Robocall bot goes after one-time passwords
We're all encouraged to use multi-factor authentication to protect our online accounts. Very often this involves a one-time passcode (OTP) sent via an SMS message.
This makes life harder for the cybercriminals even if they have your password, but the team at CyberNews has uncovered a new robocall bot that aims to trick users into giving up their OTPs.
The OTP bot is the latest example of the growing crimeware-as-a-service model, in which cybercriminals rent out malicious tools and services to anyone willing to pay. It's being sold via an encrypted Telegram chat room that currently boasts more than 6,000 members.
The bot user enters the details they already know about the victim into a Telegram window. Using a spoofed caller ID, the bot then automatically calls the victim's number posing as a support agent and tries to trick them into handing over the OTP needed to log in to the victim's Apple Pay or Google Pay account. Once logged in with the stolen code, the threat actor can link the victim's compromised credit card to the payment app and go on a gift card shopping spree.
The bot will also pretend to be a support agent, warning a potential victim of an unauthorized party requesting access to their bank account. To block the request and secure the account, the victim is asked to enter their banking PIN -- you can guess what happens next.
According to CyberNews researcher Martynas Vareikis, "Using a spoofed caller ID, the bot will appear as a bank or a company on the victim's phone and will try to trick them into sending their one-time password. This is why you shouldn't always trust caller ID, especially if someone is 'warning' you about unauthorized bank charges. There's a dedicated support number printed on the flip side of your bank card, so you can always hang up and call the company back via the dedicated number to resolve your issue."
You can read more about the threat on the CyberNews site and hear a recording of the bot in action below.