The warning was issued after thousands of such attempts were made from March to May this year. The culprits used fake websites and voice bots, but they were "detected and stopped," according to authorities.
OTP codes are a security measure used in two-factor authentication to keep users' accounts from being taken over even when their passwords have been stolen.
However, the new attacks trick users into giving up their OTP codes through automated, fake phone calls. When one of these robocalls succeeds in obtaining an OTP, the victim's bank and other accounts are then broken into.
Researchers have said that the hackers use calls instead of text messages because their targets are more likely to respond quickly and are therefore easier to deceive. The voice bots make calls masquerading as employees of reputable organizations, then use scripted, pre-recorded conversations to persuade users to give up their OTP codes.
A common script has the bot pose as a financial organization calling to notify the person that a stranger has tried to gain access to their bank account to steal money. The bot then persuades the person to hand over their OTP code, supposedly so that the organization can intervene and prevent the theft.
"The bot emulates the speaking patterns and urgency in human voices in order to foster trust and persuasiveness," according to at least one research report.
The surge in robocalls can be attributed to the fact that their components are purchasable on the black market. A Kaspersky report on one type of bot service provided on Telegram said that the bots are capable of masquerading as different organizations, using multiple languages and mimicking either male or female human voices. They can also create fake phone numbers to trick people into believing they are talking to someone from a reputable organization.
Once the hackers get hold of a victim's OTP code, they can use it to gain access to the victim's accounts. However, before hackers can even attempt to steal OTP codes, they need to get through the first line of defense: the victim's account name and password. They do so by creating fake websites that masquerade as legitimate banks, email services and other online services to trick people into giving up their login information. This data can also be purchased on the black market, or simply stolen by hackers exploiting vulnerabilities in computer systems.
The National Cyber Security Center of Vietnam has recorded 124,775 fake websites masquerading as different organizations. Kaspersky statistics from March 1 to May 31 revealed that the firm has managed to stop 653,088 website phishing attempts, as well as wholly blocking a total of 4,721 phishing websites.
Experts said people should never provide OTP codes to anyone over the phone, no matter how persuasive the caller may sound. Banks and other reputable organizations never ask users to identify themselves by reading out their OTP codes over the phone, they said.