In February, KrebsOnSecurity wrote about a new cybercrime service that helped attackers intercept one-time passwords (OTPs) that many websites require as a second factor of authentication in addition to passwords. This service quickly went offline, but new research reveals that a number of competitors have since launched bot-based services that allow crooks to easily phish OTPs from targets.
Many websites now require users to provide both a password and a numeric code / OTP token sent by SMS, or generated by mobile apps such as Authy and Google Authenticator. The idea is that even if the user’s password is stolen, the attacker still cannot access the user’s account without this second factor, i.e. without access to the victim’s mobile device or phone number.
The OTP interception service introduced earlier this year – Otp[.]agency – announced a web-based bot designed to trick targets into giving up OTP tokens. The customer would enter a target’s phone number and name, and the OTP agency would initiate an automated phone call that would alert that person to unauthorized activity on their account.
The call would prompt the target to enter an OTP token generated by their phone’s mobile app (“for authentication purposes”), and this code would then be relayed to the malicious customer’s panel on the OTP agency’s website.
The OTP agency went offline a few hours after that story. But according to research by cyber intelligence firm Intel 471, several new OTP interception services have emerged to fill that void. And all of them work via Telegram, a cloud-based instant messaging system.
“Intel 471 has seen a slight increase in cybercrime services that allow attackers to intercept one-time password (OTP) tokens,” the company wrote in a blog post today. “Over the past few months we’ve seen actors provide access to services that call victims, appear as a legitimate call from a specific bank, and trick victims into typing an OTP or other verification code into a mobile phone in order to capture and deliver the codes to the operator. Some services also target other popular social media or financial services platforms, offering email phishing and SIM card swapping capabilities.”
Intel 471 says that a new Telegram OTP bot called “SMSRanger” is popular because it is remarkably easy to use, and possibly because of the many testimonials posted by customers who seem satisfied with its frequent success rate in extracting OTP tokens when the attacker already has the target’s “fullz”, personal information such as Social Security number and date of birth. From their analysis:
“Those who pay for access can use the bot by entering commands similar to how bots are used on the popular workforce collaboration tool Slack. A simple slash command allows a user to activate various ‘modes’ – scripts for various services – which can target specific banks, as well as PayPal, Apple Pay, Google Pay, or a wireless operator.
“Once a target’s phone number has been entered, the bot does the rest of the work, ultimately giving access to any account that has been targeted. Users claim that SMSRanger has an efficiency rate of around 80% if the victim answered the call and the complete information (fullz) provided by the user was accurate and up to date.”
Another OTP interception service called SMS Buster requires a bit more effort from a customer, says Intel 471:
“The bot provides options to disguise a call to make it appear as a legitimate contact from a specific bank while letting attackers choose to dial from any phone number. From there, an attacker could follow a script to trick a victim into providing sensitive details such as a personal identification number (PIN), card verification value (CVV), and OTP, which could then be sent to an individual’s Telegram account. The bot, which has been used by attackers targeting Canadian victims, gives users the ability to launch attacks in both French and English.”
These services are springing up because they work and they are profitable. And they are profitable because far too many websites and services steer users towards multi-factor authentication methods that can be intercepted, spoofed, or misdirected, like SMS-based one-time codes or even OTP tokens generated by apps.
The idea behind true “two-factor authentication” is that the user must present two of the following three things: something they have (mobile devices); something they know (passwords); or something they are (biometrics). For example, you present your credentials on a website and the site asks you to approve the login through a prompt that appears on your registered mobile device. That is true two-factor authentication: something you have and something you know (and maybe even something you are).
In addition, these so-called “push notification” methods carry important time-based context that adds security: they occur directly after the user has submitted their credentials, and the ability to approve the push notification expires after a short time.
But in many cases, what sites are asking for is basically two things you know (a password and a one-time code), submitted through the same channel (a web browser). This is usually still better than no MFA at all, but as these services show, there are now many options to bypass this protection.
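The contrast drawn in the last three paragraphs can be seen from the server's side in the following added example, which is not from the original article or from Intel 471. It puts a standard RFC 6238 one-time code check next to a push approval that is tied to one login attempt and expires; the `PushApprovals` class, its `TTL` value and the session identifiers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the kind of code an authenticator app shows."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: float) -> bool:
    """Accepts a current code from whoever submits it: the check has no input
    that says which browser session, or which person, the code came from."""
    return hmac.compare_digest(totp(secret, now).encode(), code.encode())


class PushApprovals:
    """Hypothetical store of pending push approvals, one per login attempt."""

    TTL = 60  # seconds a prompt stays approvable (constructed value)

    def __init__(self) -> None:
        self._pending = {}  # challenge id -> (session id, expiry time)

    def start(self, session_id: str, now: float) -> str:
        """Call only right after this session passed the password check."""
        challenge = secrets.token_urlsafe(16)
        self._pending[challenge] = (session_id, now + self.TTL)
        return challenge  # sent to the registered device, never to the browser

    def approve(self, challenge: str, now: float):
        """Return the one session this approval unlocks, or None if the
        challenge is unknown, already used, or past its expiry."""
        session_id, expiry = self._pending.pop(challenge, (None, 0.0))
        return session_id if session_id is not None and now <= expiry else None
```

The one-time code is a second secret typed into the same browser form as the password, while the approval only exists for a short window after a specific password check and can complete that login alone.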
Hopefully, these OTP interception services make it clear that you should never provide information in response to an unsolicited phone call. It doesn’t matter who claims to be calling: if you haven’t initiated the contact, hang up. Don’t put them on hold while you call your bank; crooks can get around this as well. Hang up. Then you can call your bank or whoever else you need.
Unfortunately, the people most likely to fall for these OTP interception schemes are people less experienced with the technology. If you are the resident or family IT professional and have the option to update or improve MFA profiles for your less tech-savvy friends and loved ones, this would be a fabulous way to show you care and to help them ward off a potential disaster at the hands of one of these bot services.
When was the last time you reviewed your multi-factor settings and options on the various websites that hold your most valuable personal and financial information? It might be worth visiting 2fa.directory (formerly twofactorauth[.]org) for a checkup.