Telegram bots are out to steal your one-time passwords

New scam lets cyber criminals steal money from victims

Cyber criminals are using bots on the Telegram messenger app to steal one-time password credentials, take control of user accounts, and steal bank funds.

Hackers are using a bot script called SMSRanger to send automatic messages to people, allegedly on behalf of a bank, PayPal, or other popular financial applications, according to a security researcher at Intel471.

Automatic messages prompt users to send one-time password (OTP) codes along with other account information. If successful, Telegram bots collect codes, enabling hackers to bypass the bank's OTP verification system, hack a user’s account, and withdraw funds. 

Researchers said SMSRanger is easy to use. Specifying the numbers, goals, and the company the program will masquerade as is quite simple, so the criminal only needs to know some basic script commands in Telegram. This means SMSRanger is popular not only among experienced cyber criminals, but also among relatively unskilled ones.

Once the hacker enters the target's phone number, the bot does the rest of the work, ultimately granting access to any successfully attacked account. Researchers said hackers using the tool have about an 80% efficacy rate if the victim answered the call and the user’s full information was accurate and updated.

Researchers also discovered another bot called BloodOTPbot. This can send users a fraudulent OTP code via SMS. The bot requires an attacker to spoof the victim’s phone number and impersonate a bank or company representative.

“The bot then would attempt to call the victim and use social engineering techniques to obtain a verification code,” said researchers.

The operator would receive a notification from the bot during the call specifying when to request the OTP during the authentication process. The bot would text the code to the operator once the victim received the OTP and entered it on the phone’s keyboard, added researchers.

A third bot, known as SMS Buster, requires a bit more effort to obtain account information. The bot provides options to disguise a call and make it appear as a legitimate contact from a specific bank, letting the attackers dial from any phone number.

“From there, an attacker could follow a script to trick a victim into providing sensitive details such as an ATM personal identification number (PIN), card verification value (CVV) and OTP, which could then be sent to an individual’s Telegram account. The bot, which was used by attackers targeting Canadian victims, gives users the chance to launch attacks in French and English,” said researchers.

The researchers added they have seen accounts illegally accessed at eight different Canadian-based banks.

“The ease by which attackers can use these bots cannot be understated. While there’s some programming ability needed to create the bots, a bot user only needs to spend money to access the bot, obtain a phone number for a target, and then click a few buttons,” researchers said.
