Upgraded Version of Generaly OTP Bot for MFA Bypass on Popular Payment Platforms

Upgraded version of Generaly OTP bot advertised on a cybercrime forum. The bot has a dedicated Telegram channel to capture & display information. Captured OTP can be used to bypass 2FA and gain complete access to bank accounts.
Updated on April 19, 2023
Published on September 30, 2022
Category: Adversary Intelligence | Industry: Finance and Banking | Country: Global | Source*: C3

Executive Summary

Threat
  • Upgraded version of Generaly OTP bot advertised on a cybercrime forum.
  • The bot has a dedicated Telegram channel to capture & display information.
Impact
  • Captured OTP can be used to bypass 2FA and gain complete access to bank accounts.
  • Popular payment apps like Google Pay, Samsung Pay and Apple Pay are targeted.
Mitigation
  • Implement bot-detection technologies and algorithms.
  • Verify the legitimacy of the caller before giving away vital information.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a post on a cybercrime forum, where a threat actor was advertising the upgraded version of the Generaly Bot Setup.
  • Originally discovered in July 2022, Generaly is a Telegram OTP bot capable of capturing OTPs, card CVVs, PIN codes, and recordings of the spoofed calls.
Figure: The crux of the threat actor’s services, advertised on the forum

Information from a Sensitive Source

A sensitive source in contact with the threat actor has ascertained that:
  • The upgraded Generaly bot is designed to bypass authentication on payment gateway platforms like Google Pay, Samsung Pay, and Apple Pay.
  • It is a major threat to the banking sector, as it is capable of stealing card CVVs and PIN codes.
  • To establish the legitimacy of the offering, the threat actor uses customer feedback (vouches) and Telegram to promote sales.
Figure: Core purpose of the Generaly bot

Modus Operandi

The modus operandi of the upgraded version is very similar to the previous version with a few additional functionalities, as discussed below.
  • Prior to the attack, the actor provides the victim’s PII to the bot (phone number is entered with /pp or /call prefixes).
  • The bot impersonates a legitimate entity (bank, e-commerce store, etc.) by making a spoofed call from the toll-free customer care number to the intended target.
  • The pretext for the call is typically something like unauthorized activity on a bank account or on the online account portal.
  • If the call goes to voicemail instead of a human target, the bot disconnects the call (a new feature in the upgraded release).
  • The threat actor then coaxes the victim to log in to the bank’s portal to verify whether the said incident <insert reason> happened.
  • Authentication apps or similar mechanisms incorporated on websites help to validate a legitimate session from said user.
  • The bot then instructs the victim to press ‘1’ on their mobile phone, which allows the OTP bot to capture the OTP.
  • The bot captures the credentials entered, and the victim’s OTP is exfiltrated.
  • The same technique is used to steal CVV numbers and PIN codes of bank-issued credit/debit cards.

Additional Functionality

  • The upgrade adds authentication bypass for the following payment platforms:
    • Samsung Pay
    • Apple Pay
    • Google Pay
  • These are initiated with the commands /samsung, /apple, and /google.
  • However, before any of these payment modes can be used, the threat actor needs the victim’s card number and CVV.
  • Once that data is entered into the targeted payment app, the card can be used to purchase items on e-commerce sites.
  • At checkout, with the card details already loaded in the payment app, the actor runs the appropriate command.
  • The OTP then appears in the Telegram channel, allowing the threat actor to complete the purchase.
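As an added defender-side example (not code from the report or from CloudSEK), the following issuer-side triage logic looks for the sequence the Modus Operandi and Additional Functionality sections describe: a card tokenised into Apple Pay, Google Pay or Samsung Pay on a device the cardholder has never used, followed within minutes by an OTP-challenged purchase. The event fields, the 30-minute window, the device rule and the sample data are assumptions constructed for the example.

```python
"""Issuer-side triage for the wallet abuse described above (added example,
not from the report). Replays constructed provisioning and purchase events
and flags OTP-verified purchases that follow a risky wallet provisioning."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str          # "provision" (card added to a wallet) or "purchase"
    card: str          # constructed card reference, e.g. "card-4242"
    wallet: str        # "apple", "google" or "samsung"
    device: str        # wallet device identifier as reported to the issuer
    otp_passed: bool = False   # purchase passed an OTP challenge

def triage(events, known_devices, window=timedelta(minutes=30)):
    """Return alert strings; thresholds and fields are assumptions."""
    alerts = []
    provisions = [e for e in events if e.kind == "provision"]
    for p in sorted(events, key=lambda e: e.ts):
        if p.kind != "purchase" or not p.otp_passed:
            continue
        # Provisioning of the same card onto the purchasing device, just before.
        recent = [q for q in provisions if q.card == p.card and q.device == p.device
                  and timedelta(0) <= p.ts - q.ts <= window]
        new_device = p.device not in known_devices.get(p.card, set())
        # Same card pushed into several wallets within the window: the actor
        # working through /apple, /google and /samsung in turn.
        wallets = {q.wallet for q in provisions
                   if q.card == p.card and abs(p.ts - q.ts) <= window}
        if recent and (new_device or len(wallets) > 1):
            secs = int((p.ts - recent[-1].ts).total_seconds())
            alerts.append(f"{p.card}: OTP-verified purchase {secs}s after provisioning into "
                          f"{recent[-1].wallet} on {'new' if new_device else 'known'} device {p.device}")
    return alerts

# Constructed sample: a card pushed to a never-seen device, and a legitimate
# cardholder re-provisioning on a device the issuer already knows.
T0 = datetime(2023, 4, 19, 10, 0, 0)
SAMPLE = [
    Event(T0, "provision", "card-4242", "google", "dev-new-1"),
    Event(T0 + timedelta(minutes=4), "purchase", "card-4242", "google", "dev-new-1", True),
    Event(T0 + timedelta(hours=2), "provision", "card-1111", "apple", "dev-known-7"),
    Event(T0 + timedelta(hours=2, minutes=5), "purchase", "card-1111", "apple", "dev-known-7", True),
]
KNOWN = {"card-4242": set(), "card-1111": {"dev-known-7"}}

def demo():
    return triage(SAMPLE, KNOWN)
```

Only the first card is flagged: the second purchase comes from a device already bound to that cardholder, which is the case a plain "provisioned recently" rule would wrongly alert on.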

Monetary Benefits

  • Three lease options, i.e. daily, weekly, and monthly plans, are available for the bot.
  • There is an option to purchase the bot outright for USD 350.
  • Primary mode of purchase is via cryptocurrency using Coinbase as a payment platform.
Figure: The OTP bot that is advertised for sale on the threat actor’s website, as well as their pricing ranges
See also: Generaly OTP Bot Setup for MFA Bypass Affecting P2P Services

Information from Cybercrime Forums

  • The seller of this OTP bot was spotted looking for a Python Plivo API developer, presumably to move the OTP bot to a stable environment. The bot has frequently experienced downtime and has been unable to deliver its services.
  • The seller was also seen hiring affiliates who can generate Revolut VCCs (Virtual Credit Cards). At the time of writing this intelligence report, Revolut VCCs were not offered for sale in the online shop.
  • The seller mentions that the bot is not very successful at stealing OTPs from PayPal and Venmo numbers, as 80% of these numbers had marked the bot’s call as spam and it went straight to voicemail.

Threat Actor Activity and Rating

Threat Actor Profiling
Active since: October 2020
Reputation: Medium (few complaints and concerns on the forum)
  • The OTP bypass service offered by the actor can be termed valid, given that there are no complaints against the service.
  • However, there were a few instances where the logs/combo lists offered by the threat actor were not up to par or dysfunctional.
Current Status: Active
History:
  • Mostly deals with sales of logs, gift cards, private combo lists and the aforementioned services, for monetary compensation.
  • Has an online store called Generaly.Shop that sells cashout services targeting Venmo and PayPal.
  • The bot is advertised on multiple clearnet hacking forums.
  • The tools and products they offer on the forum can also be found on their Telegram channel, which anyone can join.
Point of Contact: The actor can be contacted via the following Telegram channels:
  • The shop’s channel (t[.]me/generalyotp - 801 subscribers)
  • The bot’s channel (t[.]me/GeneralyOTPBot)
  • Channel dedicated to vouches from satisfied customers (t[.]me/generalyvouchers)
Rating: C3 (C: Fairly reliable, 3: Possibly true)

Impact and Mitigation

Impact
  • The OTP captured by the bot can be misused to conduct withdrawals, maintain persistence, etc.
  • The bot can be used to bypass 2FA mechanisms and to gain complete access to online/bank accounts.
Mitigation
  • Bot-detection technologies and algorithms can be implemented to prevent instances of automated fraud.
  • Create awareness against social engineering tactics.
  • Ask the right questions and verify the legitimacy of the individual that is calling, before giving away vital or sensitive information.

Appendix

One instance of the OTP stealing attack taking place:
Figure: Instance of the OTP stealing attack taking place
Figure: An instance of the attack taking place
Figure: In this case, the bot senses that the call has gone to voicemail instead of a real person answering the phone; the call is immediately disconnected
Figure: Payment methods offered to the customer when proceeding with the transaction
Figure: Domain registration information of generally.shop.domain, suggesting that it is a new website
Figure: No transactions had taken place on this BTC address at the time of writing this report (Source - https[:]//www[.]blockchain[.]com/btc/address/38bc5mwEMJLHEVzkv2smLNFNTjW2QoBPXC). The same observation was made while covering the original report on Generaly OTP Bot, though the BTC address was different
Figure: Telegram channel advertising their services and offerings
Figure: Telegram channel advertising their requirement for recruits
