Over the years, two-factor authentication has become one of the easiest ways for people to protect any online account. This has made it a prime target for cybercriminals.
Security company Intel 471 says it has seen an uptick in services that allow attackers to intercept one-time password (OTP) tokens. All the services seen by Intel 471 since June either operate through a Telegram bot or provide support to customers through a Telegram channel. In these support channels, users often share their success using the bots, often withdrawing thousands of dollars from victim accounts. “Over the past few months, we have seen actors provide access to services that call victims, appear as a valid call from a specific bank and require victims to type an OTP or other verification code, to seize and deliver mobile phone codes to operators. Some services also target other popular social media platforms or financial services, provide email phishing and SIM swapping capabilities,” the company says in a blog post.
How cybercriminals use these bots to steal money
The blog post states that one bot, known as SMSRanger, is extremely easy to use. A simple slash command allows the user to enable various “modes” — scripts targeted at different services — that can target specific banks, as well as PayPal, Apple Pay, Google Pay, or wireless carriers. Once the target’s phone number is entered, the bot does the rest, granting access to whatever account is targeted. If the victim answered the call and the information provided was correct, SMSRanger’s efficacy rate is said to be around 80%.
Another bot, known as BloodOTPbot, also sends fake OTP codes to users via SMS. The bot requires an attacker to spoof the victim’s phone number and impersonate a bank or company representative. The bot then tries to obtain the verification code using social engineering tricks. The operator will receive a notification from the bot during the call to specify the OTP to be requested during the authentication process. The bot will send the code to the operator after the victim receives the OTP and enters it on the phone’s keyboard.
Another bot, known as SMS Buster, requires a little more effort from an actor to retrieve account information. The bot provides the option to disguise a call to make it appear as a legitimate contact from a specific bank, while giving attackers the option to dial from any phone number. From there, an attacker can follow a script to get a victim to provide sensitive details such as an ATM PIN, Card Verification Value (CVV) and OTP, which can then be sent to an individual’s Telegram account. The bot, used by attackers targeting Canadian victims, gives users the opportunity to launch attacks in French and English.
As of the publication date of this blog post, Intel 471 has detected illegal accounts at eight different Canadian-based banks.