Phishing Tackle for Sale

At TMT there are a number of reasons why we’re excited about our new service TMT Authenticate, our new frictionless silent authentication service, partly because we believe that it represents the mobile ecosystem getting back on the front-foot in the fight against fraud.

However, some interesting intelligence this week from Microsoft illustrates very efficiently why things need to move forward.

Microsoft’s threat intelligence team have been monitoring the activities of a group they call DEV-1101 and who have started to sell a ready-to-go Phishing kit, which amongst other things allows fraudsters to bypass the very security mechanism designed to protect users, such as SMS One-Time Password (OTP).

Put simply, the kit includes a range of standard templates to mimic things such as Microsoft Outlook,  but the really interesting thing is that it uses AI ‘bots’ to sit in the middle of the authentication process, circumventing existing 2-factor authentication (2FA).

When the victim falls for a Phishing email and ‘clicks the link’ they are taken to a web page that looks and feels like the real login page of their favourite brand, but is obviously there to harvest their login data. The AI will gather these credentials and in parallel open a login session with the real site. When the real site sends their request for a 2-factor authentication such as a one-time password, the bot will mirror that on the fake site, so the user inputs the correct code into the fake site, and the bot in turn then quickly transfers it to the real login attempt being perpetrated by the fraudster.

Microsoft say this kit was first advertised online almost a year ago, and sells for as little as $300 for the standard version and $1000 for the deluxe version.

Whilst the above is not doing anything we haven’t seen before it is of course substantially lowering the fraudsters barrier to entry and is expected to herald a massive increase in this type of crime, circumventing a OTP which let’s face it is the most common form of 2-factor authentication out there and still in use by the majority of online brands.

Why this is relevant to TMT Authenticate is also pretty simple, because it works directly in conjunction with the Mobile Network Operators who are authenticating the device from encrypted data held on the SIM card, it does not require a user to enter any credentials, so there is nothing to share with any bad guys.

Furthermore, the communication flow does not just involve the device, because the authentication messaging goes directly between the operator, TMT Analysis and the website you are trying to access, not the handset. Therefore, it’s never going to be susceptible to these kinds of so-called Man-in-the-middle attacks because there is nothing to intercept.

As ever, the advice from the industry remains the same:

1. Always be on the lookout for suspicious emails;
2. Don’t click the link – unless you are sure its genuine;
3. Talk to TMT Analysis about Authenticate and see if it can improve the security and user experience of your customers!