Now You Can Buy Bots That Steal SMS OTPs

Big businesses that routinely embrace bad security practices make good business for crooks who know how to exploit common weaknesses. Even the most optimistic fraud managers have tired of the theory that social engineering can be prevented simply by warning everyone to be more careful, and now enterprising criminals are selling a way to automate social engineering to scammers who would otherwise be given away by their accents. Joseph Cox reports for Vice that criminals have written programs that trick customers of PayPal, Amazon, cryptocurrency exchanges and banks into sharing the one-time passwords (OTPs) sent to them by SMS.

The call came from PayPal’s fraud prevention system. Someone had tried to use my PayPal account to spend $58.82, according to the automated voice on the line. PayPal needed to verify my identity to block the transfer.

“In order to secure your account, please enter the code we have sent your mobile device now,” the voice said. PayPal sometimes texts users a code in order to protect their account. After entering a string of six digits, the voice said, “Thank you, your account has been secured and this request has been blocked.”

…But this call was actually from a hacker. The fraudster used a type of bot that drastically streamlines the process for hackers to trick victims into giving up their multi-factor authentication codes or one-time passwords (OTPs) for all sorts of services, letting them log in or authorize cash transfers.

Cox shared a recording of the entire call online.


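The attack as described in the passage quoted above, as an added example that is not from the Vice article, from Commsrisk or from any real bot: a Python simulation of the relay (the attacker triggers the genuine code, the automated call harvests it, the attacker submits it while the call is still running), placed beside a channel-bound login that the same relay cannot beat. The second half goes beyond the article, which only says businesses should stop relying on OTPs sent by SMS; it illustrates the property that makes the difference, namely whether the proof is something the customer can read out. Every name here (Service, otp_bot_call, BoundService, the account "alice" and its phone number) is an assumption made up for the example, and the shared-key HMAC stands in for a real device signature.

```python
"""Simulation of the OTP-relay flow described in the quoted passage, beside a
channel-bound login the same relay cannot beat. Added illustration only, not code
from the Vice article or any real bot; every name below (Service, otp_bot_call,
BoundService, the account "alice" and its phone number) is constructed here."""
import hashlib
import hmac
import re
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed validity window for an SMS code

class Service:
    """A service that gates logins with a six-digit code sent by SMS."""

    def __init__(self, phones):
        self.phones = phones    # username -> phone number
        self.inbox = {}         # phone number -> SMS texts (stands in for the carrier)
        self.pending = {}       # username -> (code, issued_at)

    def start_login(self, username):
        """Whoever holds the password can trigger this; the code goes to the customer."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = (code, time.time())
        self.inbox.setdefault(self.phones[username], []).append(
            f"Your security code is {code}. Never share it with anyone.")

    def finish_login(self, username, code):
        """The service learns only whether the code matches, never who typed it."""
        if username not in self.pending:
            return False
        expected, issued = self.pending[username]
        if time.time() - issued > OTP_TTL_SECONDS or not hmac.compare_digest(expected, code):
            return False
        del self.pending[username]      # single use, but one use is all the relay needs
        return True

def victim_keys_in_code(inbox, phone):
    """A real code has just arrived and the voice sounds official, so the customer keys it in."""
    match = re.search(r"\b(\d{6})\b", inbox.get(phone, [""])[-1])
    return match.group(1) if match else ""

BOT_SCRIPT = ("Someone has tried to use your account to spend $58.82. In order to secure "
              "your account, please enter the code we have sent your mobile device now.")

def otp_bot_call(service, username):
    # 1. The attacker, already holding the password, makes the real service send a code.
    service.start_login(username)
    # 2. The bot calls the customer from a spoofed CLI and plays BOT_SCRIPT; the digits
    #    the customer keys in arrive as DTMF tones.
    code = victim_keys_in_code(service.inbox, service.phones[username])
    # 3. The attacker submits the relayed digits while the call is still in progress,
    #    well inside the validity window, so expiry and single use do not help.
    return service.finish_login(username, code)

class BoundService:
    """Contrast: a proof the customer cannot read out. The customer's device signs the
    challenge together with the session that delivered it, so a proof made in one
    session verifies in no other (the WebAuthn idea, reduced to an HMAC over a shared key)."""

    def __init__(self, device_keys):
        self.device_keys = device_keys  # username -> key held by the customer's device
        self.sessions = {}              # session_id -> (username, challenge)

    def start_login(self, username):
        session_id, challenge = secrets.token_hex(8), secrets.token_hex(16)
        self.sessions[session_id] = (username, challenge)
        return session_id, challenge

    @staticmethod
    def device_sign(key, session_id, challenge):
        # Computed on the customer's device, over the session the device itself sees.
        return hmac.new(key, f"{session_id}:{challenge}".encode(), hashlib.sha256).hexdigest()

    def finish_login(self, session_id, proof):
        username, challenge = self.sessions.pop(session_id, (None, None))
        if username is None:
            return False
        expected = self.device_sign(self.device_keys[username], session_id, challenge)
        return hmac.compare_digest(expected, proof)

def legitimate_bound_login(service, username):
    session_id, challenge = service.start_login(username)
    proof = service.device_sign(service.device_keys[username], session_id, challenge)
    return service.finish_login(session_id, proof)

def relayed_bound_login(service, username):
    """Bot's best case: the customer logs in on their own device and the bot captures the proof."""
    attacker_session, _ = service.start_login(username)
    victim_session, victim_challenge = service.start_login(username)
    proof = service.device_sign(service.device_keys[username], victim_session, victim_challenge)
    return service.finish_login(attacker_session, proof)

def demo():
    sms = Service({"alice": "+15551230000"})
    bound = BoundService({"alice": secrets.token_bytes(32)})
    return (otp_bot_call(sms, "alice"),              # True: the relayed code is accepted
            legitimate_bound_login(bound, "alice"),   # True
            relayed_bound_login(bound, "alice"))      # False: proof is for another session
```

demo() returns (True, True, False): the six-digit code is accepted regardless of who typed it, the device-bound proof works for the session that requested it, and the same proof relayed into the attacker's session is rejected. The expiry window and single-use check in Service.finish_login are both in force and still do not help, because the relay completes during the call.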
One of the vendors of these bots, who calls himself OPTGOD777, explained why they are popular.

The bot is great for people who don’t have social engineering skills.

Competition between the makers of these bots leads them to offer special discounts.

Some bot sellers have recently run promotional prices, presumably to bring in more customers. SMSranger ran a limited time offer of one month access to the bot costing $540, and lifetime access for $2750. A day later, the bot was back to full price of $600 and $4000.

Social engineering was the most common threat cited by the security professionals who responded to RAG's recent survey of comms providers. From the criminal's side, the problem with social engineering is that it is labor-intensive, which is why fraudsters set up call centers in countries where staff can be recruited cheaply. That creates a knock-on problem: the calling line identity (CLI) can be spoofed so that a call appears to originate in the same country as the victim, but a foreign accent cannot be disguised so easily, which encourages criminals to use synthesized voices and pre-recorded messages instead.

The drive to cut the cost of legitimate marketing and customer service calls has been instrumental in developing automation of the type described by Cox. The same pressure is driving more interactive technology, such as chatbots, and it will not be long before people can hold a conversation with a machine that fools some of them into believing they are dealing with a real human being. When that happens we will see an explosion in social engineering, unless major organizations have already weaned themselves off bad practices like relying on one-time passwords sent by SMS. An SMS code proves nothing about who is asking for it: whoever the customer reads it to, the genuine service or a bot, can use it.

Joseph Cox’s article for Vice can be found here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T-Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.