Big businesses that routinely embrace bad security practices make good business for crooks who know how to exploit common vulnerabilities. Even the most optimistic fraud managers have tired of the theory that social engineering can be prevented by simply warning everyone to be more careful, and now enterprising criminals are selling a way to automate social engineering to scammers who would otherwise be given away by their accents. Joseph Cox reports for Vice that criminals have written computer programs that trick customers of PayPal, Amazon, cryptocurrency exchanges and banks into sharing the one-time passwords (OTPs) sent to them by SMS.
The call came from PayPal’s fraud prevention system. Someone had tried to use my PayPal account to spend $58.82, according to the automated voice on the line. PayPal needed to verify my identity to block the transfer.
“In order to secure your account, please enter the code we have sent your mobile device now,” the voice said. PayPal sometimes texts users a code in order to protect their account. After entering a string of six digits, the voice said, “Thank you, your account has been secured and this request has been blocked.”
…But this call was actually from a hacker. The fraudster used a type of bot that drastically streamlines the process for hackers to trick victims into giving up their multi-factor authentication codes or one-time passwords (OTPs) for all sorts of services, letting them log in or authorize cash transfers.
Cox shared a recording of the entire call online.
One of the vendors of these bots, who calls himself OPTGOD777, explained why they are popular.
The bot is great for people who don’t have social engineering skills.
Competition between the makers of these bots leads them to offer special discounts.
Some bot sellers have recently run promotional prices, presumably to bring in more customers. SMSranger ran a limited-time offer of one month access to the bot costing $540, and lifetime access for $2750. A day later, the bot was back to full price of $600 and $4000.
Social engineering was the most common threat cited by cybersecurity professionals responding to RAG’s recent survey of comms providers. However, one problem with social engineering is that it is labor-intensive, which leads criminals to set up call centers in countries where staff can be recruited cheaply. This creates knock-on problems for fraudsters, who may spoof calling line identities (CLIs) so that calls appear to originate within the same country as their victims. Foreign accents cannot be disguised so easily, and this encourages criminals to use synthesized voices for pre-recorded messages.
The drive to reduce the costs associated with legal marketing and customer service calls has been instrumental in developing automation of the type discussed by Cox in his article. This also motivates the development of more interactive technologies, such as chatbots. It will not be long before people can engage in conversation with machines that will fool some into believing they are dealing with a real human being. When that happens, we will experience an explosion in social engineering unless major organizations have already weaned themselves off bad practices like sharing one time passwords by SMS.
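The following simulation is an added illustration, not code from the article or from any of the services it names. It replays the relay described in the recorded call against two OTP designs: a plain SMS code, which says nothing about what it authorises, and a code bound to the exact action it confirms, with the action spelled out in the text message. The second design is one mitigation pattern assumed for this example; the article itself only argues for moving away from SMS OTPs. The account names, amounts and the victim's behaviour model are constructed.

```python
"""Simulation of an OTP-relay bot call against two OTP designs.
Added illustration: the account names, actions and amounts below are
constructed for this example and are not from the article."""
import hmac
import hashlib
import secrets


class PlainSmsOtp:
    """A context-free 6-digit code texted to the user. The code carries no
    information about what it authorises, so a victim who reads it out to a
    caller has nothing to compare the caller's story against."""

    def __init__(self):
        self.pending = {}

    def start(self, user, action):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        return f"Your verification code is {code}"   # the SMS body

    def confirm(self, user, action, code):
        # Any pending code is accepted for any action.
        return hmac.compare_digest(self.pending.get(user, ""), code)


class ActionBoundSmsOtp:
    """The code is an HMAC over the exact action and the SMS spells that
    action out. The verifier recomputes the code for the action actually
    being confirmed, so a code issued for one action cannot confirm another."""

    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.pending = {}

    def _code(self, user, action, nonce):
        msg = f"{user}|{action}|{nonce}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"

    def start(self, user, action):
        nonce = secrets.token_hex(8)
        self.pending[user] = nonce
        return f"Code {self._code(user, action, nonce)} confirms: {action}"

    def confirm(self, user, action, code):
        nonce = self.pending.get(user)
        if nonce is None:
            return False
        return hmac.compare_digest(self._code(user, action, nonce), code)


def extract_code(sms):
    """Pull the 6-digit code out of an SMS body."""
    return next(tok for tok in sms.split() if tok.isdigit() and len(tok) == 6)


def victim_reads_code(sms, caller_claim):
    """Model of the victim on the phone (an assumption of this example): reads
    the code back unless the SMS names an action that contradicts what the
    caller says the code is for."""
    if "confirms:" in sms:
        named_action = sms.split("confirms:", 1)[1].strip()
        if named_action != caller_claim:
            return None          # victim notices the mismatch and hangs up
    return extract_code(sms)


def run_bot_attack(service):
    """The relay: the attacker triggers a transfer, the bot calls the victim
    with a fake fraud-alert pretext, and whatever the victim reads back is
    submitted to confirm the attacker's transfer. Returns True if authorised."""
    victim = "victim@example.test"                       # constructed
    real_action = "send $500 to account ATTACKER-1234"   # constructed
    bot_story = "block a $58.82 charge"                  # pretext from the recorded call
    sms = service.start(victim, real_action)             # service texts the victim
    code = victim_reads_code(sms, bot_story)
    if code is None:
        return False
    return service.confirm(victim, real_action, code)


def run_reuse_attempt(service):
    """A code issued to confirm a login is replayed to confirm a transfer."""
    user = "alice@example.test"                          # constructed
    sms = service.start(user, "log in from a new device")
    code = extract_code(sms)
    return service.confirm(user, "send $500 to account ATTACKER-1234", code)


if __name__ == "__main__":
    print("plain OTP, relay succeeds:", run_bot_attack(PlainSmsOtp()))
    print("bound OTP, relay succeeds:", run_bot_attack(ActionBoundSmsOtp()))
    print("plain OTP, login code reused for transfer:", run_reuse_attempt(PlainSmsOtp()))
    print("bound OTP, login code reused for transfer:", run_reuse_attempt(ActionBoundSmsOtp()))
```

The point of the contrast is that the relay works against the plain design regardless of how careful the victim is, because a bare six-digit string cannot be checked against anything; the bound design gives the victim something to check and stops a code issued for one action from being consumed for another, although it still depends on the victim reading the message.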
Joseph Cox’s article for Vice can be found here.