Telegram bots are out to steal your one-time passwords

New scam lets cyber criminals steal money from victims

Cyber criminals are using bots on the Telegram messenger app to steal one-time password credentials, take over user accounts, and steal bank funds.

Hackers are using a bot script called SMSRanger to send automatic messages to people, allegedly on behalf of a bank, PayPal, or other popular financial applications, according to a security researcher at Intel 471.

Automatic messages prompt users to send one-time password (OTP) codes along with other account information. If successful, Telegram bots collect codes, enabling hackers to bypass the bank's OTP verification system, hack a user’s account, and withdraw funds. 

Researchers said SMSRanger is easy to use. Specifying numbers, goals, and the company the program will masquerade as is quite simple, so the criminal only needs to know some basic script commands in Telegram. This means SMSRanger is popular not only among experienced cyber criminals, but also among relatively unskilled ones.

Once the hacker enters the target's phone number, the bot does the rest of the work, ultimately granting access to any successfully attacked account. Researchers said hackers using the tool have about an 80% efficacy rate if the victim answered the call and the user’s full information was accurate and updated.

Researchers also discovered another bot called BloodOTPbot. This can send users a fraudulent OTP code via SMS. The bot requires an attacker to spoof the victim’s phone number and impersonate a bank or company representative.

“The bot then would attempt to call the victim and use social engineering techniques to obtain a verification code,” said researchers.

The operator would receive a notification from the bot during the call specifying when to request the OTP during the authentication process. The bot would text the code to the operator once the victim received the OTP and entered it on the phone’s keyboard, added researchers.

A third bot, known as SMS Buster, requires a bit more effort to obtain account information. The bot provides options to disguise a call and make it appear as a legitimate contact from a specific bank, letting the attackers dial from any phone number.

“From there, an attacker could follow a script to trick a victim into providing sensitive details such as an ATM personal identification number (PIN), card verification value (CVV) and OTP, which could then be sent to an individual’s Telegram account. The bot, which was used by attackers targeting Canadian victims, gives users the chance to launch attacks in French and English,” said researchers.

The researchers added they have seen accounts illegally accessed at eight different Canadian-based banks.

“The ease by which attackers can use these bots cannot be understated. While there’s some programming ability needed to create the bots, a bot user only needs to spend money to access the bot, obtain a phone number for a target, and then click a few buttons,” researchers said.
