The COVID-19 outbreak has significantly changed the way we operate in our day-to-day lives. From the unprecedented shift to remote working to our dependence on online services for even the most basic needs, the internet has become both our boon and our bane. So it should come as no surprise that the pandemic has been marred by an uptick in sophisticated phishing schemes run by cybercriminals who are constantly looking for footholds from which to infiltrate a company or organization.
Social Engineering – A manipulative bait or a good Samaritan?
Social engineering is the formal name for the psychology of persuading and manipulating people into feeling a sense of urgency to take a particular action. Think of advertisers convincing us that one brand of jeans is cooler than another, or public health campaigns reminding you to get your shot. While that may seem like an innocent marketing trick or a simple awareness drive, in cybersecurity social engineering has a more sinister motive. Attackers use all sorts of psychological tricks to lure victims into opening dodgy emails, clicking suspicious links, handing over passwords, downloading sketchy attachments and engaging in other unsafe behaviour that can ultimately lead to large-scale ransomware attacks or data breaches.
Social engineering attacks are among the most dangerous forms of security and privacy attack: they target the person rather than the technology, so no patch closes them, and they have been growing in frequency with no end in sight. Industry reports have claimed that as many as 99% of cyber attacks rely on some form of social engineering to trick users into installing malware. So it is important to educate yourself and your workforce on the key indicators of scams and fraud.
Sharing is not caring when it comes to cybersecurity
Social engineering has been one of the largest threats to an organization’s cybersecurity for some time, and scammers keep getting cleverer and more sophisticated in their methods. In a common variant, people receive phone calls that appear to come from their bank. The caller sounds legitimate and offers a convincing reason for calling. After lulling the victim into a false sense of security, the caller tricks them into giving away personal and confidential data such as:
- One-Time-Password (OTP)
- Credit/ debit card number
- The card’s CVV (Card Verification Value – the 3-digit number printed on the back of the card, or the 4-digit code printed on the front of American Express cards)
- Expiry date
- Secure password
- ATM PIN
- Internet banking login ID and password and other personal information
With all such crucial information at hand, a fraudster can easily carry out illegal financial transactions using the victim’s name.
Automated cyber criminals
Carrying out such attacks manually is cumbersome: it takes a lot of human effort to collect the data, analyze it and talk the victim into sharing their OTP. Cybercriminals have found a lucrative solution to this problem. They have adopted bots that run the scam for them, which is safer and more reliable for the attackers because no human operator is on the line and there are fewer traces to clean up afterwards. This has understandably caused a surge of advertisements on underground forums and markets offering OTP/SMS bots for sale. We may call it an automated social engineering tool.
Bots are programs automated to perform certain tasks and interactions, and they usually run without human assistance. They account for a large share of internet traffic, and there are both good and bad bots.
Good bots crawl the internet on our behalf: Google’s crawlers, for instance, catalogue what is online so that search results are faster and more relevant. Chatbots likewise stand in for customer service staff, engaging with users to record and address their needs.
Bad or malicious bots, on the other hand, can be programmed to break into users’ accounts and steal data, infect computers with malware, or flood a website with junk traffic until it goes down. Cybercriminals also use bad bots to take over computers and link them into a network of “zombie” machines, a botnet, which can then launch large-scale attacks that knock services offline for everyone.
Analysis of forum advertisement
ASC (Asylum for real carders) is a China-based, English-language cybercriminal forum launched in 2019. ASC started out as a small carding forum but has since 2021 grown to roughly 16,116 members, a large number for such a young platform. The site sees more than 250 visitors a day and hosts 2,022 threads. Its most active section is the ‘Carding & Hacking’ zone, which includes subforums on virtual carding, bank carding, cardable sites, hacking tools, payment systems, and tips for newcomers on carding activity and methods. Some of the forum’s staff appear to be particularly active in this section and have created a high proportion of its threads.
The forum has added new sections such as VERIFIED MARKET and PREMIUM SECTION. Forums of this kind provide a black market where cybercriminals exchange the malicious tools and services that support every stage of carding fraud.
Bad bots – A wretched disguise
SMS Ranger is an OTP and SMS capture bot that obtains OTP and SMS codes from victims by impersonating a company or bank. The bot is advertised as obtaining OTPs for logins, banks, credit cards, Apple Pay and more, with no need for traditional techniques such as SIM swapping. It claims to capture any OTP or 2FA code as well as personal information. The price depends on the country and the subscription length, as listed on the platform:
- 1 month: USD 600
- 2 months: USD 1100
- 5 months: USD 2400
- Lifetime: USD 4000
The package includes unlimited calls to the US, Canada or the UK; for all other countries the service is advertised at USD 300.
The key features of this service are:
- Multiple modes to choose from (OTP for logins/ banks /credit cards/ Apple Pay, etc.)
- Unique text-to-speech each call (Male/Female voice)
- Multiple languages supported (English, French, etc.)
- Multiple countries supported (US, CA, UK, AUS, FR, RU, IND)
- Constant updates every week
Users usually have to create an account on the vendor’s website or contact the service provider via Telegram to obtain the bot. Scammers collect personal information about their targets on the dark web or even on social media, which lets them fool even vigilant people. Card dumps from carding shops and data breaches give social engineers still more personal detail to exploit, substantially increasing their chances of targeting individuals and committing fraud in the digital age.
Technical analysis
The scam works in a few simple steps:
- The services, promoted on Telegram, make it remarkably easy for the end user to defraud unsuspecting victims: the operator only has to supply a minimal amount of information through a Telegram chat window.
- The bot itself is sold in a Telegram chat room that currently has more than 2,000 members, earning its creators substantial profits from monthly subscriptions sold to other criminals.
- The conversation starts with the user renewing the service and choosing the language and voice. The bot then offers a variety of modes, including:
- Bank OTP mode (select any bank worldwide)
- Apple/ Google Pay code mode
- PayPal login mode
- Account mode (to login to 2FA accounts)
- Email mode (bypass email security)
- Carrier mode (capture codes for sim-swapping)
- Bankmore mode (enhanced banking mode)
- Credential mode (capture date of birth, mother’s maiden name and much more)
The bot also has a newer feature that asks the operator how many digits the expected OTP has. This lets the bot check the digits the victim keys in and re-prompt if the victim enters a code of the wrong length or nothing at all.
- Once the subscription is active, the OTP bot lets its operator collect one-time passwords from unsuspecting victims simply by entering the target’s phone number, together with any other data obtained from leaks or the black market, into the bot’s Telegram chat window. The bot dials the number and plays a synthesized message in the name of the impersonated bank or company. Recordings of such a call are available at https://www.youtube.com/watch?v=GNXhHAh67DQ (captured by Cybernews) and https://drive.google.com/file/d/1YE9XUWUgouvO_20UtsZnBzTiXz4Za8Xi/view?usp=sharing. Listening to the recording, it is clear that the voice was generated by a text-to-speech program, yet the call sounds genuine enough that many people would not ignore it.
- Scammers rely on the human tendency to treat prerecorded messages and robotic voices as more trustworthy than a live stranger, since real banks use the same kind of automated calls. These bots are nothing more than robocall bots programmed to call victims and talk them into reading back one-time passwords or SMS codes, which the fraudster then uses to log in and ransack their accounts.
- In just a few minutes, the OTP bot manages to successfully capture the code.
- Fraudulent card transactions are a favorite among these criminals because stolen phone numbers and card details are cheap and easy to buy on the black market. The creators of the automated social engineering tool boast of being able to extract one-time passwords for Gmail, Coinbase, Bank of America, Chase, PayPal and others.
Safeguarding against such malicious techniques and scams
- Never share personal information with anyone who calls you – This includes names, user names, email addresses, passwords, PINs, OTPs, or any other information that could be used to identify you or authorize a transaction. Genuine bank representatives and automated bank calls never ask customers for such details.
- Don’t answer calls from unknown numbers – If you do and someone you don’t know starts asking you for personal information, hang up immediately.
- Take it slow – Scammers often try to create a false sense of urgency in order to pressure you into giving up your information. If someone attempts to force you to make a decision, hang up or tell them you will call back later. Next, call the official number of the business they’re purporting to represent.
- Don’t trust caller ID – Scammers can make a call look as if it comes from a company or from someone in your contact list by spoofing names and phone numbers. Remember that financial service providers do not call customers to “confirm” their personal information. When a bank detects suspicious activity it simply blocks the account concerned and expects the customer to contact it through official channels, not the other way round. So stay alert even when the caller ID on your screen looks genuine.
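The advice above protects the customer; the call flow described in the technical analysis also leaves a pattern in the bank’s own logs that the bank can act on. The following is an added example, not part of the original article and not code from any vendor or bank: a heuristic that scans OTP issuance and verification events for the combination an OTP bot tends to produce (a code accepted minutes after the challenge rather than seconds, from a device that has never used the card, after repeated challenges for the same card). The log format, the sample log lines, the device baseline and the timing thresholds are all constructed for illustration and would need tuning against real data.

```python
"""Bank-side heuristic for spotting OTP-bot style code capture in authentication logs."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed sample log (not real bank data). The line format is an assumption:
#   <ISO timestamp> <event> card=<id> device=<id> [amount=<n>] [result=ok|fail]
SAMPLE_LOG = """\
2021-08-03T10:00:00 otp_sent card=4111 device=d-known amount=42.10
2021-08-03T10:00:12 otp_verify card=4111 device=d-known result=ok
2021-08-03T11:30:00 otp_sent card=5500 device=d-new1 amount=1499.00
2021-08-03T11:31:40 otp_verify card=5500 device=d-new1 result=fail
2021-08-03T11:32:05 otp_sent card=5500 device=d-new1 amount=1499.00
2021-08-03T11:34:20 otp_verify card=5500 device=d-new1 result=ok
"""

# Constructed baseline: devices that have previously completed an OTP for each card.
KNOWN_DEVICES: Dict[str, Set[str]] = {"4111": {"d-known"}, "5500": {"d-home"}}

# Assumed tuning values, not taken from the article: a customer typing a code into
# their own checkout normally does so within seconds, whereas a robocall has to dial,
# play its script and collect the digits, which takes minutes.
MIN_CALL_DELAY = timedelta(seconds=60)
MAX_CALL_DELAY = timedelta(minutes=10)
RETRY_WINDOW = timedelta(minutes=10)   # repeated challenges suggest the operator re-dialling
MIN_SIGNALS = 2                        # how many signals must coincide before alerting


@dataclass
class Event:
    ts: datetime
    kind: str
    card: str
    device: str
    amount: Optional[float] = None
    result: Optional[str] = None


def parse_log(text: str) -> List[Event]:
    """Parse the assumed log format into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        events.append(Event(
            ts=datetime.fromisoformat(ts), kind=kind, card=f["card"], device=f["device"],
            amount=float(f["amount"]) if "amount" in f else None, result=f.get("result")))
    return sorted(events, key=lambda e: e.ts)


def detect(events: List[Event], known: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return {card: [signals]} for successful OTP verifications that look bot-assisted."""
    alerts: Dict[str, List[str]] = {}
    sends: Dict[str, List[Event]] = {}   # per-card OTP challenges seen so far
    for ev in events:
        if ev.kind == "otp_sent":
            sends.setdefault(ev.card, []).append(ev)
            continue
        if ev.kind != "otp_verify" or ev.result != "ok" or ev.card not in sends:
            continue
        last = sends[ev.card][-1]
        signals = []
        delay = ev.ts - last.ts
        if MIN_CALL_DELAY <= delay <= MAX_CALL_DELAY:
            signals.append(f"code accepted {int(delay.total_seconds())}s after challenge (voice-call timescale)")
        if ev.device not in known.get(ev.card, set()):
            signals.append(f"device {ev.device} has never used this card before")
        recent = [s for s in sends[ev.card] if ev.ts - s.ts <= RETRY_WINDOW]
        if len(recent) >= 2:
            signals.append(f"{len(recent)} OTP challenges within {RETRY_WINDOW}")
        if len(signals) >= MIN_SIGNALS:
            alerts[ev.card] = signals
    return alerts


if __name__ == "__main__":
    for card, why in detect(parse_log(SAMPLE_LOG), KNOWN_DEVICES).items():
        print(f"card {card}: hold for review\n  - " + "\n  - ".join(why))
```

In the constructed sample, card 4111 is a customer entering their own code twelve seconds after it was sent from a device they have used before, so nothing fires; card 5500 shows a code accepted 135 seconds after the second challenge, from an unknown device, after two challenges in a few minutes, and all three signals coincide. None of these signals alone is proof of fraud, which is why the heuristic requires them to coincide; a flagged transaction is a candidate for a hold and a callback on the customer’s registered number, not an automatic decline.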
References
- https://frankonfraud.com/fraud-trends/otp-bots-take-social-engineering-fraud-to-new-level/
- https://www.businesstoday.in/latest/trends/story/is-your-otp-safe-here-is-how-hackers-are-redirecting-your-sms-290921-2021-03-16
- https://cybernews.com/security/new-robocall-bot-on-telegram-can-trick-you-into-giving-up-your-password/
- https://www.youtube.com/watch?v=GNXhHAh67DQ
- https://www.zeebiz.com/personal-finance/news-what-is-vishing-scam-know-how-to-avoid-falling-victim-of-this-online-banking-fraud-101895
- https://digitalguardian.com/blog/social-engineering-attacks-common-techniques-how-prevent-attack