Russian Scammers Learn to Bypass Bank SMS Authentication Codes

According to experts from Kaspersky Lab, scammers in Russia have figured out how to bypass two-factor authentication when the second factor is a code delivered via SMS. As a result, Russians need to be even more vigilant when interacting with suspicious websites.

Experts note that the key to the scammers’ success lies in simultaneously carrying out a fake transaction on a phishing site—usually disguised as an OSAGO (compulsory car insurance) payment—and a real transfer of the victim’s funds.

While people have become more cautious about giving out authentication codes over the phone, most users still let their guard down when entering codes on websites, which is a mistake. To lure potential victims, scammers send an email offering to renew their OSAGO insurance.

Kaspersky expert Alexey Marchenko told the newspaper Izvestia that on the malicious website, users are shown the insurance amount and a separate payment link. If the visitor enters all the required information, the site displays a page with the message “SMS code is being generated.”

According to a timer set in the page’s code, this message is shown for about 30 seconds, after which the user is redirected to a form to enter the code. At the same time, the victim receives a real SMS message from their bank or credit organization.

The trick is that the scammers request a withdrawal from the card details provided by the user, who believes they are paying for OSAGO. Using the authentication code, the criminals complete the process of stealing the victim’s money.