A new type of social engineering malware was discovered that can secretly extract one-time passwords (OTPs) from users across the world.
CyberNews researchers spotted a new Telegram chatbot that tricks victims into handing over OTPs for their online accounts, including bank and Coinbase accounts.
Calling each victim and pretending to be a tech support agent is tedious work for a scammer. Now scammers no longer have to do it themselves, as a new type of bot-for-hire is taking the social engineering world by storm.
Called OTP Bot, the malicious chatbot launched on Telegram in April. It uses the Telegram platform to automate the process of tricking victims into giving away their passwords.
OTP Bot is part of what is called the Crimeware-as-a-Service (CaaS) model, under which anyone can rent malicious tools and services.
Since April, the number of people using OTP Bot on Telegram has increased significantly. The chat room where the bot is sold currently boasts over 6,000 members. Its creators probably make millions from selling subscriptions to criminals, while the fraudsters themselves boast 5-digit takings.
One of the factors behind the bot's rapid growth is its ease of use: the bot-for-hire model has made it very easy for criminals to get into social engineering attacks.
Previously, a threat actor would have had to learn how to find and use bot resources. Today, they only need to search for a bot and pay a fee to use it.
When defrauding victims, OTP Bot scammers most often use a technique called card linking, which involves linking a victim's credit card to a mobile payment app. Stealing funds this way is easy because the necessary information, names and card numbers, is readily available on the black market.
With this data in hand, a threat actor can then choose a social engineering script in the bot that will trick the victim into providing their personal information to them.
The bot then calls the victim's number and pretends to be a support agent. Once the victim falls for the trick, the bot asks them to enter their one-time password.
After stealing the victim's password, the threat actor can easily log in, link the victim's card to the payment app, and then go to a nearby store to purchase gift cards. Gift cards are another favorite, because they leave no financial trail for scammers.
Fortunately, there are some positive developments in the fight against spam and vishing (voice phishing). One of these is the implementation of anti-robocalling protocols like STIR/SHAKEN by major mobile carriers, which authenticate caller ID so that spoofed calling numbers become easier to flag, even though they do not by themselves stop a victim from reading out a code.