Search This Blog

Showing posts with label OTP Theft. Show all posts

Analysts Warn of Telegram Powered Bots Stealing Bank OTPs

 

In the past few years, two-factor verification is one of the simplest ways for users to safeguard their accounts. It has now become a major target for threat actors. As per Intel 471, a cybersecurity firm, it has observed a rise in services that allow threat actors to hack OTP (one time password) tokens. Intel 471 saw all these services since June which operate via a Telegram bot or provide assistance to customers via a Telegram channel. Through these assistance channels, users mostly share their feats while using this bot and often walk away thousand dollars from target accounts. 

Recently, threat actors have been providing access to services that call victims, which on the surface, looks like a genuine call from a bank and then fool victims into providing an OTP or other authentication code into a smartphone to steal and give the codes to the provider. Few services also attack other famous financial services or social media platforms, giving SIM swapping and e-mail phishing services. According to experts, a bot known as SMSRanger, is very easy to use. With one slash command, a user can enable various modes and scripts targeted towards banks and payment apps like Google Pay, Apple Pay, PayPal, or a wireless carrier. 

When the victim's phone number has been entered, the rest of the work is carried out by the bot, allowing access to the victim's account that has been attacked. The bot's success rate is around 80%, given the victims respond to the call and provides correct information. BloodOTPBot, a bot similar to SMSRanger sends the user a fake OTP code via message. In this case, the hacker has to spoof the target's phone number and appear like a company or bank agent. After this, the bot tries to get the authentication code with the help of social engineering tricks. 

The bot sends the code to the operator after the target receives the OTP and types it on the phone keyboard. A third bot, known as SMS buster, however, requires more effort from the attacker for retrieving out information. The bot has a feature where it fakes a call to make it look like a real call from a bank, and allows hackers to contact from any phone number. The hacker could follow a script to fake the victim into giving personal details like ATM pin, CVV, and OTP.

OTP Theft on the Rise in Bengaluru; Many IT Employees Fall Victim


Numerous IT employees fall victim to a new type of OTP theft currently on the rise in Bengaluru. No culprit has been caught so far as lakhs of rupees go stolen via the utilization of this technique.

This theft stands diverse as contrasted with the rest as here, an individual calling posing like a bank employee requests from the victim to provide with them their card number and CVV so as to update or review their debit or credit card.

And the 'unsuspecting victim' does not realize that any person would at present need an OTP to complete any exchange, in this way the scamster then says the victim will get a SMS, which would need to be sent back to the sender.

And such SMSes while not containing any intelligible content obviously, are in encoded shape.  Acting like links when the victims tap on them, the incoming SMS is consequently sent to the scamster's phone, which at that point completes the cash exchange — utilizing the OTP from the victim's record.

 “The thefts were initially of relatively small amounts of ₹5,000-10,000. However, of late, larger amounts ranging from ₹50,000 to up to a few lakhs have been stolen. We have not been able to apprehend anyone yet. The victims also include several IT employees,” says a cybercrime personnel further adding that such cases came to light about 2-3 months ago.


India as a country has not taken privacy seriously. Most of the time, most hackers are able to find out the bank you are banking with,” says Harsha Halvi, co-founder of TBG Labs, “OTP theft is more a privacy matter than a technological one. Perpetrators often gain the victim’s trust by dropping a name for reference, which would make the victim trust them. After that finding information about the victim’s bank is also quite easy,” he added later.

Although Halvi later recommends that since it is not possible to build up a product\software as a safeguard against this as there are many apps that request access to SMSes, the solution to this problem will only begin to emerge if the users are increasingly mindful and don't offer authorization to get to SMSes, at that point the developers will be compelled to change their strategy.

In this way, it proposed to the users, when accepting such calls, to check with the customer care numbers of their banks in order to smoothly avoid from being entrapped in such wreckage.