Bots running on Telegram are being used to steal the one-time passwords that protect accounts with two-factor authentication (2FA).
On Wednesday, Intel 471 researchers said they had seen an “increase” in the number of such services offered in underground circles. In recent months, the range of solutions for bypassing two-factor authentication appears to have grown, and bots are becoming a popular tool.
Two-factor authentication (2FA) can rely on passwords, codes, links, biometric tags, or a single-use physical dongle to confirm the identity of an account owner. Most of the time, one-time 2FA passwords are sent via text message to a phone or email address.
Two-factor authentication is meant to strengthen account security beyond a simple username and password pair, but malicious actors have quickly developed methods to intercept one-time passwords, whether through software, social engineering, or malware.
According to Intel 471, various 2FA bypass services have abused Telegram’s messaging service since June. Telegram is used both to create and manage the bots and as a “customer support” channel for the cybercriminals who run these operations.
“In these support channels, users often share their success in using the bot, often taking thousands of dollars from victims’ accounts,” the researchers said.
Telegram bots are used to automatically call potential victims during phishing attempts; the goal is to deliver messages claiming to come from a bank and trick victims into handing over their one-time passwords. Other bots target social media users as part of SIM-swapping and phishing attacks.
Creating a bot requires a basic level of programming, but the task is much less complex than developing custom malware, for example. What makes matters worse is that, like traditional botnets, Telegram bots can be rented from third parties. Once the target victim’s phone number is submitted, attacks can begin with just a few clicks.
The researchers cited two particular bots: SMSRanger and BloodOTPbot.
SMSRanger’s interface and command settings are similar to those of the Slack collaboration platform, and it can be used to target particular services, including PayPal, Apple Pay, and Google Play. BloodOTPbot is an SMS-based bot that can also be used to generate robocalls posing as a bank.
“Bots show that some forms of two-factor authentication can have their own security risks,” commented Intel 471. “Although one-time password services based on SMS and phone calls are better than nothing, criminals have found ways to circumvent protection measures.”