Telegram bots allowing hackers to steal OTP codes
A simplified new attack tool based on Telegram scripts is allowing criminals to steal one-time password credentials and take over user accounts and drain bank funds.
Cybercriminals are taking advantage of scripting tools to create bots in the Telegram chat app that make account theft and bank fraud easier than before.
Researchers with security firm Intel 471 issued a report Wednesday detailing how criminal hackers are using a bot script called SMSRanger to send automated messages to people masquerading as a bank, PayPal or other popular financial apps.
The automated messages direct users to send over their one-time password (OTP) codes, along with other account info. If successful, the Telegram bots harvest the codes, and the hacker is able to bypass the bank's OTP verification system, take over the user's account and drain the funds.
"Over the past few months, we've seen actors provide access to services that call victims, appear as a legitimate call from a specific bank and deceive victims into typing an OTP or other verification code into a mobile phone in order to capture and deliver the codes to the operator," Intel 471 said in its report.
"Some services also target other popular social media platforms or financial services, providing email phishing and SIM swapping capabilities."
What sets SMSRanger apart from other tools, say the researchers, is its ease of use. The ability to set the numbers, targets and company to be impersonated are simple enough that the criminal needs to know only some basic scripting commands on Telegram.
Because of this, the SMSRanger tool is popular with not only seasoned attackers, but relatively unskilled cybercriminals as well.
"Once a target's phone number has been entered, the bot does the rest of the work, ultimately granting access to whatever account has been targeted," the researchers noted.
"Users claim that SMSRanger has an efficacy rate of about 80% if the victim answered the call and the full information (fullz) the user provided was accurate and updated."
SMSRanger is not the only bot to take advantage of the easy-to-use scripting functions. Intel 471 also observed a tool known as SMS Buster that similarly offers an ease of use and is able to collect even more detailed account information, such as card numbers and CVV codes.
The fear is that with tools like Telegram bots becoming more user-friendly, the pool of criminals who can commit cybercrime expands dramatically. This would, of course, lead to more scams and further losses for both individual customers and businesses.
"The ease by which attackers can use these bots cannot be understated," said the Intel 471 team.
"While there's some programming ability needed to create the bots, a bot user only needs to spend money to access the bot, obtain a phone number for a target, and then click a few buttons."