Scammers have learned to bypass two-factor authentication (by SMS code) used to confirm payments on the Internet. They do this by running two operations at the same time: a fake one on a phishing site styled as a CTP insurance payment, and a real money transfer initiated by the attacker. Kaspersky Lab told Izvestia about the scheme, and its spread was confirmed by other cybersecurity companies and banks. Russians are already used to the rule that an SMS code must not be read out over the phone, but they show less vigilance when entering it on a website.
The scheme begins when a person is sent a message offering to renew their CTP policy: it contains information about the car, including the license plate number, and clicking the link shows the insurance amount and another link for payment, said Alexey Marchenko, head of the content filtering methods development department at Kaspersky Lab. He continued: after following that link and entering the card data, the user is shown a page reading “SMS code is being generated”, displayed with a timer for about 30 seconds, and is then taken to the code entry form. At this moment, the client really does receive an SMS from the credit institution.
“Most likely, after the user enters the card data on the resource, the attackers initiate not a payment, but a request to debit money from this card. At this stage, they have everything they need to make the transfer, except for the verification code. At this moment, the user is on the waiting page ‘SMS is being generated’. During this time, a message arrives. It seems to the user that this is an SMS for the payment, although in fact it is an SMS to confirm the transfer of money, which was initiated by the attackers,” Alexey Marchenko explained.
He concluded: when the user enters the SMS code on the page that appears after the wait, the attackers complete the attack by confirming the money transfer that they initiated on their side. This is a combination of scam and phishing, the expert stressed. The scheme, which combines a fake offer to pay for an insurance policy, the use of the person’s car number, a series of web pages with waiting periods to obtain first the card data and then the verification code, and other elements, was recorded recently and is quite rare, Alexey Marchenko said.
RESO-Garantia is aware of five such cases recently. Rosbank, Gazprombank and VTB, as well as Digital Security and Zecurion, companies that specialize in cybersecurity, know about this scheme. Rosbank clarified that attackers are now actively using this scenario, for example by creating fake websites of online stores. The method of bypassing two-factor authentication is also used on ad sites, Digital Security added.