Advanced Automated Social Engineering Bots: The High Tide of Social Engineering Bots and the Scammers Riding Them

The COVID 19 outbreak has significantly changed the way we operate in our day-to-day lives. From the unprecedented shift to remote working, to the dependency on online outlets for the fulfillment of even our most basic needs, the internet has become both our boon and our bane. So, it should come as no surprise that the pandemic is marred with an uptick in sophisticated phishing email schemes by cybercriminals who are on a constant lookout for footholds to infiltrate a company or an organization.

Social Engineering – A manipulative bait or a good samaritan?

Social engineering is the formal name for the psychology of persuading and manipulating people into feeling a sense of urgency in taking a certain action. Think about advertisers convincing us to believe that a certain brand of jeans is cooler than the other. Or how massive public health campaigns remind you to get your shot. While this may seem like an innocent marketing trick or a simple awareness drive, in Cybersecurity, Social Engineering has a more sinister motive. Attackers often use all sorts of psychological tricks to lure their victims into opening dodgy emails, clicking suspicious links, handing over passwords, downloading sketchy attachments, and engaging in other unsafe behaviors that may ultimately lead to large scale ransomware attacks or data breaches.

Social engineering attacks are possibly one of the most dangerous forms of security and privacy attacks since they are technically oriented to psychological manipulation and have been growing in frequency with no end in sight. Recent reports have shown that 99% of cyber attacks use social engineering techniques to trick users into installing malware. So, it is important to educate yourself and your workforce on some key indicators of scams and frauds.

Sharing is not caring when it comes to cybersecurity

Social engineering has been one of the largest threats to an organization’s cybersecurity for some time. Scammers are becoming more clever and sophisticated in their attack methods. Several instances have occurred wherein people receive phone calls that appear to be from their bank. The caller sounds legitimate and provides a convincing reason for calling the customer. After comforting the victim with a false blanket of security, the victim is often tricked into giving away their personal and confidential data such as:

• One-Time-Password (OTP)
• Credit/ debit card number
• The card’s CVV number (Card Verification Value – 3 to 4 digit number printed on the flip side of the card)
• Expiry date
• Secure password
• ATM PIN
• Internet banking login ID and password and other personal information

With all such crucial information at hand, a fraudster can easily carry out illegal financial transactions using the victim’s name.

Automated cyber criminals

Manual fomite of such attacks is quite cumbersome since it requires a lot of human effort to collect the data, analyze, and convince the victim to share their OTP. But cybercriminals have chanced upon a lucrative solution to this problem. They have hopped upon advanced technology that scams using bots that are ultimately safe and steady for the attackers since there are no aftermath traces to be taken care of. This has understandably caused a surge in underground forums and markets with advertisements sales of  OTP/ SMS bots. We may call it an automated social engineering tool.

Bots are automated to do certain tasks and interactions, and can often run without human assistance. They take up a huge amount of the traffic on the internet, and there are both good and bad bots.

Good bots often crawl the internet to match our needs and requirements accordingly. Google bots, for instance, help catalog what’s online, so that our search results may be faster and more optimized. Chatbots on the other hand are a good substitute for customer services since they engage with the users to note and cater to them accordingly.

The bad or malevolent bots, on the other hand, can be programmed to break into users’ accounts and steal data, infect computers with dangerous viruses or malware, or perform incessant spamming which ultimately brings down the website. Cybercriminals use bad bots to take over a computer and link it to others to make a network of “zombie computers” called a botnet that can then launch large-scale cyber attacks, thereby blocking users from the internet altogether.

Analysis of forum advertisement

ASC (Asylum for real carders) is a China-based English cybercriminal forum that was launched in 2019. ASC initially started out as a small carding-based forum, but since 2021 has accumulated almost 16,116 members, a relatively large number for a platform that has been active. As a result, the site has more than 250 daily visitors and has 2022 threads. The most active section on ASC is the ‘Carding & Hacking’ Zone, which includes subforums relating to virtual carding, bank carding, cardable sites, hacking tools, payment systems, and tips for newbies on carding activity and methods. Some of the forum’s staff members appear to be particularly active in this section and have created a high proportion of its threads.

The forum added new sections such as VERIFIED MARKET and PREMIUM SECTION. Generally, such forums provide a black marketplace for cybercriminals to exchange malicious tools and services that facilitate all stages of cyber carding crime.

Bad bots – A wretched disguise 

SMS Ranger is an OTP & SMS capture bot that is capable of getting OTP & SMS codes from victims by impersonating a company or bank. These bots help to get OTP for logins, banks, credit cards, Apple Pay, and more. Traditional methods like SIM swapping for OTP codes are not required. These bots can capture any OTP/ 2FA codes as well as personal info. The service cost is based on the country and monthly subscription as mentioned in the platform:

• 1 month: USD 600
• 2 months: USD 1100
• 5 months: USD 2400
• Lifetime: USD 4000

The package includes unlimited calls to the US, Canada, or the UK. For all other countries, the service is available for USD 300.

