Cyble-OTP-Bot

Cybercriminals Targeting Two-Factor Authentication

Bot-based OTP Interception Services Continue to Facilitate Fraudulent Operations

Introduction

The implementation of the Two-Factor Authentication (2FA) mechanism as a strict login policy by organizations worldwide has been pivotal in providing account security to consumers of various industries. Since the inception of 2FA, Threat Actors and fraudsters were observed seeking and hustling for methods to bypass this mechanism.

Among several other fraud techniques, Caller ID spoofing is a social engineering technique that the fraudsters have widely adapted to steal the One-Time Password codes to compromise the 2FA mechanism. A Caller I.D. spoofing attack is a technique where fraudsters disguise themselves as legitimate callers to leverage information from a victim for further committing any fraudulent operation.

However, due to heightened awareness raised by the global information security community, the social engineering techniques used to engage a victim on a spoofed call manually have apparently become harder to execute. This has led to a relatively limited success rate as Threat Actor initiatives and fraud attempts were largely thwarted before they could lead to any significant cybersecurity incidences.

This difficulty has likely contributed to the creation of a vast scope of automated OTP-interception services in the fraud market. These services make conducting fraud relatively easy by automating the caller I.D. spoofing process using the Interactive Voice Response (IVR) technology as well as Telegram or Discord-based bots to intercept One-Time Password (OTP) codes. This caters to the specific purposes of the cybercriminals involved in these fraudulent services.

Tactics, Techniques, and Procedures

The majority of OTP interception services we observed provided a user interface through Telegram and Discord-based Bots. A fraudulent subscriber with a valid license key would merely require sending a few text-based commands to the custom-coded Telegram or Discord bot of a particular service to start an IVR-based automated spoofed call targeting any individual.

The ease of use made these services convenient for fraudsters in possession of compromised account credentials or payment cards to obtain the OTP, PIN, or CVV codes, respectively. A few services also offered to capture victims’ other Personally Identifiable Information (PII), such as Social Security Numbers (SSN), Date of Birth (DOB), and Mother’s Maiden Name.

A detailed OTP interception process involved in a fraud cycle is described as the following:

Figure 1 – A process cycle showing the timeline and executive of bot-based call spoofing attacks

The following screenshots obtained from one of the fraudulent bot interception services illustrated a real-time visualization of the bot capturing the OTP codes:

Figure 2 – Screenshots displaying allegedly successful operations by a PepeOTP bot to capture OTP codes

Notable OTP Bot Interception Services

SMSranger: The “SMSranger” is a Telegram-bot-based fraudulent OTP interception service and is currently highly sought-after among financially motivated cybercriminals or fraudsters. The threat actors behind SMSranger launched their fraudulent OTP interception services in June 2021 and initially targeted mobile consumers in the United States and Canada. SMSranger claimed a success rate of 80-90% for the answered calls.

SMSranger bot featured modes specifically targeting retail banking, PayPal, Apple Pay, email users, mobile carrier consumers, and customer services. The customer services mode allegedly allowed fraudsters to connect to a victim via Peer-to-Peer encrypted voice call, provided options to hold the call with music in the background, and send messages during the call.

Figure 3 – An advertisement banner posted on the SMSranger Telegram Channel

A recent announcement on their Telegram-based channel suggested they have supposedly extended their fraudulent service targeting consumers in the United Kingdom, France, Spain, Germany, Italy, and Colombia. SMSRanger has received numerous positive reviews from several fraudulent users of their services.

Figure 4 – An advertisement recently posted on the SMSRanger Telegram Channel (Left) and a user testimonial with positive feedback (Right)

OTP BOSS: A similar OTP interception service, “OTP BOSS,” was found in a discussion among the Threat Actors seeking to fraudulently obtain OTP codes for monetary gains. OTP BOSS launched its services in October 2021. Their subscription price ranged from U.S. $300 – to $1,200 a month and included additional features such as a “spy mode” for obtaining a recorded session of the fraud call. OTP BOSS targeted consumers in the United States, Canada, United Kingdom, France, Spain, Germany, Italy, and Colombia.

In a recent announcement, they claimed to extend their fraud services to impact Australia, Singapore, Malaysia, and Belgium.

Figure 5 – An advertisement recently posted on the OTP BOSS Telegram Channel (Left) and Telegram bots capturing OTP Codes from the victims (Middle, Right)

Research also revealed that one of the moderators of OTP BOSS posted a demonstration at a cybercrime forum claiming to have an automated voice call of the highest quality among other competing fraud services. The demonstration video posted on their YouTube channel revealed the custom-designed automated voice module options were purportedly targeting consumers of the following US-based retail banking, including top Fortune 500 banks.

It was found that the threat actors operating the OTP BOSS bot were themselves highly involved in the monetization of counterfeit bank cheques, compromised accounts, and payment cards.

PizzaOTP: Researchers identified another similar service advertised in one of the cybercrime forums as a PizzaOTP bot. The Telegram-bot-based service claimed to feature a mode for opting for various automated voices targeting banking and cryptocurrency account consumers. They offered OTP interception at relatively lower prices and quoted U.S. $350 for a month.

Still, they were the only services that targeted India and other countries such as the United States, Canada, United Kingdom, Australia, Germany, France, Italy, Brazil, Spain, Portugal, Israel, Austria, Switzerland, and Pakistan. One of their Telegram-bot channels regularly posted details of successful OTP interception for their fraud subscribers, which also displayed that the consumers associated with several global banking organizations and Fortune 500 companies.


Another relatively cheap Telegram-bot-based OTP interception service listed on the cybercrime form was PepeOTP which was first observed on May 3, 2022. Further research revealed that the many other Threat Actors advertised similar Discord-based OTP interception services known as ApolloOTP, RichzOTP, and ReconOTP on various cybercrime forums. The following screenshots demonstrate their OTP interception service in operation.

Figure 6 – Discord-based OTP interception bots RichOTP (Left) and ApolloOTP (Right) in operation.

It is worth mentioning that several other popular bot-based OTP interception services known as “OTP.Agency” and “2fa SMS buster” also operated in full force until they were shut down in 2021 – likely due to law enforcement operations.

Conclusion

Cyble Research Labs’ efforts to understand the latest TTPs for account takeovers revealed that the currently available Telegram and Discord bot-based OTP interception services were some of the easiest alternatives to the manually-employed vishing (i.e., voice phishing) and SIM-swapping methods.

Subsequently, these services have become a notoriously popular choice among the financially-motivated Threat Actors seeking fraudulent credit card usage and to takeover accounts belonging to consumers at banks, e-commerce, social media, cryptocurrency exchanges, email services, and other business enterprises.

With a continued rise in the number of similar services available in the cybercrime ecosystem, it requires a dire need to implement education and awareness at everyone’s disposal vulnerable to such social engineering attacks.

 
Countermeasures

It is evident by the Tactics, Techniques, and Procedures that the attacks by the OTP interception bots come into play only if the credentials and payment cards were compromised and were in possession of the threat actors motivated to monetize them. In such cases, our recommendations are:

  • Do not share sensitive information on any incoming IVR calls that are not initiated by oneself using the genuine phone numbers provided for telebanking.
  • Immediately change your passwords upon any suspicious IVR calls or flagged notifications suggesting an unauthorized login.
  • Switch to a stronger password and update/change your security information often.
  • Businesses are advised to set up resources to monitor their threat landscape or may opt for the available threat intelligence platforms (such as AmIBreached and Vision by Cyble). This could be helpful for the medium and large businesses to determine their threat landscape by letting them identify the set of compromised accounts, payments cards, and other sensitive data to notify the impacted consumers or associated individuals.
Scroll to Top