Your phone rings. The caller ID is one you recognize as being from Chase bank. The call sounds legit:

A few seconds later the phone buzzes with a text message from 227895, the same number you always receive the verification code from.

You quickly type it in to confirm that it is in fact you. You sure are glad that the Chase Fraud department is working overtime, you think to yourself….

Your bank account has just been cleaned out because the hackers that spoofed you just transferred all of the money in it to an offshore account.

These bots can target banks, credit cards, Apple Pay, PayPal, GoDaddy, Amazon, Coinbase, and virtually any platform that is “secured” with the SMS version of 2FA or MFA. The process is so streamlined that just about anyone with virtually no IT knowledge (script kiddies) can quickly get one of these bots up and running. The hackers no longer even have to be fluent in English or converse with their victims on the phone to con their way in.

At this point, we are all used to recorded voice calls, SMS authentications, etc., and we don’t think twice about it. Some of these bots are open source, with instructions on how to run them, but a black hat can pay a few hundred bucks to get a good one that is pre-configured and comes with tech support. With these SMS Bypass Bot calls as a service, any wannabe hacker can pull it off fairly easily with very little tech background or hacking skills needed.

So a hacker gets himself a computer system with a high-end graphics card, installs one of these password cracking programs, and, armed with the information from a data breach, soon has your login credentials. For less than $1,000, about 2 hours’ work, and a few hours of letting the cracking tool find valid credentials, he now has your username/password pair.

Now he initiates the MFA calling bot, and soon has your one-time PIN. Call it a $1500 investment, a day’s labor, and a week of elapsed time, and he just made off with the contents of your bank account. How much was in there? Twenty thousand? Forty? Or only a couple of thousand bucks?

Since many countries have an average annual income that is far less than $10,000 a year, even $850 is a month’s pay and is certainly worth a criminal’s time. Now imagine that he is likely doing this a hundred times a week.

It’s just that easy.


7 Comments

Cahulawassee River · January 16, 2023 at 3:58 pm

Bro has the mega machine with the $2000+ video cards and he was hacked using these methods.
Nothing much was in there as the beyond Jimmeh Carta levels of inflation are eating up everything.

joe · January 16, 2023 at 6:01 pm

you started talking about internets security and the floodgates opened…norton, life lock…all hacked…

Toastrider · January 16, 2023 at 10:56 pm

There’s a way to defeat this.

Ask for a name and trouble ticket number, tell them you’re going to call back for verification. Do NOT call the number on your phone. Look up your bank/financial institution’s phone number on their website, and call them.

    Steve · January 17, 2023 at 10:16 am

    Yep, and never under any circumstances press any key on your keypad. Definitely not the one they are asking you to press.

    “Press 5 to speak to a customer service representative.”
    “Beep.”

    Guess what? You just authorized the transfer of funds. By the time you hang up, your money is gone, likely forever.

TGreen · January 17, 2023 at 12:21 am

There is a simple and effective defense to this: Caller ID is easily spoofed: Trust nothing said in an incoming call and answer no questions that might be asked. If you think you need to act on what such a call says, hang up, then look up the number to call them back at from a trusted source.

Elrod · January 17, 2023 at 8:11 pm

“…answer no questions that might be asked.”

Absolutely true. Spammers will call and ask “do you hear me?” or some other question that you will automatically answer “yes” to. If you do answer “yes” to whatever the question is they will use that – they are recording the call just so they can insert your “yes” into the right spot – and you’ve now signed up for whatever it is they’re selling. If you try to cancel, even with gummint consumer assistance, they will play back your “yes” as proof you signed up.

No matter what the conversation, if you did not initiate it or you do not know with whom you are speaking, never use the word “yes” on your phone. If someone calls and asks you questions the best thing to do is exactly what TGreen said above – hang up immediately.

NEVER answer ANY questions from anyone who calls. Look up their VERIFIED number online and call them back. If it’s a legit organization they will not mind.

Gryphon · January 19, 2023 at 7:47 pm

There is a simple and effective defense to this:
Do. Not. Deal. With. Banks. Ever.
I haven’t for over 25 Years now, and it’s Surprising what else you Avoid having problems with.
ALL forms of “Electronic Communications” are vulnerable to Hacking/government abuse.
And no, this isn’t ‘my’ Computer (purchased secondhand) and it’s on WiFi that doesn’t know I’m not an ‘authorized’ User.
The Time is Now to arrange your Life and Financial Affairs before the (((banking system))) Collapses. You will be ‘Ahead of the Curve’ when (soon, very Soon) the “petrodollar” becomes ‘worthless’ (not that it ever was).
