In recent years, many services have implemented a system, two-factor authentication, to combat cyberattacks. In addition to the password required to access an application containing sensitive data (health, financial or work), more and more software requires a second code, which is sent to the account holder via another means (usually via SMS or email).
This protection is now so popular that a 2021 Cisco Group study estimated that 80% of internet users used two-factor authentication. In 85% of cases, this second code arrived via SMS, a solution that is easy to use, but has many security holes.
If this solution has long made it possible to combat cyber attacks, offering (almost) tamper-proof protection, now web criminals have found a hole in the mouse to sneak into. Specifically, they are using an AI-powered robot to solve this new puzzle.
As a team of Kaspersky researchers explains, cybercriminals have managed to bypass this system, particularly by using phishing methods. In other words, the hackers manipulated users into providing their authentication code received via SMS in good faith. Once you retrieved this item, all you had to do was crack the password, an action that usually takes no more than three seconds.
To retrieve the code received via SMS, the criminals attack the weakest link in the chain, the human one. They will use a robot to call the user. The latter must hand over the codes received to a “trusted person”. Kaspersky explains that these calls are personalized based on the personal data collected from the target. They are designed on a case-by-case basis by AI to make them as believable as possible.
To achieve their aims, cybercriminals do not hesitate to use different, often illegal, methods. They pretend to be government agencies, your bank, or an institution. Faced with a person with moral authority, the user often gives in, offering the precious sesame to criminals. They can then log in to the account.
The most worrying thing about this case is the OPT bots used in these attacks. They are available in abundance on cybercriminals’ forums. To put them to work and attack hundreds of people at once, it doesn’t take much technical skill, just a lack of ethics and empathy for its victims.