Telegram-powered bots stealing bank OTPs, warn analysts – ET CISO
According to security company Intel 471, it has seen an uptick in services that allow attackers to intercept one-time password (OTP) tokens. All the services that Intel 471 has observed since June either operate via a bot or provide support for customers via a Telegram channel. In these support channels, users often share their success while using the bot, often walking away with thousands of dollars from victim accounts. “Over the past few months, we’ve seen actors provide access to services that call victims, appear as a legitimate call from a specific bank and deceive victims into typing an OTP or other verification code into a mobile phone in order to capture and deliver the codes to the operator. Some services also target other popular social media platforms or financial services, providing email phishing and capabilities,” says the company in a blog post.
How cybercriminals steal money using these bots
The blog post says that one particular bot, known as SMSRanger, is extremely easy to use. A simple slash command allows a user to enable various “modes” — scripts aimed at various services — that can target specific banks, as well as PayPal, Apple Pay, Google Pay, or a wireless carrier. Once a target’s phone number has been entered, the bot does the rest of the work, granting access to whatever account has been targeted. SMSRanger’s efficacy rate is said to be about 80% if the victim answered the call and the information provided was correct.
Another bot, known as BloodOTPbot, also works by sending users fraudulent OTP codes via SMS. The bot requires an attacker to spoof the victim’s phone number and impersonate a bank or company representative. The bot then attempts to obtain the verification code using social engineering tricks. During the call, the operator receives a notification from the bot specifying when to request the OTP during the authentication process. Once the victim receives the OTP and enters it on the phone’s keypad, the bot texts the code to the operator.
Yet another bot, known as SMS Buster, requires a bit more effort from an actor in order to obtain account information. The bot provides options to disguise a call so that it appears to be a legitimate contact from a specific bank, while letting the attacker choose to dial from any phone number. From there, an attacker can follow a script to trick a victim into providing sensitive details such as an ATM PIN, card verification value (CVV) and OTP, which are then sent to an individual’s Telegram account. The bot, which was used by attackers targeting Canadian victims, lets users launch attacks in French and English.
As of this blog post’s publication date, Intel 471 has seen accounts illegally accessed at eight different Canadian banks.
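Every bot described above relies on the same weakness: a bank's OTP is a bare six-digit number that is valid for any action, so a code the victim reads off a real SMS and keys into the attacker's call is worth as much to the operator as it is to the customer. The following added example (not code from the article, from Intel 471, or from any bank) shows the server-side controls a verifier can apply to shrink what a captured code is worth: the SMS states exactly which transaction the code confirms, so a victim who is asked to "read back the code" can see that it authorises a payment they did not start; the code is bound to that transaction and rejected for any other; it is single-use; it expires after a short window; and a few wrong guesses lock the challenge. The class and function names, the 90-second TTL, the three-attempt limit, the SMS wording and the phone numbers and amounts are all assumptions constructed for this illustration. Binding alone does not stop a victim from relaying a code for the very transaction an attacker initiated; the visible context in the message is what gives the customer a chance to notice, and the server-side checks remove replay and reuse.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 90      # assumption: short validity window
MAX_ATTEMPTS = 3          # assumption: lock the challenge after three wrong guesses


@dataclass
class Challenge:
    phone: str
    context: str          # what the code authorises, e.g. "send 50.00 CAD to payee ****1234"
    code_hash: bytes      # HMAC over (challenge id, context, code); the plaintext code is never stored
    issued_at: float
    attempts: int = 0
    consumed: bool = False


class OtpService:
    """Hypothetical issuer/verifier; real deployments would persist challenges, not keep them in a dict."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock                      # injectable so expiry can be demonstrated offline
        self._challenges: dict[str, Challenge] = {}

    def _digest(self, challenge_id: str, context: str, code: str) -> bytes:
        msg = f"{challenge_id}|{context}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, phone: str, context: str) -> tuple[str, str]:
        """Create a challenge; returns (challenge_id, sms_text). The code exists only inside the SMS."""
        code = f"{secrets.randbelow(10**6):06d}"
        cid = secrets.token_hex(8)
        self._challenges[cid] = Challenge(phone, context, self._digest(cid, context, code), self._clock())
        # The message names the action, so a code requested "for verification" on a call
        # visibly refers to a transaction the customer did not initiate.
        sms = (f"Code {code} confirms: {context}. Valid {OTP_TTL_SECONDS}s. "
               "We will never phone you and ask you to enter this code.")
        return cid, sms

    def verify(self, cid: str, context: str, code: str) -> str:
        """Return a verdict string; only 'ok' authorises the action, and only once."""
        ch = self._challenges.get(cid)
        if ch is None:
            return "unknown_challenge"
        if ch.consumed:
            return "already_used"
        if self._clock() - ch.issued_at > OTP_TTL_SECONDS:
            return "expired"
        if ch.attempts >= MAX_ATTEMPTS:
            return "locked"
        ch.attempts += 1
        if context != ch.context:                # code is bound to one transaction
            return "context_mismatch"
        if not hmac.compare_digest(ch.code_hash, self._digest(cid, context, code)):
            return "bad_code"
        ch.consumed = True                       # single use
        return "ok"


def extract_code(sms: str) -> str:
    """Pull the 6-digit code out of the SMS text, standing in for the victim reading it off the screen."""
    return sms.split("Code ", 1)[1].split(" ", 1)[0]


def demo() -> dict:
    """Run the scenarios with a fake clock; returns the verifier's verdict for each."""
    fake_now = [1_000_000.0]
    svc = OtpService(server_key=b"constructed-demo-key", clock=lambda: fake_now[0])
    legit = "send 50.00 CAD to payee ****1234"          # constructed transaction
    cid, sms = svc.issue("+1-555-0100", legit)          # constructed phone number
    code = extract_code(sms)
    out = {}
    # An operator replays the relayed code against a different transaction of their own
    out["other_transaction"] = svc.verify(cid, "send 4,900.00 CAD to payee ****9988", code)
    # The real customer completes exactly what the SMS described
    out["legit"] = svc.verify(cid, legit, code)
    # Using the same code a second time is refused
    out["replay"] = svc.verify(cid, legit, code)
    # A challenge left unused past the TTL expires
    cid2, sms2 = svc.issue("+1-555-0100", legit)
    fake_now[0] += OTP_TTL_SECONDS + 1
    out["expired"] = svc.verify(cid2, legit, extract_code(sms2))
    # Repeated wrong guesses lock the challenge before a half-heard code can be brute-forced
    cid3, sms3 = svc.issue("+1-555-0100", legit)
    wrong = "000000" if extract_code(sms3) != "000000" else "111111"
    for _ in range(MAX_ATTEMPTS):
        svc.verify(cid3, legit, wrong)
    out["locked"] = svc.verify(cid3, legit, wrong)
    return out


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:>18}: {verdict}")
```

The verdict strings are deliberately distinct so that a fraud team can alert on the ones that indicate relay rather than customer error: a burst of `context_mismatch` or `already_used` results for one phone number is the server-side trace that a code was captured and replayed.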