Researchers have uncovered a malicious campaign that uses Telegram bots to steal one-time passwords (OTPs) and break into PayPal, Apple Pay, and Google Pay accounts.
Intel 471 found that the credential-stealing campaign, active since June, uses Telegram bots to break into online payment accounts such as PayPal, Apple Pay, and Google Pay.
“Two-factor authentication is one of the easiest ways for people to protect any online account,” researchers noted in a Wednesday report. “So, of course, criminals are trying to circumvent that protection.”
Telegram Bots are Easy to Use
Researchers said the threat actors use Telegram bots and channels, along with several tactics for obtaining account information, including calling victims and impersonating financial institutions and other legitimate services.
Using social-engineering tricks, the scammers persuade victims to hand over, via their mobile device, an OTP or other verification code, which the attackers then use to drain the victims' accounts.
“The ease by which attackers can use these bots cannot be understated,” they wrote in the report. “While there’s some programming ability needed to create the bots, a bot user only needs to spend money to access the bot, obtain a phone number for a target, and then click a few buttons.”
Unfortunately, Telegram bots have become highly popular among cybercriminals and have been used in various scams.
In this case, Intel 471 researchers observed and analyzed the campaign’s activity regarding three bots—dubbed SMSRanger, BloodOTPbot, and SMS Buster.
“One particular bot, known as SMSRanger, is extremely easy to use and can target specific banks, as well as PayPal, Apple Pay, Google Pay, or a wireless carrier. Once a target’s phone number has been entered, the bot does the rest of the work, ultimately granting access to whatever account has been targeted. Users claim that SMSRanger has an efficacy rate of about 80% if the victim answered the call and the full information (fullz) the user provided was accurate and updated”.
Impersonating Reputable Companies
Researchers noted that BloodOTPbot sends users a fraudulent OTP request via SMS. However, this bot requires the attacker to spoof the phone number displayed to the target and pose as a bank or company representative.
The bot calls potential victims and uses social-engineering techniques to coax a verification code out of them. According to the researchers, during the call the bot notifies the scammer of the moment in the authentication process at which to request the OTP.
BloodOTPbot is available for a monthly fee of $300. Users can pay $20 to $100 more for access to live phishing panels that target accounts on social networks such as Facebook, Instagram, and Snapchat; financial services like PayPal and Venmo; the investment app Robinhood; and the cryptocurrency exchange Coinbase, researchers said.
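The real-time relay described above, as an added simulation (not Intel 471's code and not anything recovered from the bots): a toy bank issues a six-digit code once the password step succeeds, and whoever types that code back completes the login, so an attacker holding stolen credentials only needs the victim to read the code to the bot. For contrast, and going beyond the text, a second toy bank binds the second factor to the session's challenge and the site origin in the manner of a FIDO/WebAuthn assertion; there, a response relayed over the phone fails because it answers a challenge the attacker's session never received. The origin name, account credentials and device secret are constructed sample data.

```python
import hashlib
import hmac
import secrets

ORIGIN = "bank.example"  # hypothetical site origin, assumed for this simulation


class OtpBank:
    """Toy login service with an SMS/voice-style one-time code as second factor.

    The code is tied to the account, not to the session or device that submits
    it, so anyone who can get the account holder to read it out finishes the login.
    """

    def __init__(self, accounts):
        self.accounts = accounts  # account -> password (constructed sample data)
        self.pending = {}         # account -> code awaiting confirmation

    def start_login(self, account, password):
        """Password step; on success a six-digit code is 'texted' to the holder."""
        if self.accounts.get(account) != password:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account] = code
        return code  # stands in for the SMS that lands on the victim's phone

    def finish_login(self, account, code):
        """Second step: the check does not care who is typing."""
        expected = self.pending.pop(account, "")
        return bool(expected) and hmac.compare_digest(expected, code)


def otp_relay_attack(bank, victim_inbox, account, password):
    """Attacker with stolen credentials ('fullz') triggers the genuine code,
    the bot phones the victim and asks for it, the attacker submits it."""
    sms = bank.start_login(account, password)
    if sms is None:
        return False
    victim_inbox.append(sms)             # the real SMS reaches the real phone
    code_read_to_bot = victim_inbox[-1]  # "please read us the code we just sent"
    return bank.finish_login(account, code_read_to_bot)


def authenticator_sign(device_key, origin, challenge):
    """Victim's authenticator answers only the challenge its own client received,
    for the origin it is talking to. HMAC stands in for the real signature."""
    return hmac.new(device_key, origin.encode() + challenge, hashlib.sha256).digest()


class BoundBank:
    """Same flow, but the second factor is a challenge-response bound to the
    session and origin, the shape of a FIDO/WebAuthn assertion."""

    def __init__(self, accounts, device_keys):
        self.accounts = accounts
        self.device_keys = device_keys  # account -> secret shared with the authenticator
        self.pending = {}               # session id -> (account, challenge)

    def start_login(self, account, password):
        if self.accounts.get(account) != password:
            return None
        sid, challenge = secrets.token_hex(8), secrets.token_bytes(32)
        self.pending[sid] = (account, challenge)
        return sid, challenge

    def finish_login(self, sid, response):
        account, challenge = self.pending.pop(sid)
        expected = authenticator_sign(self.device_keys[account], ORIGIN, challenge)
        return hmac.compare_digest(expected, response)


def bound_relay_attack(bank, account, password):
    """Returns (attacker logged in?, victim's own login works?)."""
    attacker_sid, _ = bank.start_login(account, password)  # attacker's session, challenge A
    # The bot talks the victim into 'confirming' a login in their own app,
    # which opens the victim's own session and receives challenge B.
    victim_sid, victim_challenge = bank.start_login(account, password)
    # Over the phone the victim can only produce a response to B; nothing the
    # bot says makes the authenticator answer A for a session it never saw.
    victim_response = authenticator_sign(bank.device_keys[account], ORIGIN, victim_challenge)
    attacker_ok = bank.finish_login(attacker_sid, victim_response)
    victim_ok = bank.finish_login(victim_sid, victim_response)
    return attacker_ok, victim_ok


def demo():
    accounts = {"alice": "hunter2"}  # constructed sample credentials
    otp_bank = OtpBank(accounts)
    bound_bank = BoundBank(accounts, {"alice": b"constructed-device-secret"})
    relayed_otp = otp_relay_attack(otp_bank, [], "alice", "hunter2")
    relayed_bound, legit_bound = bound_relay_attack(bound_bank, "alice", "hunter2")
    return {
        "sms_otp_relay_logs_attacker_in": relayed_otp,
        "bound_relay_logs_attacker_in": relayed_bound,
        "bound_legit_login_works": legit_bound,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the simulation makes is that the weakness is not in the code's randomness but in what it is bound to: a six-digit SMS or voice code is valid for whoever submits it, so the bot only has to time its request to the moment the genuine code arrives, exactly the prompt BloodOTPbot gives its operator.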
Masquerading as Banks
SMS Buster, the third bot the researchers observed, requires more effort from the scammer than the previous two to steal a victim's account details.
Researchers noted that the bot can disguise a call placed from any phone number so that it appears to be a legitimate contact from a bank. When calling a target, the scammer follows a script to trick the would-be victim into providing information such as an ATM PIN, a card verification value (CVV), or an OTP.
“Overall, the bots show that some forms of two-factor authentication can have their own security risks,” researchers concluded. “While SMS- and phone-call-based OTP services are better than nothing, criminals have found ways to socially engineer their way around the safeguards.”