20.5k unique visitors in the last 3 days

Now You Can Buy Bots That Steal SMS OTPs

Crooks are selling software that automates social engineering. Bots call targets and ask for one-time passwords that are used to take control of bank, cryptocurrency and PayPal accounts.

Big businesses that routinely embrace bad security practices make good business for crooks that know how to exploit common vulnerabilities. Even the most optimistic fraud managers have tired of the theory that social engineering can be prevented by simply warning everyone to be more careful, but now enterprising criminals are selling a way to automate social engineering to scammers who would otherwise be given away by their accents. Joseph Cox reports for Vice that criminals have written computer programs that trick customers of PayPal, Amazon, cryptocurrency exchanges and banks into sharing the one-time passwords (OTPs) sent to them by SMS.

The call came from PayPal’s fraud prevention system. Someone had tried to use my PayPal account to spend $58.82, according to the automated voice on the line. PayPal needed to verify my identity to block the transfer.

“In order to secure your account, please enter the code we have sent your mobile device now,” the voice said. PayPal sometimes texts users a code in order to protect their account. After entering a string of six digits, the voice said, “Thank you, your account has been secured and this request has been blocked.”

…But this call was actually from a hacker. The fraudster used a type of bot that drastically streamlines the process for hackers to trick victims into giving up their multi-factor authentication codes or one-time passwords (OTPs) for all sorts of services, letting them log in or authorize cash transfers.

Cox shared a recording of the entire call online; you can listen to it below.

 

One of the vendors of these bots, who calls himself OPTGOD777, explained why they are popular.

The bot is great for people who don’t have social engineering skills.

Competition between the makers of these bots leads them to offer special discounts.

Some bot sellers have recently run promotional prices, presumably to bring in more customers. SMSranger ran a limited time offer of one month access to the bot costing $540, and lifetime access for $2750. A day later, the bot was back to full price of $600 and $4000.

Social engineering was the most common threat cited by cybersecurity professionals responding to RAG’s recent survey of comms providers. However, one problem with social engineering is that it can be labor-intensive, and this leads criminals to set up call centers in countries where staff can be recruited cheaply. This creates knock-on problems for fraudsters, who may spoof CLIs to make calls appear to originate within the same country as their victims. Foreign accents cannot be so easily disguised, and this encourages criminals to use synthesized voices for pre-recorded messages.

The drive to reduce the costs associated with legal marketing and customer service calls has been instrumental in developing automation of the type discussed by Cox in his article. This also motivates the development of more interactive technologies, such as chatbots. It will not be long before people can engage in conversation with machines that will fool some into believing they are dealing with a real human being. When that happens, we will experience an explosion in social engineering unless major organizations have already weaned themselves off bad practices like sharing one time passwords by SMS.

Joseph Cox’s article for Vice can be found here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email