Countering One-Time Password Bots

Dec 07, 2022

Multifactor authentication can stop the takeover of user accounts where login credentials have been compromised. It’s a critical security control, but one that threat actors are increasingly finding ways around with one-time password bots, or OTP bots. A recent large law enforcement action has taken out a major OTP operation, but other services unfortunately appear poised to replace it.

Intel 471 has been tracking OTP bots since they emerged in 2021. The bots allow less-sophisticated fraudsters who have already obtained login credentials to socially engineer victims into divulging their one-time passcodes, and then to gain access to financial accounts or other services. OTP bots go by names including Generaly, Brainshot, Apollo, OTP BOT, SMSRanger and SMS Buster.

The popularity of OTP bots was illustrated by a multi-country law enforcement operation in November targeting one called iSpoof. More than 140 people were arrested. But despite the large law enforcement action, OTP bots will remain a risk. OTP bots are difficult to detect, but there are techniques and methods that may help in identifying malicious campaigns.

Figure 1: iSpoof’s Telegram site

OTP Bots: Easier Than a SIM Swap

To recap the problem: Financial institutions usually require the entry of a one-time passcode after a customer has entered their login credentials. The code may be sent over SMS or generated by an authenticator app. Once authenticated, customers can access their accounts. For fraudsters, getting that code is the key. In 2021, criminal services offering OTP bots emerged that made stealing OTPs much faster and easier. The small applications, usually written in JavaScript, are integrated into Telegram and Discord. Subscriptions are sold with 24/7 support. A bot can be rented by the week for around $100 or for up to $400 a month.

Customers of the bot interact with it over those chat services. They input a victim’s number and the service provider they want to spoof, such as a financial service or government agency. Intel 471 has seen OTP bots that can spoof Apple Pay, Bank of America, Coinbase, Google, Google Pay, JP Morgan Chase, PayPal, Venmo and more. OTP bots sometimes have multi-language support, and languages covered include English, Chinese, French, German, Italian, Polish, Portuguese and Spanish.

Victims receive a call from a number that appears to be from that service provider but is actually spoofed. Victims hear a recording that purports to be the legitimate service provider that asks them to enter their OTP. Once a victim supplies the code, it’s sent immediately to the fraudster over Telegram or Discord, and the account takeover can begin. Some OTP bots actually take it a step further and can use the credentials to automatically log into someone’s account.

OTP bots offer a potentially easier avenue to get one-time passcodes as opposed to SIM swapping or number porting. In a SIM swap, an attacker convinces a mobile operator to re-issue a SIM card with someone else’s number or to port a victim’s number to a SIM card they control. Once that occurs, OTPs sent over SMS will be received by an attacker. Executing a successful SIM swap or port, however, involves more steps than using an OTP bot, and telecommunication companies tend to have greater awareness of the risks around number porting.

Figure 2: An OTP bot called SMS Buster

iSpoof’s Staggering Scale of Fraud

Data released by law enforcement about iSpoof shows just how popular it was with fraudsters. iSpoof was created in December 2020 and ran on Telegram. Before it was shut down, police gained access to iSpoof’s servers and found the service had 59,000 user accounts.

The volume of calls and fraud was staggering. The Metropolitan Police’s cyber crime unit said that in the U.K. alone this year, 200,000 people received spoof phone calls from fraudsters using iSpoof, which pretended to be financial services such as Barclays, Santander, HSBC and others. The average loss from victims was £10,000 (US$12,200), and worldwide losses were estimated at more than £100 million.

The law enforcement operation against iSpoof isn’t over. Because police had access to its servers, police recovered the phone numbers of those who purchased iSpoof subscriptions with bitcoin. Incredibly, the number of iSpoof customers was so large that police initially only focused on iSpoof customers who spent more than £100 in bitcoin.

Figure 3: The U.K. Metropolitan Police left this message on iSpoof’s Telegram channel after seizing the service

As a warning to suspects not contacted yet, U.K. police did their own spoof of iSpoof’s promo video. They warned that the service was “now controlled by international law enforcement.” They also warned they had iSpoof customer email addresses, location data and more: “Use our service to tell worldwide police that you are a criminal. iSpoof has end-to-end encryption which is useless when police have access.”

Figure 4: U.K. police did their own spoof of iSpoof’s introductory video, warning its customers that it was now under control of law enforcement

Other successful law enforcement actions have focused on the payments side of OTP bots. The services are usually paid for in bitcoin, and analysis of bitcoin’s blockchain, the virtual currency’s public ledger of transactions, has led to positive law enforcement outcomes.

The cryptocurrency platform Coinbase has had success tracking down OTP bot sellers and customers. At the RSA conference in August, two members of Coinbase’s global intelligence team explained how blockchain analysis lifted a veil on two operations. By inputting the payment address where a bot operator received bitcoin, Coinbase identified more than 100 of its own users who had sent payments to the bot operator. The operation also identified the person running the bot, who was arrested. In a second operation, Coinbase was able to use blockchain analysis to identify three people in Bangladesh, Pakistan and the U.K. allegedly running another OTP bot. All three were arrested.

Bots Abound

Although iSpoof is gone, Intel 471 has observed a continuing stream of new OTP bots appearing in the cybercrime underground. In November, six OTP bots were mentioned in underground cybercrime forums, and two were seen in October. Many of the OTP bots appear to be developed by single threat actors acting alone, and code from other OTP bots is often repurposed, so it is to be expected that copycat services will continually arise. Some OTP bots disappear only to reappear a few weeks later with a new name although the bot is not actually different.

Nonetheless, OTP bots are very effective. While iSpoof appeared to target mostly consumers, OTP bots could just as easily be directed at targeting corporate employees. Detection of OTP campaigns is difficult because an account takeover wouldn’t necessarily look different from any other account takeover attempt.

Monitoring for stolen credentials in underground markets could help. Those using OTP bots need to have login credentials in hand, which are often sourced from cybercriminal markets. It’s possible to monitor those markets and get alerts when sets of credentials for an organization are offered for sale, which can warn the organization of a possible uptick in account takeover attempts on the horizon. If fraud victims recount automated phone calls asking for an OTP, that could be a clue that an OTP bot campaign is underway. Device fingerprinting and geolocation can also detect suspicious logins, even if they can’t be traced to a specific OTP bot.
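The following Python example is added here for illustration and is not Intel 471's code. It shows how the signals above can be combined: successful OTP-verified logins are scored against a per-account baseline of device fingerprints and countries, and the score is raised when the account also appears in a credential-exposure feed. The event fields, the EXPOSED feed, the weights and the threshold are all assumptions, and the login records are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: successful OTP-verified logins (not real telemetry).
LOGINS = [
    {"ts": "2022-11-01T09:02:00", "user": "alice", "device": "fp-a1", "country": "GB"},
    {"ts": "2022-11-03T08:55:00", "user": "alice", "device": "fp-a1", "country": "GB"},
    {"ts": "2022-11-03T09:40:00", "user": "alice", "device": "fp-x9", "country": "RO"},
    {"ts": "2022-11-02T12:00:00", "user": "bob", "device": "fp-b1", "country": "US"},
    {"ts": "2022-11-04T12:10:00", "user": "bob", "device": "fp-b2", "country": "US"},
    {"ts": "2022-11-05T07:30:00", "user": "carol", "device": "fp-c1", "country": "DE"},
    {"ts": "2022-11-05T07:50:00", "user": "carol", "device": "fp-z3", "country": "DE"},
]
# Hypothetical feed: accounts whose credentials were seen offered for sale.
EXPOSED = {"alice", "carol"}

def score_logins(logins, exposed, threshold=3):
    """Return (user, ts, score, reasons) for logins at or above threshold."""
    seen_devices = defaultdict(set)
    seen_countries = defaultdict(set)
    alerts = []
    for ev in sorted(logins, key=lambda e: datetime.fromisoformat(e["ts"])):
        user = ev["user"]
        first_login = not seen_devices[user]  # no baseline yet, nothing to compare
        reasons = []
        if not first_login:
            if ev["device"] not in seen_devices[user]:
                reasons.append(("new_device", 2))
            if ev["country"] not in seen_countries[user]:
                reasons.append(("new_country", 2))
            # Exposure alone is not an anomaly; it only amplifies another signal.
            if reasons and user in exposed:
                reasons.append(("credentials_exposed", 1))
        score = sum(weight for _, weight in reasons)
        if score >= threshold:
            alerts.append((user, ev["ts"], score, [name for name, _ in reasons]))
            continue  # a flagged login must not extend the trusted baseline
        seen_devices[user].add(ev["device"])
        seen_countries[user].add(ev["country"])
    return alerts

if __name__ == "__main__":
    for alert in score_logins(LOGINS, EXPOSED):
        print(alert)
```

A new device on its own (bob) stays below the threshold, while the same event on an account with exposed credentials (carol) is flagged, which is how market monitoring sharpens an otherwise noisy fingerprint signal.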

Beating OTP Bots

The best defenses come down to user education and, if possible, strong authentication.

In theory, corporate users should be aware that an unsolicited automated call asking for an OTP is suspicious and should be ignored. For consumers, it’s confusing since some financial institutions do in fact send an OTP and ask for it during the course of authentication when a customer calls. But that occurs when a person makes a call to a financial institution rather than the other way around. The difference, however, may be lost on less-savvy customers, hence the unfortunate success of OTP bots.

Wider use of phishing-resistant strong authentication methods, such as security keys or methods using standards such as WebAuthn, which ties authentication to physical devices or biometric data, will eventually make OTP bots ineffective, as no OTP is required. That future is close, but not here just yet.