Category: Adversary Intelligence	Industry: Finance and Banking	Region: Global	Source*: C3

Executive Summary

THREAT	IMPACT	MITIGATION
Generaly, a new OTP bot setup capable of capturing OTP, Card CVV, pin codes, and recordings of the spoofed calls. The bot has a dedicated Telegram channel to capture & display information.	Captured OTP can be used to bypass 2FA and gain complete access to bank accounts. P2P payment services like Cashapp and Paypal are affected.	Implement bot-detection technologies and algorithms. Verify the legitimacy of the caller before giving away vital information.

Analysis and Attribution

• CloudSEK’s contextual AI digital risk platform, XVigil, discovered a post where a threat actor was advertising a Telegram OTP Bot named Generaly.
• OTPs (one-time passwords) are widely regarded as a fool-proof security measure to guarantee authentication whether for authorizing a bank transfer or gaining access to your online accounts.

[caption id="attachment_20059" align="aligncenter" width="1635"] The crux of the threat actor’s services, advertised on the forum[/caption]  

• Another actor was observed offering a bot that could bypass accounts on Paypal, Amazon and in banking/payment sectors. (For more information refer to the Appendix)
• Generaly bot is designed to bypass authentication on payment gateway platforms like Venmo, Paypal, and Cashapp.
• Its use case can be extended to the banking sector with the stealing of card CVV and pin codes.

Modus Operandi

• Prior to the attack, the actor provides the victim’s PII to the bot (phone number is entered with /pp or /call prefixes).
• The bot impersonates a legitimate entity (bank, e-commerce store, etc) by making a spoofed call from the toll-free customer care number to the intended target.
• Telegram bots do not need a registered number, so the possibility of call traces and number lookups can be eliminated.
• The reason for the call can range from anything like unauthorized activity on a bank account or on the online account portal.
• The threat actor then coaxes the victim to log in to the bank’s portal, to verify if the said incident <insert reason> happened.
• Authentication apps or similar mechanisms incorporated on websites, help to validate a legitimate session from said user.
• The bot captures the credentials entered and the OTP from the victim gets exfiltrated.
• Once the OTP is secured, the attacker gains complete access to the compromised accounts.
• This access can be further leveraged for malicious purposes such as withdrawals and long-term access, etc.
• Similar technique is employed to steal CVV numbers and pin codes from bank-issued credit/debit cards.

Tactics, Techniques & Procedures

Adversary Infrastructure

• One of Telegram’s attractive offerings are bots that are used to communicate with humans. Many businesses make use of them to streamline customer needs.
• In this instance, bots are used by threat actors as infrastructure to conduct cybercrime by:
  • Capturing the OTP
  • Transmitting the OTP to the server side
• The bot comes with a number of predefined message templates that show the steps involved in the crime from the time the victim is first contacted until they hang up.
• An audio transcript of the call is also delivered to the attacker upon conclusion.

Tactics observed

• Social Engineering
• Stealing of OTP and other sensitive information (CVV number, card pin, etc).
• Use of dedicated infrastructure service on Telegram (subtag).

[caption id="attachment_20060" align="aligncenter" width="798"] Screenshot of the dedicated channel of the Generaly bot, on Telegram[/caption]  

Monetary Benefits

• Three lease options, i.e daily, weekly, and monthly plans, are available for the bot.
• There is an option to purchase the bot outright for USD 250,000.
• Primary mode of purchase is via cryptocurrency using Coinbase as a payment platform.
• Payments can also be made via other cryptocurrencies like Ethereum, Bitcoin, and Bitcoin Cash.
• Access to the bot is sent to the customer’s email address.

 

Threat Actor Activity & Rating

Threat Actor Profiling
Active since	October 2020
Reputation	High (Few complaints and concerns against them)
Current Status	Active
History	Seller of spammed credit cards and gift cards for popular brands like Dunkin’ Donuts & Amazon. They also sell logs sourced from information stealers. Provides tools and services for smishing attacks and OTP bypasses. Known for paying other actors for promoting their website’s products and offerings.
Target Countries	France, India, & USA
Point of Contact	SNOWXUP Telegram Channel (t[.]me/snowxup - 4,542 subscribers), SNOWXUP Online Store, Discord (1,622 members), SNOWXUP support channel (t[.]me/datasnow), Bot Telegram Channel (@GeneralyOTPbot)
Rating	C3 (C: Fairly reliable, 3: Possibly True)

 

SNOWXUP Online Store

The alleged domain is registered in Turkey and the table below contains its IP and server-related information.

IP Address	Name Servers
104.21.13.49	Austin.ns.cloudflare.com (United States)
172.67.154.161	Jean.ns.cloudflare.com (United States)

Impact and Mitigation

Impact	Mitigation
The OTP captured OTP by the bot can be missued to conduct withdrawals, maintain persistence, etc. The bot can be used to bypass 2FA mechanisms and to gain complete access to online/bank accounts.	Implement bot-detection technologies and algorithms. Create awareness against social engineering tactics. Ask the right questions and verify the legitimacy of the individual that is calling, before giving away vital or sensitive information.

References

• ^#Traffic Light Protocol
• *Intelligence Source & Information Reliability
• OTP Bot Setup Services offered on cybercrime forum - CloudSEK

Appendix

[caption id="attachment_20061" align="aligncenter" width="813"] An instance of the attack taking place[/caption]   [caption id="attachment_20062" align="aligncenter" width="543"] Core purposes of the Generaly bot[/caption]   [caption id="attachment_20063" align="aligncenter" width="1032"] Another instance of the OTP stealing attack taking place[/caption] [caption id="attachment_20064" align="aligncenter" width="1050"] Price descriptions for the sale of the OTP bot[/caption]   [caption id="attachment_20065" align="aligncenter" width="438"] Image of options to send purchased goods[/caption]   [caption id="attachment_20066" align="aligncenter" width="1264"] Payment methods that are offered to the customer while purchasing the bot[/caption]     [caption id="attachment_20067" align="aligncenter" width="390"] Profile specifics of the threat actor, SNOWXUP - on the underground forum[/caption]   [caption id="attachment_20068" align="aligncenter" width="1635"] Sponsored advertisements on other threat actor’s profile[/caption]   [caption id="attachment_20069" align="aligncenter" width="531"] SNOWXUP’s Telegram channel that advertises their services and offerings[/caption]   [caption id="attachment_20070" align="aligncenter" width="396"] Channel specifics of the threat actor’s shop on Telegram, SNOWXUP[/caption]   [caption id="attachment_20071" align="aligncenter" width="488"] Samples received by CloudSEK’s researchers’ source[/caption]   [caption id="attachment_20072" align="aligncenter" width="1437"] Domain registration information of snowxup.com suggests it to be a new website[/caption]   [caption id="attachment_20073" align="aligncenter" width="1039"] No transactions had taken place, on this BTC address, at the time of writing this report.[/caption]   (Source - https://www.blockchain.com/btc/address/39WE5wB4WUxbQSvE9DFjmRN7GgR2kMfoKD)