|Category: Adversary Intelligence||Industry: Finance and Banking||Region: Global||Source*: C3|
- CloudSEK’s contextual AI digital risk platform, XVigil, discovered a post where a threat actor was advertising a Telegram OTP Bot named Generaly.
- OTPs (one-time passwords) are widely regarded as a fool-proof security measure to guarantee authentication whether for authorizing a bank transfer or gaining access to your online accounts.
- Another actor was observed offering a bot that could bypass accounts on Paypal, Amazon and in banking/payment sectors. (For more information refer to the Appendix)
- Generaly bot is designed to bypass authentication on payment gateway platforms like Venmo, Paypal, and Cashapp.
- Its use case can be extended to the banking sector with the stealing of card CVV and pin codes.
- Prior to the attack, the actor provides the victim’s PII to the bot (phone number is entered with /pp or /call prefixes).
- The bot impersonates a legitimate entity (bank, e-commerce store, etc) by making a spoofed call from the toll-free customer care number to the intended target.
- Telegram bots do not need a registered number, so the possibility of call traces and number lookups can be eliminated.
- The reason for the call can range from anything like unauthorized activity on a bank account or on the online account portal.
- The threat actor then coaxes the victim to log in to the bank’s portal, to verify if the said incident <insert reason> happened.
- Authentication apps or similar mechanisms incorporated on websites, help to validate a legitimate session from said user.
- The bot captures the credentials entered and the OTP from the victim gets exfiltrated.
- Once the OTP is secured, the attacker gains complete access to the compromised accounts.
- This access can be further leveraged for malicious purposes such as withdrawals and long-term access, etc.
- Similar technique is employed to steal CVV numbers and pin codes from bank-issued credit/debit cards.
- One of Telegram’s attractive offerings are bots that are used to communicate with humans. Many businesses make use of them to streamline customer needs.
- In this instance, bots are used by threat actors as infrastructure to conduct cybercrime by:
- Capturing the OTP
- Transmitting the OTP to the server side
- The bot comes with a number of predefined message templates that show the steps involved in the crime from the time the victim is first contacted until they hang up.
- An audio transcript of the call is also delivered to the attacker upon conclusion.
- Social Engineering
- Stealing of OTP and other sensitive information (CVV number, card pin, etc).
- Use of dedicated infrastructure service on Telegram (subtag).
- Three lease options, i.e daily, weekly, and monthly plans, are available for the bot.
- There is an option to purchase the bot outright for USD 250,000.
- Primary mode of purchase is via cryptocurrency using Coinbase as a payment platform.
- Payments can also be made via other cryptocurrencies like Ethereum, Bitcoin, and Bitcoin Cash.
- Access to the bot is sent to the customer’s email address.
|Threat Actor Profiling|
|Active since||October 2020|
|Reputation||High (Few complaints and concerns against them)|
|Target Countries||France, India, & USA|
|Point of Contact||SNOWXUP Telegram Channel (t[.]me/snowxup - 4,542 subscribers), SNOWXUP Online Store, Discord (1,622 members), SNOWXUP support channel (t[.]me/datasnow), Bot Telegram Channel (@GeneralyOTPbot)|
|Rating||C3 (C: Fairly reliable, 3: Possibly True)|
|IP Address||Name Servers|
|126.96.36.199||Austin.ns.cloudflare.com (United States)|
|188.8.131.52||Jean.ns.cloudflare.com (United States)|
- #Traffic Light Protocol
- *Intelligence Source & Information Reliability
- OTP Bot Setup Services offered on cybercrime forum - CloudSEK