Most of the time, vishing requires a skilled operator to manipulate people.
Attackers need to not only be skilled, but also speak the language of the victim.
However, we found call bot attacks to be a very popular way to circumvent MFA: an automated bot calls people and asks for the one-time password (OTP) after the credentials have been entered.
This is a prototype we built as a proof of concept.
Most bots are controlled through Telegram channels; besides outputting the data, they steal cookies and set up persistent access through specific Telegram commands.