ESET, a company specialising in proactive threat detection, warns that criminals are using bots to carry out phone scams known as vishing (voice phishing). These bots help convince unsuspecting users that the call is legitimate and are used to extract one-time passwords (OTP) or verification codes, the second factor in two-factor authentication (2FA) or two-step verification. With the code in hand, the attackers gain access to user accounts on services such as PayPal, Amazon, Coinbase or banks, among others.
Through these bots, known as OTP bots, criminals with limited social engineering skills have an easy way to persuade potential victims. In a traditional telephone scam it is the criminal who personally tries to convince the victim on the other end of the line, so the risk of the victim realising it is a fraud depends largely on the criminal's skill on the phone. Moreover, many companies now use automated systems for customer service, and the familiar, impersonal sound of a bot helps keep the victim from suspecting that anything is wrong.
To compromise an account using the verification code, the cybercriminals must first obtain the user's access credentials (email address and password). It is worth remembering that personal data is a highly prized asset in the cybercrime business, since it has commercial value when used to carry out social engineering attacks.
Theft of information
One of the most frequent consequences of cyberattacks is the theft of information. When a company or service suffers a data breach, the stolen data, which contains users' credentials or other personal information, is usually later put up for sale or even published for free on underground forums. A recent example is the Robinhood trading platform, which suffered an intrusion into its systems that led to the theft of the personal information of 7 million customers. A few days later it emerged that 7 million email addresses of Robinhood users were being offered for sale on hacking forums.
Once the attackers have the username and password of the account they want to compromise, they enter the victim's phone number along with a command and the name of the chosen service, for example PayPal. When the attacker logs in with the stolen credentials, the service sends its verification code to the victim's phone; that is the code the bot is after. The bot then calls the victim posing as that service, using a pretext such as a suspicious transaction. At some point in the conversation, the bot asks the victim to verify their identity by entering the code they have just received on their phone. The victim enters the code, the attacker automatically receives it through the tool and uses it to complete the login.
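As an added illustration (not ESET's code, and not a reproduction of any bot sold in these channels), the following Python model walks through the exchange described above with constructed demo data: a service that texts a single-use, time-limited, session-bound code after a correct password; a bot that triggers the login with leaked credentials and "calls" the victim; and two victim behaviours. The names OtpService, run_otp_bot, trusting_victim and cautious_victim, the demo key and the user record are all assumptions made for the example. The point it makes is that every server-side check on the code passes under relay, because the attacker's own session is the one that requested it; the only step that breaks the chain is the victim refusing to read the code back.

```python
import hashlib
import hmac
import re
import secrets
import time

# Constructed demo values; a real service keeps its key in a KMS/HSM.
SERVER_KEY = b"demo-server-key-not-real"
OTP_TTL_SECONDS = 120
USERS = {"alice": {"password": "hunter2-leaked", "phone": "+15550100"}}  # constructed


class OtpService:
    """Minimal model of a service that texts a 6-digit code after a correct password."""

    def __init__(self, users, clock=time.time):
        self.users = users
        self.clock = clock
        self.pending = {}     # attempt_id -> login attempt awaiting its code
        self.sms_outbox = []  # (phone, text) pairs the service "sent"

    def _code_for(self, attempt_id):
        # Code is derived from the attempt, so a code for attempt A is useless for attempt B.
        mac = hmac.new(SERVER_KEY, attempt_id.encode(), hashlib.sha256).digest()
        return "%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)

    def start_login(self, username, password, client):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"].encode(), password.encode()):
            return None
        attempt_id = secrets.token_hex(8)
        self.pending[attempt_id] = {"phone": user["phone"], "issued": self.clock(),
                                    "client": client, "used": False}
        self.sms_outbox.append((user["phone"],
                                f"Your verification code is {self._code_for(attempt_id)}. Do not share it."))
        return attempt_id

    def finish_login(self, attempt_id, code, client):
        att = self.pending.get(attempt_id)
        if att is None or att["used"]:                      # unknown or already consumed
            return False
        if self.clock() - att["issued"] > OTP_TTL_SECONDS:  # expired
            return False
        if att["client"] != client:                         # must come from the requesting session
            return False
        if not hmac.compare_digest(self._code_for(attempt_id), code):
            return False
        att["used"] = True
        return True


def trusting_victim(outbox, phone):
    """Victim who reads the latest code back to the caller, as the bot's script asks."""
    for to, text in reversed(outbox):
        if to == phone:
            m = re.search(r"\b\d{6}\b", text)
            return m.group(0) if m else None
    return None


def cautious_victim(outbox, phone):
    """Victim who did not place the call, hangs up and contacts the company through official channels."""
    return None


def run_otp_bot(service, username, password, victim):
    """The bot flow from the article: the attacker logs in with leaked credentials, the bot
    calls the victim posing as the service, and the code is relayed to the attacker's session."""
    attacker_session = "attacker-browser"
    attempt_id = service.start_login(username, password, attacker_session)
    if attempt_id is None:
        return "bad credentials"
    phone = service.users[username]["phone"]
    code = victim(service.sms_outbox, phone)  # the "call": victim reads the code back, or not
    if code is None:
        return "victim hung up"
    if service.finish_login(attempt_id, code, attacker_session):
        return "account taken over"
    return "code rejected"


def demo():
    """Three scenarios; the relay succeeds only with leaked credentials and a cooperating victim."""
    return {
        "leaked password + trusting victim": run_otp_bot(OtpService(USERS), "alice", "hunter2-leaked", trusting_victim),
        "leaked password + cautious victim": run_otp_bot(OtpService(USERS), "alice", "hunter2-leaked", cautious_victim),
        "wrong password": run_otp_bot(OtpService(USERS), "alice", "guess", trusting_victim),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

Note that the service here does everything an OTP implementation is normally asked to do (HMAC-derived code bound to the attempt, constant-time comparison, expiry, single use, submission only from the session that requested it) and the relay still succeeds. The controls are not broken; the code is simply a bearer secret, and whoever obtains it within the window wins. This is why the advice at the end of the article, refusing to hand over a code on a call you did not initiate, is the control that actually matters.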
These bots are marketed through Telegram or Discord channels and can be obtained for subscriptions priced from $100 to $1,000; some offer global reach. Their use shows, once again, that criminals are constantly looking for new ways to commit fraud, and their popularity appears to be growing. Given this scenario, it is important that users know this type of scam exists and never enter personal information or codes in response to a call they did not initiate.
Verifying is the key
“The main recommendations to avoid becoming a victim of this type of fraud are: upon receiving a suspicious call, verify its source. It is also important to be wary of its origin and, if in any doubt, end the call as soon as possible. If the person who contacted us claimed to be from a company with which we have a relationship, it is advisable to contact the company through its official channels,” concludes Camilo Gutiérrez Amaya, Head of the Research Laboratory at ESET Latin America.