Warning about phishing attacks to bypass two-factor authentication

Việt Nam, 24/06/2024

Two-factor authentication (2FA) is no longer a foolproof security solution. Illustration photo

New form of attack

Two-factor authentication (2FA) has become a standard security feature in cybersecurity. It requires users to verify their identity with a second authentication step, typically a one-time password (OTP) sent via text message, email, or authentication app. This extra layer of security is intended to protect a user's account even if their password is stolen.

Although 2FA is widely adopted by websites and required by many organizations, Kaspersky cybersecurity experts have recently discovered phishing attacks that cybercriminals use to bypass it.

Attackers have moved to a more sophisticated form of attack that combines phishing with automated OTP bots to trick users and gain unauthorized access to their accounts. Specifically, scammers trick users into revealing their OTPs, which lets them bypass 2FA protection.

Cybercriminals combine phishing with automated OTP bots to trick users and gain unauthorized access to their accounts. Illustration photo

OTP bots are a sophisticated tool that scammers use to obtain OTP codes through social engineering. Attackers first try to steal the victim's login credentials, through phishing or by exploiting data leaks. They then log into the victim's account, which triggers an OTP code to be sent to the victim's phone.

Next, the OTP bot automatically calls the victim, impersonating an employee of a trusted organization and following a pre-programmed conversation script to convince the victim to read out the OTP code. Finally, the attacker receives the OTP code through the bot and uses it to gain unauthorized access to the victim's account.

Fraudsters often prefer voice calls over text messages because victims tend to respond more quickly to this method. Accordingly, OTP bots will simulate the tone and urgency of a human call to create a sense of trust and persuasion.

Fraudsters control OTP bots through dedicated online dashboards or messaging platforms like Telegram. The bots are offered with a variety of features and subscription plans. Attackers can customize a bot to impersonate particular organizations, speak multiple languages, and even use a male or female voice. Advanced options include phone number spoofing, which makes the caller's number appear to belong to a legitimate organization so that the victim is more easily deceived.

The more technology develops, the higher the requirement for account protection. Illustration photo

To use an OTP bot, the scammer must first steal the victim's login credentials. They often use phishing websites designed to look exactly like the legitimate login pages of banks, email services, or other online accounts. When the victim enters a username and password, the phishing site forwards this information to the scammer instantly, in real time.

Between March 1 and May 31, 2024, Kaspersky security solutions prevented 653,088 attempts to visit websites created by phishing kits targeting banks. Data stolen from these websites is often used in OTP bot attacks. During the same period, experts detected 4,721 phishing websites created by kits aimed at bypassing real-time two-factor authentication.

Don't create common passwords

Olga Svistunova, security expert at Kaspersky, commented: "Social engineering attacks are considered extremely sophisticated fraud methods, especially with the emergence of OTP bots with the ability to legitimately simulate calls from service representatives. To stay vigilant, it is important to maintain caution and comply with security measures."

Hackers simply use smart prediction algorithms to figure out passwords easily. Illustration photo

In an analysis conducted in early June, Kaspersky experts ran smart guessing algorithms against 193 million passwords that had been compromised by infostealers and sold on the darknet. The results show that 45% (87 million passwords) can be cracked within a minute, while only 23% (44 million) are strong enough to resist attack, meaning cracking them would take more than a year. The majority of the remaining passwords can still be cracked in between one hour and one month.

In addition, cybersecurity experts also revealed the most commonly used character combinations when users set up passwords such as: Name: "ahmed", "nguyen", "kumar", "kevin", "daniel"; popular words: "forever", "love", "google", "hacker", "gamer"; standard passwords: "password", "qwerty12345", "admin", "12345", "team".

The analysis found that only 19% of passwords showed all the signs of a strong password: a non-dictionary word, both upper and lower case letters, numbers, and symbols. At the same time, the study found that 39% of those strong passwords could still be guessed by smart algorithms in less than an hour.

Interestingly, attackers don't need specialized knowledge or advanced equipment to crack passwords. For example, a laptop's processor can brute-force a password of eight lowercase letters or numbers in just seven minutes, and an integrated graphics card can do the same in 17 seconds. Additionally, smart password-guessing algorithms account for character substitutions ("e" for "3", "1" for "!" or "a" for "@") and common strings ("qwerty", "12345", "asdfg").

You should use passwords with random character strings to make it difficult for hackers to guess. Illustration photo

“Unconsciously, people tend to create very simple passwords, often using dictionary words in their native language, such as names and numbers... Even strong password combinations rarely deviate from this trend, so they are completely predictable by algorithms,” said Yuliya Novikova, Head of Digital Footprint Intelligence at Kaspersky.

Therefore, the most reliable solution is to generate a completely random password with a modern, trusted password manager. Such applications can store large amounts of data securely, providing comprehensive protection for user information.

To strengthen passwords, users can apply the following simple tips. Use password management software. Use a different password for each service, so that even if one account is compromised, the others remain safe. Use a passphrase, which is easier to remember than a random password; it is safer to build it from less common words. In addition, users can use an online service to check the strength of their passwords.

Avoid using personal information, such as birthdays, family members' names, pets, or nicknames, as passwords. These are often the first things attackers will try when trying to crack a password.
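As an added example (not from the article or from Kaspersky), the following Python checker applies the observations above to the strength-check tip in the list: it reverses the character substitutions and keyboard runs that the guessing algorithms look for before comparing a password with the common words the article names, and otherwise bounds the exhaustive-search time using the guess rate implied by the article's seven-minute figure. The word list is a constructed sample, and the extra substitutions "0" for "o" and "$" for "s" are assumptions beyond the three the article mentions.

```python
import re

# Constructed list: the names, words and standard passwords the article
# reports as most common (a real check would use a full breached list).
COMMON_WORDS = {"ahmed", "nguyen", "kumar", "kevin", "daniel", "forever",
                "love", "google", "hacker", "gamer", "password",
                "qwerty12345", "admin", "12345", "team"}
KEYBOARD_RUNS = ("qwerty", "12345", "asdfg")
# Substitutions the article says guessers try, reversed so "L0ve2024!"
# normalises to "love"; "0"->"o" and "$"->"s" are assumed additions.
LEET_REVERSE = str.maketrans({"3": "e", "@": "a", "!": "1", "0": "o", "$": "s"})
# Guess rate implied by the article: 36**8 candidates (8 lowercase letters
# or digits) in 7 minutes on a laptop CPU, assuming a constant-rate search.
LAPTOP_CPU_RATE = 36 ** 8 / (7 * 60)
# (regex, alphabet size) pairs used to bound the search space.
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33))


def normalise(pw: str) -> str:
    """Drop trailing digits/symbols, then undo substitutions ("L0ve2024!" -> "love")."""
    return re.sub(r"[^a-z]+$", "", pw.lower()).translate(LEET_REVERSE)


def brute_force_seconds(pw: str, rate: float = LAPTOP_CPU_RATE) -> float:
    """Upper bound: exhaustive search over the character classes pw actually uses."""
    alphabet = sum(n for pattern, n in CLASSES if re.search(pattern, pw))
    return alphabet ** len(pw) / rate


def assess(pw: str, rate: float = LAPTOP_CPU_RATE) -> dict:
    """Verdict plus the reasons a smart guesser would find pw quickly."""
    low, reasons = pw.lower(), []
    if low in COMMON_WORDS or normalise(pw) in COMMON_WORDS:
        reasons.append("common word after undoing substitutions")
    if any(run in low for run in KEYBOARD_RUNS):
        reasons.append("keyboard run")
    secs = brute_force_seconds(pw, rate)
    if reasons or secs < 3600:
        verdict = "weak"      # guessable in under an hour
    elif secs < 365 * 86400:
        verdict = "moderate"  # between an hour and a year
    else:
        verdict = "strong"    # more than a year, the article's bar
    return {"verdict": verdict, "reasons": reasons, "brute_force_seconds": secs}
```

The exhaustive-search bound is deliberately optimistic for the attacker's victim: a dictionary hit is found long before that bound, which is why the dictionary and keyboard-run checks take precedence.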
