CloudSEK researchers have discovered that cybercriminals are increasingly combining vishing techniques with new OTP grabber services to amplify their malicious activities.
Vishing, or voice phishing, involves manipulating individuals into divulging sensitive information over the phone. The human touch in vishing adds a convincing element to these attacks, making victims more likely to trust the caller. Attackers employ sophisticated interactive voice response (IVR) systems, authentic voice recordings of real individuals, or even real-time calling methods that convincingly appear to originate from a trusted company. Through these tactics, users are skillfully manipulated into revealing their one-time passwords, typically delivered via text messages.
The significance of OTPs in online security cannot be overstated. A multitude of online services, including financial institutions, rely heavily on OTPs as the final step of verification. In certain scenarios, a one-time password (OTP) is the only gateway to accessing one's account. This very reliance makes these services an enticing target for those wielding OTP bot services.
One of the most recent such offerings was noted by CloudSEK in an advertisement on a service known as “SpoofMyAss.com” - a one-stop shop for end-to-end SMS-related phishing scams. The service is being offered with bold statements such as:
Ability to make calls worldwide in over 30 languages
Pronounce the victim’s name, service details, and more
Ability to make anonymous calls
Free bot template creation service with the help of Speech Synthesis Markup Language (SSML) code for more customization in audio responses.
The advertisement implies that the threat actor already holds the target's login credentials, obtained through other means.
“This is critical, as we saw on September 14 this year, when MGM Resorts encountered a cyber-attack attributed to Scattered Spider, which has been known to use vishing as its method of choice,” Shreya Talukdar, Global Threat Intelligence Analyst at CloudSEK, said.
Shreya added, “Employing vishing as their method of choice, the cybercriminals successfully obtained employee credentials, secured global admin privileges within Azure Tenant, exfiltrated data, and subsequently held numerous ESXi hypervisors hostage for ransom.”
The recently discovered SpoofMyAss (SMA) advertisement uncovered by CloudSEK offers OTP bots and SMS senders that can significantly aid cybercriminals in orchestrating large-scale vishing (voice phishing) attacks. The features provided by SpoofMyAss include OTP extraction, global calls in multiple languages, personalization, anonymous calls, and bot template creation, which CloudSEK believes strongly indicates that the service is built to perform vishing attacks.
“Using service features like Fast SMA, Stream SMA, and Transfer SMA, vishers can further craft highly convincing vishing calls,” Bablu Kumar, Cyber Intelligence Analyst at CloudSEK, said.
SpoofMyAss offers free-of-charge user signup and additionally credits USD 1 as a welcome balance to the user’s account—an enticing invitation to explore the diverse offerings of the platform. Its services are divided into two main categories: OTP Bot Spoofer and SMS Sender. The reviews indicate that the service is gaining traction on underground forums, and threat actors have already started using it for nefarious purposes.
OTP bot spoofer and SMS sender
Per the advertisement, OTP Spoofer is an automated call service that can be used to grab OTPs of any length. The bot can place calls globally, fetch multiple OTPs, and communicate seamlessly in over 30 languages, while the SMS Sender service currently claims to use 269 legitimate SMS gateways for sending text messages to unsuspecting users across diverse regions of the globe. Of these, 87 are US-based and 13 are India-based SMS gateways.
The text also announces a significant update to an SMS sender service called "SPOOF MY ASS UNLIMITED SMS SENDER," which is now a private, subscription-based model.
Ramifications of OTP SMS and OTP call grabber services
The ramifications of such exploitation are profound. Cybercriminals, upon gaining access to a victim's online banking and other sensitive accounts, are equipped to perpetrate a wide array of fraudulent online transactions.
However, the scope of the threat posed by these services extends far beyond the mere capture of OTPs. These insidious tools are versatile, capable of supporting social engineering techniques, propagating malware or scams, and even inflicting harassment and extortion upon their targets.
OTP SMS and OTP call grabber services carry serious consequences and present substantial risks for both individuals and organizations.
“We've noted that threat actors frequently rely on well-established techniques when conducting cyberattacks. Consequently, these tried-and-true methods can be adopted by less-sophisticated, copycat threat actors, often with the help of services like SpoofMyAss,” Bablu Kumar said.
It's important for individuals and organizations to be vigilant about safeguarding OTPs and implementing additional security measures, such as using authenticator apps or hardware tokens, to protect against OTP interception. Additionally, reporting any suspected misuse of OTP Grabber services to law enforcement or relevant authorities is crucial to combat these illegal activities.
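A server-side detection heuristic for the login flow described above (the actor already holds the credentials, logs in from their own infrastructure, and the OTP sent to the victim's phone is talked out of them by the bot, sometimes after several resends). This is an added example, not code from CloudSEK's report or product; the log format, the event names, and the per-user history of known IPs are assumptions, and the log lines are constructed.

```python
"""Flag logins matching the OTP-grabber pattern in constructed auth logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, user, event, source IP.
# alice: password accepted from an IP never seen for her, three OTP resends, then OTP accepted.
# bob: ordinary login from his usual IP with a single OTP.
SAMPLE_LOG = """\
2023-09-14T10:00:05 alice PASSWORD_OK 203.0.113.7
2023-09-14T10:00:06 alice OTP_SENT 203.0.113.7
2023-09-14T10:01:40 alice OTP_SENT 203.0.113.7
2023-09-14T10:03:12 alice OTP_SENT 203.0.113.7
2023-09-14T10:04:50 alice OTP_OK 203.0.113.7
2023-09-14T10:10:00 bob PASSWORD_OK 198.51.100.2
2023-09-14T10:10:01 bob OTP_SENT 198.51.100.2
2023-09-14T10:10:20 bob OTP_OK 198.51.100.2
"""
# Assumed per-user history of IPs seen on previous successful logins.
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"198.51.100.2"}}


def parse(log):
    """Turn the constructed log text into (timestamp, user, event, ip) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, event, ip))
    return events


def flag_otp_grab(log, known_ips, window=timedelta(minutes=10), min_sends=2):
    """Return {user: details} for logins where the password was accepted from an
    unknown IP and, within `window`, the OTP was resent at least `min_sends` times
    (the bot 'fetching multiple OTPs') before an OTP was finally accepted."""
    by_user = defaultdict(list)
    for ev in parse(log):
        by_user[ev[1]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        for i, (ts, _, event, ip) in enumerate(evs):
            if event != "PASSWORD_OK" or ip in known_ips.get(user, set()):
                continue  # known device/IP: not the pattern we are looking for
            later = [e for e in evs[i + 1:] if e[0] - ts <= window]
            sends = sum(1 for e in later if e[2] == "OTP_SENT")
            accepted = any(e[2] == "OTP_OK" for e in later)
            if accepted and sends >= min_sends:
                flagged[user] = {"ip": ip, "otp_resends": sends}
    return flagged
```

A hit is a reason to step up verification or review the session, not proof of compromise on its own.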
Nipping in the bud with CloudSEK’s underground module
CloudSEK’s deep and dark web monitoring platform scours thousands of sources across the deep and the dark web to identify fraud and targeted threats. The service gives analysts a single pane of glass to monitor dark web activities. In this particular case, if the banking-related credentials are being sold on the dark web, you will be directly notified so you can instantly take security measures and inform the affected users/clients.