OTP Bots: The New Generation of Account Takeover Attacks


Multi-factor authentication (MFA) has long been considered an effective way to secure user accounts and neutralize credential-based attacks. Many organizations have invested heavily in adding a second factor of authentication such as SMS or e-mail-based one-time passwords (OTP) and authenticator apps. However, cybercriminals have evolved their tactics in response to these defenses: rather than attempting to bypass MFA entirely, attackers now exploit the human element in authentication flows with a new generation of account takeover attacks driven by sophisticated automated systems known as OTP bots. These bots, available as external services and often sold through Telegram-based channels, leverage social engineering to turn the trusted OTP mechanism into a security vulnerability.

Understanding OTP Bots

The rise of OTP bots represents a significant evolution in account takeover (ATO) attack techniques. These automated systems are designed to intercept and steal OTPs by tricking target users to disclose this sensitive information either through an automated phone call or messages. Attackers then use these codes to authenticate themselves and gain unauthorized access to take over the target account.

Combining the scalability of malicious bot-driven credential stuffing attacks with social engineering has enabled these advanced programs to launch highly sophisticated attacks. The accessibility of these tools has also lowered the barrier to entry for such attacks, with underground marketplaces offering OTP bot services for $10 to $50 per attack and offering flexible payment plans based on usage.

How OTP Bots Work

Understanding the OTP bot attack flow reveals why these threats are so effective, and where organizations can secure their defenses.

Phase 1: Credentials Acquisition

Similar to previous generations of ATO attacks, attackers initially acquire previously leaked credentials from data breaches, phishing campaigns, or dark web marketplaces. They also gather additional information such as phone numbers, account details, and the names of associated banks.

Phase 2: Credential Stuffing Attack

With compromised username-password combinations, attackers attempt automated logins on various online services. When a login attempt passes the password check but is stopped by the target's MFA system, which triggers an OTP requirement, the attackers log that account as a potential target for an OTP bot attack.

This phase represents the critical point for defensive measures to intervene, where the malicious intent and behavioral patterns behind these automated login attempts can be distinguished from legitimate user behavior. Blocking these automated logins before they trigger OTPs represents the best opportunity to stop the entire attack chain.

Phase 3: Social Engineering

Here’s where the attack diverges from traditional ATO methods. Based on the potential targets derived from the previous phase, the attacker feeds the victim’s name, phone number, and the name of the associated bank to an external OTP bot service. The OTP bot automatically calls the victim using customized, pre-recorded or AI-generated voice calls and SMS messages, impersonating a legitimate entity such as a bank, online service or customer support. Under the guise of fraud prevention or account verification, victims receive urgent requests to verify their identity and provide the OTP they just received.

Phase 4: Account Compromise

Many victims, unaware that the request is fraudulent, read the OTP code out over the call, and attackers immediately use it to complete unauthorized access to the target account. They then proceed to change the password and other security mechanisms to lock out the victim and gain full control of the account for carrying out further fraud.

How to Protect Against This New Generation of ATO Attacks

The attack methodology of OTP bots, while sophisticated in nature, still contains a fundamental vulnerability: they must begin with automated login attempts before any human interaction occurs. This automated step serves as the trigger for the entire attack chain, without which no OTP is generated and further, no victim call can be made. This dependency creates a clear defensive opportunity for organizations to leverage account takeover protection capabilities through advanced bot management and API protection solutions.
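The defensive opportunity described in Phase 2 and again here is to recognize the automated login burst before the OTP is generated. The following is an added example, not Radware's code or product logic: it scans constructed login events and flags a source that cycles through many usernames or triggers many OTP challenges within a short window, so OTP issuance can be refused at that point. The thresholds, window size, IP addresses and usernames are all assumptions.

```python
"""Flag credential-stuffing sources before they trigger OTP challenges."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class LoginEvent:
    ts: float          # seconds since epoch (constructed values below)
    src_ip: str
    username: str
    password_ok: bool  # credentials matched, so an OTP would now be sent

# Assumed detection thresholds for a 60-second sliding window.
WINDOW = 60.0
MAX_DISTINCT_USERS = 5   # a human rarely tries more than 5 accounts a minute
MAX_OTP_TRIGGERS = 3     # OTP challenges one source may trigger per window

def suspicious_sources(events):
    """Return {src_ip: reason} for sources matching the stuffing pattern.

    Evaluated per source over a sliding window so the verdict is available
    at the moment an OTP would be generated, i.e. before any victim call.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda ev: ev.ts):
        by_ip[ev.src_ip].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for i, ev in enumerate(evs):
            while evs[start].ts < ev.ts - WINDOW:   # drop events outside window
                start += 1
            window = evs[start:i + 1]
            users = {w.username for w in window}
            otp_triggers = sum(w.password_ok for w in window)
            if len(users) > MAX_DISTINCT_USERS:
                flagged[ip] = f"{len(users)} distinct usernames in {WINDOW:.0f}s"
                break
            if otp_triggers > MAX_OTP_TRIGGERS:
                flagged[ip] = f"{otp_triggers} OTP challenges in {WINDOW:.0f}s"
                break
    return flagged

def should_issue_otp(event, history):
    """Gate OTP generation: deny when the source is flagged, including this event."""
    return event.src_ip not in suspicious_sources(history + [event])

# Constructed sample: a stuffing bot cycling usernames vs. a user retrying a password.
SAMPLE = [LoginEvent(1000 + i, "203.0.113.7", f"user{i}", i % 2 == 0) for i in range(8)]
SAMPLE += [LoginEvent(1000 + i * 10, "198.51.100.4", "alice", i == 2) for i in range(3)]
```

Run against the sample, only the username-cycling source is flagged, and `should_issue_otp` refuses the OTP for its next password match while still allowing the genuine user's.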

Advanced bot management solutions that provide real-time, behavioral-based bot detection can accurately distinguish between requests from human users and automated attempts by sophisticated bad bots on login workflows to create real-time signatures and block malicious requests. Distributed attack attempts and rotation of identities to evade traditional signature-based detection, seen in large-scale account takeover attacks, can be accurately identified with advanced detection modules. These solutions also leverage a wide range of mitigation challenges including fully non-interactive CAPTCHA-less methods to effectively mitigate the attack while ensuring a seamless experience for genuine users.

An advanced API protection solution can auto-discover all login API endpoints, their structure and parameters, automatically generating accurate security policies that are enforced on the entire API schema, ensuring real-time protection against embedded attacks. Such solutions can also offer real-time protection against API business logic attacks on login workflows by building behavioral models of API consumers and detecting deviations in behavior that indicate business logic abuse.

Conclusion

The rising threat of OTP bots underscores the evolving nature of account takeover attacks and the threat of hybrid attacks that combine multiple attack vectors. Organizations need to strengthen their account takeover defenses and leverage solutions that can balance security effectiveness with user experience considerations. Advanced bot management and API protection solutions can effectively block the attack chain at its first link: the automated, malicious login attempts. Dedicated protection at this layer is far more resource efficient and scalable, with these solutions capable of analyzing large-scale attempts and mitigating malicious bots accurately.

Radware’s Cloud Application Protection Services include both the Bot Manager and API Protection solutions for comprehensive protection against ATO attacks. The Bot Manager, with its AI-powered, multi-layered protection approach, accurately identifies and mitigates sophisticated attacks in real time. The AI-powered API Protection solution continuously maps the application business logic, generates security policies, and automatically mitigates both embedded and business logic attacks at runtime, hands-free.

This comprehensive approach of the Radware Cloud Application Protection Service is designed to address such evolving attacks in real time and effectively protect against even the most sophisticated ATO attacks while ensuring seamless digital interactions.

Contact us to learn more.

Dhanesh Ramachandran

Dhanesh is a Product Marketing Manager at Radware, responsible for driving marketing efforts for the Radware Bot Manager. He brings several years of experience and a deep understanding of market dynamics and customer needs in the Cybersecurity industry. Dhanesh is skilled at translating complex cybersecurity concepts into clear, actionable insights for customers. He holds an MBA in Marketing from IIM Trichy.