantaneously what this was and what it was going to be.”