The key features of this service are:

• Multiple modes to choose from (OTP for logins/ banks /credit cards/ Apple Pay, etc.)
• Unique text-to-speech each call (Male/Female voice)
• Multiple languages supported (English/French etc)
• Multiple countries supported (US / CA/ UK/ AUS/ FR/ RU/ IND)
• Constant updates every week

Users usually have to create an account and sign up or contact the service provider via Telegram to avail the bot service through these websites. Scammers generally collect personal information on the dark web or even on social media to sabotage even the most vigilant of people. On the other hand, card leaks from carding shops and data breaches give social engineers more personal information to exploit in a social engineering attack, thereby substantially catalyzing their chances of targeting individuals and committing fraud in the digital age.

Technical analysis

This fraudulent scam involves simple steps:

• The services, promoted on Telegram, appear to make it remarkably simple for the end-user to scam unsuspecting victims by providing quite menial information via a Telegram chat window to the service.

• The bot itself is being sold on a Telegram chat room that currently boasts more than 2000 members, getting its creators massive profits from selling monthly subscriptions to cybercrooks.

• Initially, the bot conversation starts with service renewal by the users and provides the option to select the language and voice. The bot offers variety modes of features which include:
  • Bank OTP mode (select any bank worldwide)
  • Apple/ Google Pay code mode
  • PayPal login mode
  • Account mode (to login to 2FA accounts)
  • Email mode (bypass email security)
  • Carrier mode (capture codes for sim-swapping)
  • Bankmore mode (enhanced banking mode)
  • Credential mode (capture DOB/MMN/ and much more)

This bot also has a new feature of asking users the number of digits present in the OTP. This in turn helps to avoid the victim from inputting a wrong OTP or none at all.

• Once installed, the OTP bot allows its operator to collect one-time passwords from unsuspecting victims by simply inserting the target’s phone number, as well as any other data obtained from data leaks or the black market, into the bot’s Telegram chat window. It dials the phone number after supplying the victim’s information, and then plays an audio file that sounds like
  https://www.youtube.com/watch?v=GNXhHAh67DQ(proof acquired by cybernews) or https://drive.google.com/file/d/1YE9XUWUgouvO_20UtsZnBzTiXz4Za8Xi/view?usp=sharing
  • By listening to the recorded call, it is relatively clear that the voice of the OTP bot was generated using a text-to-speech program. The call often seems too genuine to be ignored.
  • An insight scammer often relies upon the human tendency to perceive prerecorded messages and robot voices to be more trustworthy. These bots are nothing more than sinister robocall bots that have been programmed to call unsuspecting victims and convince them to turn over one-time passwords or SMS codes, which can then be used by fraudsters to log in and ransack their accounts.
  • In just a few minutes, the OTP bot manages to successfully capture the code.
  • Fraudulent credit card transactions are a favorite among fraudsters because stolen phone numbers and credit card information are relatively easy to obtain from the black market. The creators of the automated social engineering tool boast of being able to extract one-time passwords for Gmail, Coinbase, Bank of America, Chase, PayPal, etc.

   

  

  

   

  Safeguarding against such malicious techniques and scams

  • Never share personal information with anyone – This includes information such as names, user names, email addresses, passwords, PINs, or any other information that may be used to identify you. Bank representatives or robocalls never ask for such details from the customers.
  • Don’t answer calls from unknown numbers –  If you do and someone you don’t know starts asking you for personal information, hang up immediately.
  • Take it slow – Scammers often try to create a false sense of urgency in order to pressure you into giving up your information. If someone attempts to force you to make a decision, hang up or tell them you will call back later. Next, call the official number of the business they’re purporting to represent.
  • Don’t trust caller ID – Scammers can appear like a company or someone from your contact list by using fake names and phone numbers. Remember, financial service providers never call their customers to confirm their personal information. In case of suspicious activity, simply block the concerned account and expect the user to contact the company via official channels to resolve the issue. As such, always stay alert, even if the caller ID on your phone screen looks genuine.

   

  References

  • https://frankonfraud.com/fraud-trends/otp-bots-take-social-engineering-fraud-to-new-level/?__cf_chl_captcha_tk__=pmd_6cfe7546c5b5bb4762c7bf7c115432fb15886e35-1628059675-0-gqNtZGzNAvijcnBszQi6
  • https://www.businesstoday.in/latest/trends/story/is-your-otp-safe-here-is-how-hackers-are-redirecting-your-sms-290921-2021-03-16
  • https://cybernews.com/security/new-robocall-bot-on-telegram-can-trick-you-into-giving-up-your-password/
  • https://www.youtube.com/watch?v=GNXhHAh67DQ
  • https://www.zeebiz.com/personal-finance/news-what-is-vishing-scam-know-how-to-avoid-falling-victim-of-this-online-banking-fraud-101895
  • https://digitalguardian.com/blog/social-engineering-attacks-common-techniques-how-prevent-attack