
India’s New SMS Traceability Rules to Combat Fraud Begin November 1, 2024

 

Beginning November 1, 2024, Indian telecom providers Airtel, Jio, and Vi will follow a new set of SMS traceability and monitoring guidelines mandated by the Telecom Regulatory Authority of India (TRAI). Aimed at combating cybercrime, these measures seek to enhance security by allowing users to block suspicious calls and messages effectively. By tracing SMS sources more accurately, telecom operators can swiftly identify and block fraudulent messages, improving the fight against scams and phishing attempts. 

Additionally, organizations sending promotional SMS, such as banks and e-commerce companies, must adhere to TRAI’s telemarketing standards, or risk their messages being blocked. This initiative aims to create a safer SMS ecosystem, giving users a clearer means to distinguish legitimate messages from scams. Yet, the vast volume of commercial messages sent in India—between 1.5 and 1.7 billion daily—makes it challenging to implement such a system seamlessly. With high-volume traffic, the infrastructure for monitoring requires robust capabilities to ensure message traceability without slowing down service for time-sensitive messages, especially for critical banking and transaction-related OTPs. Another layer of concern involves potential delays in urgent messages. 

These requirements could slow the delivery of essential communications, such as OTPs used in online banking. Telecoms are working to prevent this issue, as delays in these transactional messages could interrupt online financial processes. Balancing security and timely delivery is essential for TRAI and telecom providers, particularly for consumers who rely on timely OTPs and other immediate notifications. The Cellular Operators Association of India (COAI), which represents key telecom companies like Airtel, Jio, and Vodafone-Idea, has requested a two-month delay to facilitate a smoother transition. This extension would allow telecom operators additional time to set up necessary infrastructure and conduct thorough testing to avoid unintentional service disruptions. 

While TRAI maintains its commitment to the November deadline, telecom companies argue that extra preparation time could ensure reliable service delivery and a smoother rollout. Telecom providers have committed to ensuring user security remains intact while providing efficient service. TRAI’s objective is to foster a more secure digital communication environment where consumers feel protected against fraud and unauthorized data use. However, the effectiveness of these changes depends heavily on the ability of telecom companies to meet these new standards without compromising service quality. 

TRAI’s new SMS traceability requirements represent a meaningful step forward in enhancing consumer protection against digital scams. Despite logistical challenges, this initiative could make India’s messaging landscape safer, allowing consumers greater peace of mind. The success of this system depends on how effectively telecom providers can balance secure traceability with minimal disruption to essential services, paving the way for a digital space that prioritizes both security and efficiency.

Singapore Banks Phasing Out OTPs in Favor of Digital Tokens

 


It has been around two decades since Singapore started issuing one-time passwords (OTPs) to customers for logging into bank accounts, but the city-state is now planning to retire this authentication method. Over the next three months, major retail banks in Singapore are expected to phase out the use of OTPs for account log-in by customers who have activated digital tokens.

Customers with an activated digital token on their mobile device will need to use the token to sign in to their bank account, whether through a browser or through the mobile banking app. In a joint statement on Tuesday (Jul 9), the Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS) said that the digital token will authenticate customers' logins, so there will no longer be an OTP to prove identity, which scammers can steal or trick victims into disclosing.

Customers who have not yet activated their digital token are strongly advised to do so, as this greatly reduces the chance of their credentials being stolen. According to MAS and ABS, major retail banks in Singapore will, within the next three months, gradually phase out the use of OTPs for bank account log-in by customers who use digital tokens.

By doing this, the banks hope to better protect their customers against phishing attacks - at the very least against scams in which scammers get their customers to divulge their OTPs. To secure bank accounts, MAS and ABS encourage the use of digital tokens - apps that run on smartphones and provide OTPs - as a source of second-factor authentication, as opposed to software programs that are installed on computers. 

The move offers better protection against phishing scams, which have been among the top five scam types over the past year, with at least SGD 14.2 million lost to them, as outlined in the Singapore Police Force Annual Scams and Cybercrime Brief 2023, released in January of this year. Once customers activate digital tokens on their mobile devices, they must use these tokens when logging in to their bank accounts, whether through the browser or the mobile banking app.

With the token in place, there is no OTP for scammers to steal or trick customers into revealing, and no non-public personal information that customers will be asked to provide. To lower the chances of having their credentials phished, MAS and ABS have urged customers who haven't activated their digital token to do so. One-time passwords (OTPs) have been used since the early 2000s as a multi-factor authentication option to strengthen the security of online transactions.

Nevertheless, technological advancements and more sophisticated social engineering tactics have since made it possible for scammers to manipulate phishing requests for customers' OTPs with more ease, such as setting up fake bank websites that closely resemble real banks' websites and asking for the OTP from them. As a result of this latest step, the authentication process will be strengthened, and it will be harder for scammers to trick customers out of money and funds by fraudulently accessing their accounts using their mobile devices without explicit authorization. 

In the 2000s, one-time passwords were introduced as a multi-factor authentication measure to enhance the security of online transactions. MAS and ABS have both warned consumers to be cautious about phishing for their OTP, given technological improvements and increasingly sophisticated social engineering techniques. There have been several phishing scams in Singapore over the past year, with at least $14.2 million lost to these scams, according to records released by the Singapore Police Force earlier this month.

“It is expected that this latest measure will enhance authentication and will ensure that scammers will not be able to fraudulently access a customer's accounts and funds without the explicit permission of the customer using their mobile devices,” they commented. According to ABS Director Ong-Ang Ai Boon, this measure may cause some inconveniences for some consumers, but it is essential to help prevent unscrupulous suppliers and protect customers in the long run.

The Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) announced a collaborative effort to strengthen protections against digital banking scams. This initiative involves the gradual phasing out of One-Time Passwords (OTPs) for bank logins by customers utilizing digital tokens on their mobile devices. This rollout is anticipated to occur over the next three months. MAS, represented by Loo Siew Yee, Assistant Managing Director (Policy, Payments & Financial Crime), emphasized their ongoing commitment to safeguarding consumers through decisive action against fraudulent digital banking activities. 

The elimination of OTPs aims to bolster customer security by mitigating the risks associated with phishing attacks. Phishing scams have evolved alongside advancements in technology, enabling fraudsters to more effectively target customer OTPs. They often achieve this by creating deceptive websites that closely mimic legitimate banking platforms. ABS, represented by Director Ong-Ang Ai Boon, acknowledged that this measure might cause minor inconveniences. 

However, they firmly believe such steps are essential to prevent scams and ensure customer protection. MAS, through Ms. Loo, reaffirmed the significance of maintaining good cyber hygiene practices in conjunction with this latest initiative. Customers are urged to remain vigilant and safeguard their banking credentials at all times. MAS and ABS jointly urge customers who haven't activated their digital tokens to do so promptly. 

This action minimizes the vulnerability of their credentials to phishing attempts. By implementing this multifaceted approach, MAS and ABS aim to create a more secure digital banking environment for customers in Singapore.

Cybercriminals Target UPI Payments: How to Stay Safe

 



The Unified Payments Interface (UPI) has transformed the infrastructure of digital transactions in India, providing a fast, easy, and secure method for payments. However, its rapid adoption has also attracted the attention of cybercriminals. This article delves into the tactics used by fraudsters and the measures users can take to protect themselves.

Cybercriminals employ a variety of deceptive methods to exploit UPI users. Vishal Salvi, CEO of Quick Heal Technologies Ltd., explains that these criminals often impersonate familiar contacts or trusted services to trick users into making quick, unverified money transfers. One prevalent technique is phishing, where fraudsters send emails that appear to be from legitimate banks or UPI service providers, prompting users to reveal sensitive information.

Malware and spyware are also common tools in the cybercriminal's arsenal. These malicious programs can infiltrate devices to steal personal information, including UPI details, or even take control of the device to initiate unauthorised transactions. Social engineering tactics, where fraudsters pose as customer service representatives, are another method. They manipulate users into sharing confidential information by pretending to resolve a payment issue.

Protecting oneself from UPI payment fraud is crucial and can be achieved through vigilance and caution. Financial institutions have implemented multi-factor authentication (MFA) and financial literacy programs to enhance security, but users must also take proactive steps. It is essential never to share your UPI PIN or OTP with anyone. Always verify the authenticity of transactions and use official apps or websites. Ensuring a secure connection (https) before entering any information is another critical step. Regularly updating your app and enabling transaction alerts can help monitor for any suspicious activity.

In the event of a fraudulent transaction, immediate action is vital. The moment you suspect fraud, report the incident to your bank and the UPI platform. Blocking your account can prevent further unauthorised transactions. Filing a complaint with the bank's ombudsman, including all relevant details, and reporting the fraud to local cybercrime authorities are crucial steps. Quick and decisive actions can significantly increase the chances of recovering lost funds.

While UPI has revolutionised digital payments, users must remain vigilant against cyber threats. By following these safety measures and responding promptly to any signs of fraud, users can enjoy the benefits of UPI while minimising the risks.


E-Challan Fraud, Man Loses Rs 50,000 Despite Not Sharing Bank OTP

 

In a cautionary tale from Thane, a 41-year-old man, M.R. Bhosale, found himself embroiled in a sophisticated online scam after his father fell victim to a deceptive text message. The incident sheds light on the dangers of trusting unknown sources and underscores the importance of vigilance in the digital age. 

Bhosale's father, a diligent auto-rickshaw driver in Ghatkopar, received a seemingly official text message from the Panvel Traffic Police, notifying him of a traffic violation challan against his vehicle. The message directed him to settle the fine through a designated app called Vahan Parivahan, with a provided download link. Unbeknownst to him, the message was a clever ruse orchestrated by scammers to dupe unsuspecting victims. 

When Bhosale's father encountered difficulties downloading the app, he sought his son's help. Little did they know, their attempt to rectify the situation would lead to financial loss and distress. Upon downloading the app on his device, Bhosale encountered a barrage of One-Time Passwords (OTPs), signalling a red flag. Sensing trouble, he promptly uninstalled the app. 

However, the damage had been done. A subsequent check of his bank statement revealed unauthorized transactions totalling Rs 50,000. With resolve, Bhosale wasted no time in reporting the incident to the authorities. A formal complaint was filed, detailing the deceptive mobile number, fraudulent link, and unauthorized transactions. 

In response, the police initiated an investigation, invoking sections 66C and 66D of the Information Technology Act to pursue the perpetrators and recover the stolen funds. This unfortunate ordeal serves as a stark reminder of the prevalence of online scams and the importance of exercising caution in the digital realm. To avoid falling victim to similar schemes, users must remain vigilant and skeptical of unsolicited messages or unfamiliar apps. 

Blind trust in unknown sources can lead to devastating consequences, as Bhosale's family discovered firsthand. Furthermore, it is essential to verify the authenticity of communications from purported official sources and refrain from sharing personal or financial information without thorough verification. 

In an era where online scams abound, skepticism and diligence are paramount. As the investigation unfolds, Bhosale's story serves as a cautionary tale for all internet users. By staying informed, exercising caution, and seeking assistance when in doubt, individuals can protect themselves from falling prey to online scams.

Paytm's Innovative ID-Based Checkout Solution

Paytm has made history by being the first payment gateway to provide retailers an alternative ID-based checkout solution. The way transactions are carried out in the world of digital payments is about to undergo a revolutionary change because of this ground-breaking innovation.

Traditional Internet transactions need a multi-step procedure that includes entering personal information, OTP verification, and payment confirmation. By enabling consumers to make payments using additional IDs like Aadhaar, PAN, or mobile numbers, Paytm's new system accelerates this procedure. This not only streamlines the checkout process but also improves security and lowers the possibility of mistakes.

The alternate ID-based checkout solution comes at a crucial time when the demand for seamless and secure online payments is higher than ever. With the surge in e-commerce activities, consumers seek faster and more convenient payment methods. Paytm's innovative approach addresses this need by eliminating the need for remembering complex passwords or digging through wallets for credit card information.

One of the major advantages of this system is its inclusivity. It caters to a wide range of users, including those who may lack access to traditional banking services but possess valid alternate IDs. This democratization of online payments is a significant step towards financial inclusion.

Moreover, Paytm's solution is not limited to registered users. It includes a guest checkout option, allowing even first-time users to enjoy the benefits of this streamlined payment process. This opens up a whole new market of potential customers who may have been deterred by the complexity of conventional payment methods.

Security remains a paramount concern in the digital payment ecosystem, and Paytm has taken meticulous steps to ensure the safety of every transaction. The alternate ID-based system employs advanced encryption protocols and multi-factor authentication to safeguard sensitive information. This reassures both merchants and consumers that their data is protected.

Paytm's launch of the alternative ID-based checkout solution establishes a new benchmark for online payments as one of the fintech sector's innovators. The user experience is improved by this innovation, which also responds to the changing needs of a broad and expanding consumer base. Paytm is well-positioned to take the lead in determining the direction of future online transactions with its user-friendly approach and uncompromising dedication to security.

Fraudsters Target Kolkatans With Message-Forwarding Software

 


As online financial transactions have become simpler and easier to conduct, the number of fraudulent digital transactions has also increased, and the fraudsters have grown correspondingly sophisticated. After phishing and lottery scams, cybercriminals have slowly begun using other platforms to dupe naive and gullible people, especially those inexperienced with digital financial transactions.

Fraudsters are also targeting Kolkatans with text messages containing links. The messages claim that a substantial amount has been credited to the recipient's online gaming account.

The police said that if one clicks on such a link to claim the money, the entire amount of funds may be transferred from the victim's account to the fraudsters' account and they will not even require them to share any OTP as part of the fraud. 

The UPI platform is used in several types of fraud. None of these stems from a flaw in UPI itself; they are the result of deception by criminals.

Analysts call it APK fraud as victims are tricked into downloading APK files that compromise their phones. This is done by clicking links sent by fraudulent parties to download APK files.  

Downloading the APK file installs an SMS-forwarding application on the device, which diverts all incoming text messages to another number. As a result, the victim is not alerted when money is debited from his or her account: according to an officer at the Lalbazar cyber cell, the bank's SMS alert never reaches the victim.

Gaining remote access to victims' phones has become a weapon of choice for fraudsters. According to the officer, the scammers' fake message claims that a large amount has been credited to the recipient's gaming account.

It was reported by the Calcutta Telegraph that some Calcuttans who have been contacted had received messages saying: "Hi 9830xxxxx9 (mobile number of the recipient), The transaction of Rs 96793 has been completed to your (the name of the online gaming app). "

According to the police, victims of fraud never realize how they were cheated because they had never given their personal identification number to anyone else before being duped. 

According to a senior police officer, unlike other fraud attacks that are sent from random phones and do not address the recipient directly, the messages sent as part of the APK scam target specific individuals and are customized to them. 

There was a time when text messages were sent randomly, but that has changed. One detail, the officer said, makes these messages look authentic and trustworthy: they include the phone number of the person they are addressed to.

In the immediate aftermath of clicking the link in the message, the recipient will see two attachments appear on his or her screen.

If the first attachment is clicked, a screen-sharing application is silently installed on the phone, giving fraudsters direct access to it. The second attachment, if clicked, installs an SMS-forwarding product, so that when fraudsters use the screen-sharing access to carry out transactions on the victim's bank account, the victim receives no text messages from the bank, the officer explained.

According to Assistant Commissioner Atul V., their top priority area is creating awareness among their officers about the APK fraud, which has been a major problem for some time. 

Moreover, a cyber expert said that the APK fraud programme is designed to make it difficult for the police to track down the fraudsters through the link in the message if a victim reports the matter, because the link stays active only for a short period.

Several people have been scammed in this way: they receive text messages with spurious links and are asked to click on them. After a certain period, clicking the link only redirects the browser to a popular search engine. Because the links remain active for only a few hours, if that long, even law-enforcement agencies have no way to track the APK files or the transactions that took place afterwards, a cyber expert in Kolkata explained.

OTPs: Researchers Rekindle One-Time Program Cryptographic Concept


Technological advances over the past decade have made it possible for academics to make progress in designing so-called OTP (one-time programs). OTPs were initially proposed by researchers Goldwasser, Kalai, and Rothblum. 

OTPs, originally presented at the Crypto’08 conference, were described as a type of cryptographically obfuscated computer program that can only be run once. This property makes them useful for numerous applications.

The basic concept is that "Alice" could send "Bob" a computer program that was encrypted in a way that: 

1. Bob can run the program on any computer with any valid inputs and obtain a correct result. Bob cannot rerun the program with different inputs. 

2. Bob can learn nothing about the secret program by running it. 

The run-only-once requirement is hard to enforce because it would be easy to install copies of the run-once-only program on multiple virtual machines and try a different input on each of them, which would violate the entire premise of the technology.

The original idea for thwarting this (fairly obvious) hack was to only allow the secret program to run if accompanied by a physical token that somehow enforced the one-time rule for running the copy of the secret program that Alice had sent to Bob. No such tokens were ever made, so the whole idea has lain dormant for more than a decade.  

OTP revived: 

Recently, a team of computer scientists from Johns Hopkins University and NTT Research have established the basis of how it might be possible to create one-time programs using a combination of the functionality found in the chips found in mobile phones and cloud-based services. 

They repurposed ‘counter lockbox’ technology for an unintended use. Counter lockboxes secure an encryption key under a user-specified password, allowing a limited number of incorrect password guesses (usually 10) before the protected information is erased.

The hardware security module in iPhones or Android smartphones provides the needed base functionality, but it needs to be wrapped around technology that prevents Bob from attempting to deceive the system – the focus of the research. 

Garbled circuits: 

The research shows how multiple counter lockboxes might be linked together to form ‘garbled circuits’, a construction that can be used to build OTPs.

A paper illustrating this research, entitled ‘One-Time Programs from Commodity Hardware’ is due to be presented at the upcoming Theory of Cryptography Conference (TCC 2022). 

Hardware-route discounted: 

One alternative means of constructing one-time programs, considered in the research, is tamper-proof hardware, although it would require a “token with a very powerful and expensive (not to mention complex) general-purpose CPU”, as explained in a blog post by cryptographer Matthew Green, a professor at Johns Hopkins University and one of the co-authors of the paper.

“This would be costly and worse, [and] would embed a large attack software and hardware attack surface – something we have learned a lot about recently thanks to Intel’s SGX, which keeps getting broken by researchers,” explains Green. 

Rather than relying on hardware or the potential use of blockchain plus cryptographic tool-based technology, the Johns Hopkins’ researchers have built a form of memory device or token that spits out and erases secret keys when asked. It takes hundreds of lockboxes to make this construction – at least 256 for a 128-bit secret, a major drawback that the researchers are yet to overcome. 

A bastion against brute-force attacks: 

Harry Eldridge, from Johns Hopkins University, lead author of the paper, told The Daily Swig that one-time programs could have multiple uses. 

“The clearest application of a one-time program (OTP) is preventing brute-force attacks against passwords […] For example, rather than send someone an encrypted file, you could send them an OTP that outputs the file if given the correct password. Then, the person on the other end can input their password to the OTP and retrieve the file.” Eldridge explained. “However, because of the one-time property of the OTP, a malicious actor only gets one chance to guess the password before being locked out forever, meaning that much weaker passwords [such as a four-digit PIN] can actually be pretty secure.”

Furthermore, this could as well be applied to other forms of authentication – for instance, if you wanted to protect a file using some sort of biometric match like a fingerprint or face scan. 
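As an added illustration of the counter-lockbox idea and of Eldridge's password example above (this is not code from the paper or from the Johns Hopkins/NTT team), here is a software model: a `CounterLockbox` that erases its secret after a fixed number of wrong guesses, and a `OneTimeFileProgram` that hides a file's key in a one-attempt lockbox. The class names, the SHA-256 counter-mode keystream, the PBKDF2 parameters and the sample values are all my own choices. The caveat the article itself raises applies here too: a software object can be copied, so only the hardware-backed lockbox actually enforces the one-guess limit; this model shows the semantics, not the enforcement.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added illustration, not the paper's construction: a software model of a
# counter lockbox and of the "file behind a one-guess password" use case.
# A real counter lockbox is enforced by a phone's hardware security module;
# this class only reproduces its interface, and software alone cannot stop
# a holder from copying the object before guessing.

PBKDF2_ROUNDS = 20_000  # deliberately low so the demo runs quickly


class CounterLockbox:
    """Keeps a secret under a password; erases it after too many wrong guesses."""

    def __init__(self, password: bytes, secret: bytes, max_attempts: int = 10):
        self._salt = os.urandom(16)
        self._tag = hashlib.pbkdf2_hmac("sha256", password, self._salt, PBKDF2_ROUNDS)
        self._secret: Optional[bytes] = secret
        self.remaining = max_attempts

    @property
    def erased(self) -> bool:
        return self._secret is None

    def open(self, password: bytes) -> Optional[bytes]:
        """Return the secret for the right password, None for a wrong one.

        Every wrong guess consumes one attempt; when none remain the secret
        is wiped and any further call, right or wrong, raises.
        """
        if self._secret is None:
            raise PermissionError("lockbox has been erased")
        candidate = hashlib.pbkdf2_hmac("sha256", password, self._salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, self._tag):
            return self._secret
        self.remaining -= 1
        if self.remaining == 0:
            self._secret = None  # the lockbox destroys what it was guarding
        return None


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, used here only as a simple illustrative stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class OneTimeFileProgram:
    """Eldridge's example: outputs the file only for the correct password, and only once."""

    def __init__(self, password: bytes, plaintext: bytes):
        key = os.urandom(32)
        self.ciphertext = _xor(plaintext, _keystream(key, len(plaintext)))
        # max_attempts=1 is what makes this a one-time program: a single wrong
        # guess erases the key, so even a four-digit PIN cannot be brute-forced.
        self._box = CounterLockbox(password, key, max_attempts=1)

    @property
    def locked_out(self) -> bool:
        return self._box.erased

    def run(self, password: bytes) -> Optional[bytes]:
        key = self._box.open(password)
        if key is None:
            return None
        return _xor(self.ciphertext, _keystream(key, len(self.ciphertext)))


def attempt_pin_guesses(program: OneTimeFileProgram) -> Tuple[int, Optional[bytes]]:
    """Model a guesser who knows the PIN is four digits and tries them in order.

    Returns (guesses made, recovered file or None). Without the lockbox this
    loop would succeed within 10,000 tries; with it, the first wrong guess
    ends the game.
    """
    guesses = 0
    for pin in range(10_000):
        if program.locked_out:
            break
        guesses += 1
        result = program.run(f"{pin:04d}".encode())
        if result is not None:
            return guesses, result
    return guesses, None


if __name__ == "__main__":
    # Constructed sample values for the demo.
    prog = OneTimeFileProgram(b"4321", b"contents of the protected file")
    print(attempt_pin_guesses(prog))  # (1, None): one wrong guess, key erased
```

A correct password does not consume an attempt, matching how a counter lockbox resets once opened; once the holder has the key, re-reading it reveals nothing new. The SHA-256 counter-mode keystream stands in for whatever cipher the file is protected with and is not a recommendation for production use.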

‘Autonomous’ Ransomware Risk

One drawback of the approach is that threat actors might use the technique to develop ‘autonomous’ ransomware.

“Typically, ransomware needs to ‘phone home’ somehow in order to fetch the decryption keys after the bounty has been paid, which adds an element of danger to the group perpetrating the attack,” according to Eldridge. “If they were able to use one-time programs, however, they could include with the ransomware an OTP that outputs the decryption keys when given proof that an amount of bitcoin has been paid to a certain address, completely removing the need to phone home at all.” 

Still, the feedback on the work so far has been “generally positive”, according to Eldridge. “[Most agree] with the motivation that OTPs are an interesting but mostly unrealized cryptographic idea, with the most common criticism being that the number of lockboxes required by our construction is still rather high. There is possibly a way to more cleverly use lockboxes that would allow for fewer of them to be used.”

Esca RAT Spyware Actively Employed by Cybercriminals

Escanor is a new RAT (Remote Administration Tool) that was promoted on the Dark Web and Telegram, as per Resecurity, a cybersecurity firm based in Los Angeles that protects Fortune 500 companies globally. 

The threat actors provide versions of the RAT for Android and PC, as well as an HVNC module and an exploit builder to turn Microsoft Office and Adobe PDF files into weapons for spreading malicious code. 

The tool was first publicly available for purchase on January 26th of this year as a small HVNC implant that allowed for the establishment of a stealthy remote connection to the victim's machine. Later, the kit evolved into a full-scale, commercial RAT with a robust feature set. 

Over 28,000 people have joined Escanor's Telegram channel, which has a solid reputation on the Dark Web. Previous 'cracked' releases by the actor going by the same name included Venom RAT, 888 RAT, and Pandora HVNC, which were probably utilized to enhance Escanor's capability further.

According to reports, cybercriminals actively employ the malware known as Esca RAT, a mobile variant of Escanor, to attack users of online banks by intercepting one-time password (OTP) credentials.

The warning states that the tool "may be used to gather the victim's GPS locations, watch keystrokes, turn on hidden cameras, and browse files on the distant mobile devices to steal data."

Escanor Exploit Builder has been used to deliver the vast majority of samples that have lately been discovered. Decoy documents that look like bills and notices from well-known internet providers are utilized by hackers.

Resecurity also noted that the website address 'escanor[.]live' has previously been linked to Arid Viper, a group that was active in the Middle East in 2015.

Arid Viper is also known as APT C-23. Espionage and information theft are this threat actor's primary goals, and it has been attributed to politically motivated actors supporting the freedom of Palestine. Although Arid Viper is not a particularly advanced actor technically, it is known to target desktop and mobile platforms, including Apple iOS.

Their primary malware, Micropsia, is surrounded by Delphi packers and compilers in their toolset. This implant has also been converted to various platforms, including an Android version and versions built on Python.

The majority of Escanor victims have been located in the United States, Canada, the United Arab Emirates, Saudi Arabia, Kuwait, Bahrain, Egypt, Israel, Mexico, and Singapore, with a few infections also occurring in South-East Asia.




Analysts Warn of Telegram Powered Bots Stealing Bank OTPs

 

Two-factor verification has in recent years been one of the simplest ways for users to safeguard their accounts, and it has now become a major target for threat actors. Cybersecurity firm Intel 471 has observed a rise in services that allow threat actors to bypass OTP (one-time password) tokens. All of the services Intel 471 has seen since June operate via a Telegram bot or provide customer assistance through a Telegram channel. In these channels, users share their successes with the bot and often walk away with thousands of dollars from target accounts.

Recently, threat actors have been providing access to services that call victims with what sounds like a genuine call from a bank, fool them into entering an OTP or other authentication code on their smartphone, and pass the stolen codes to the service provider. Some services also target other well-known financial services or social media platforms, offering SIM swapping and e-mail phishing services. According to experts, a bot known as SMSRanger is very easy to use: with one slash command, a user can enable various modes and scripts targeted at banks and payment apps like Google Pay, Apple Pay, PayPal, or a wireless carrier.

Once the victim's phone number has been entered, the bot carries out the rest of the work, giving access to the attacked account. The bot's success rate is around 80%, provided the victim answers the call and supplies correct information. BloodOTPBot, a bot similar to SMSRanger, sends the user a fake OTP code via text message. In this case, the attacker has to spoof the target's phone number and pose as a company or bank agent. The bot then tries to obtain the authentication code through social engineering.

After the target receives the OTP and types it on the phone keypad, the bot forwards the code to the operator. A third bot, known as SMS Buster, requires more effort from the attacker to retrieve information. It fakes a call so that it looks like a real call from a bank and lets the hacker call from any phone number; the hacker then follows a script to trick the victim into giving up personal details such as ATM PIN, CVV, and OTP.

Hackers Impersonate Bank Customers and Make $500k in Fraudulent Credit Card Payments

Hackers from other countries were able to impersonate 75 bank clients and make $500,000 in fraudulent credit card payments. This was accomplished through a clever method of intercepting one-time passwords (OTPs) sent by banks via SMS text messages. In a joint statement released on Wednesday, the Infocomm Media Development Authority (IMDA), the Monetary Authority of Singapore (MAS), and the Singapore Police Force detailed how the hackers redirected SMS OTPs from banks to foreign mobile network systems. 

The SMS diversion method, they said, “requires highly sophisticated expertise to compromise the systems of overseas telecommunication networks”. Last year's fraudulent transactions took place between September and December. The bank clients claimed that they did not initiate the transactions and that they did not get the SMS OTPs that were required to complete them. 

According to Mr. Wong, the MAS' deputy chairman, the Monetary Authority of Singapore (MAS) would engage with financial institutions to fine-tune the existing framework on fraudulent payment transactions, which covers the responsibilities and liabilities of banks and customers in such instances. 

Between September last year and February, the police received 89 reports of fraudulent card transactions using SMS one-time passwords (OTPs), according to Mr. Wong. Ms. Yeo Wan Ling (Pasir-Ris Punggol GRC) had inquired if bank-related cyber frauds had increased in the previous six months.

"While these cases represent less than 0.1 percent of fraudulent online card transactions reported, and the number of cases has come down since March 2021, it is nevertheless concerning," Mr. Wong said. 

Singapore's financial and telecommunications networks were not hacked, according to the authorities. As a gesture of goodwill from the banks, affected customers who had taken steps to safeguard their credentials would not be charged for any of the fraudulent transactions, the authorities said. The names of the banks involved were not disclosed. 

In this incident, the cybercriminals first obtained the victims' credit card information and mobile phone numbers. They also broke into the networks of international telecoms and exploited them to alter the location information of the Singapore victims' mobile phones. 

By doing so, the hackers deceived Singapore telecom networks into believing that Singapore phone numbers were roaming overseas on the networks of other countries. The hackers subsequently made fraudulent online card payments using the victims' stolen credit card information.

As a result, when banks issued SMS OTPs to victims to authenticate transactions, the criminals were able to reroute these text messages to foreign mobile network systems. The fraudulent card payments were subsequently completed using the stolen OTPs. This corresponds to the victims' claims that they did not get the OTPs.
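The rerouting described above works because the bank's SMS gateway trusts whatever network the home operator currently believes the subscriber is on. One defensive control a bank can put in front of OTP delivery is to check the subscriber's current registration before sending, and to route the code through a different channel when the number has only just started roaming abroad. The following Python is an added example, not code from IMDA, MAS or any bank: the roaming-status lookup, the home country, the "XX" foreign country code and the thresholds are constructed assumptions standing in for a real operator API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumptions for this constructed example: the bank serves subscribers whose
# home network is in "SG"; the thresholds are illustrative, not from the article.
HOME_COUNTRY = "SG"
RECENT_CHANGE = timedelta(hours=24)   # registration changes newer than this are suspicious
HIGH_VALUE = 500.0                    # amount above which roaming alone triggers step-up


@dataclass
class RoamingStatus:
    """What a home-network lookup would return (constructed, not a real telco API)."""
    msisdn: str
    network_country: str   # country of the network the number is currently registered on
    changed_at: datetime   # when that registration last changed


@dataclass
class OtpRequest:
    """A transaction for which the bank is about to send an SMS OTP."""
    msisdn: str
    amount: float
    requested_at: datetime


def assess_otp_delivery(req: OtpRequest, status: Optional[RoamingStatus]) -> Tuple[str, List[str]]:
    """Decide how to deliver the OTP.

    Returns one of:
      "deliver"  - send by SMS as usual
      "step_up"  - send by a non-SMS channel (app push, call to a verified device) and log it
      "hold"     - do not send by SMS at all; require in-app or manual confirmation
    """
    reasons: List[str] = []
    if status is None:
        reasons.append("no registration data for subscriber")
        return "step_up", reasons

    roaming_abroad = status.network_country != HOME_COUNTRY
    recently_changed = (req.requested_at - status.changed_at) <= RECENT_CHANGE

    # The pattern from the Singapore incident: a number that had not left the
    # country suddenly appears on a foreign network right before an OTP is sent.
    if roaming_abroad and recently_changed:
        reasons.append(f"registration moved to {status.network_country} "
                       f"{req.requested_at - status.changed_at} before OTP request")
        return "hold", reasons

    if roaming_abroad and req.amount >= HIGH_VALUE:
        reasons.append(f"high-value transaction while roaming in {status.network_country}")
        return "step_up", reasons

    return "deliver", reasons


def triage(requests: List[OtpRequest], statuses: Dict[str, RoamingStatus]) -> Dict[str, str]:
    """Run the check over a batch and return msisdn -> decision."""
    return {r.msisdn: assess_otp_delivery(r, statuses.get(r.msisdn))[0] for r in requests}


# Constructed sample data; the numbers and the "XX" country are placeholders.
NOW = datetime(2021, 11, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_STATUS = {
    "+65-0001": RoamingStatus("+65-0001", "SG", NOW - timedelta(days=30)),
    "+65-0002": RoamingStatus("+65-0002", "XX", NOW - timedelta(minutes=10)),  # just "moved" abroad
    "+65-0003": RoamingStatus("+65-0003", "XX", NOW - timedelta(days=20)),     # plausible long trip
}
SAMPLE_REQUESTS = [
    OtpRequest("+65-0001", 120.0, NOW),
    OtpRequest("+65-0002", 90.0, NOW),
    OtpRequest("+65-0003", 2500.0, NOW),
    OtpRequest("+65-0004", 40.0, NOW),   # no registration data available at all
]

if __name__ == "__main__":
    for msisdn, decision in triage(SAMPLE_REQUESTS, SAMPLE_STATUS).items():
        print(msisdn, decision)
```

The "hold" branch is the one that would have caught this case: the victims' numbers had not travelled, so a registration change minutes before a high-risk OTP is exactly the anomaly to refuse to deliver over SMS. The "step_up" branch keeps genuine travellers working while moving the code off the channel that an attacker controlling the roaming registration can read.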

New Robocall Bot on Telegram can Trick Targets Into Giving Up Their Password

Researchers at CyberNews have identified a new form of automated social engineering tool that can harvest one-time passwords (OTPs) from users in the United States, the United Kingdom, and Canada. 

Without any direct contact with the victim, the so-called OTP Bot can mislead victims into handing criminals the credentials to their bank accounts, email, and other internet services. It is already tiring for a potential victim to listen to someone try to scam them by exploiting their goodwill. 

Now a new type of bot-for-hire is conquering the field of social engineering: OTP Bot, the latest malicious Telegram bot, uses robocalls to trick unsuspecting victims into handing over their one-time passwords, which fraudsters then use to log in and empty their bank accounts. Even worse, the newfangled bot's user base has exploded in recent weeks, with tens of thousands of people signing up. 

How Does OTP Bot Work?

OTP Bot is the latest example of the emerging Crimeware-as-a-Service model, where cybercriminals rent out destructive tools and services to anybody ready to pay, according to CyberNews expert Martynas Vareikis. After being purchased, OTP Bot enables the users to collect one-time passwords from innocent people by simply typing the target's phone number, as well as any extra information obtained via data leaks or the black market, into the bot's Telegram chat window. 

“Depending on the service the threat actor wishes to exploit, this additional information could include as little as the victim’s email address,” says Vareikis. The bot is being marketed on a Telegram chat channel with over 6,000 users, allowing its owners to make a lot of money by selling monthly memberships to cybercriminals. Meanwhile, its users brag about their five-figure profits from robbing their targets' bank accounts. 

Bot-for-hire services, according to Jason Kent, a hacker in residence at Cequence Security, have already commoditized the automated threat industry, making it very easy for criminals to enter into social engineering. 

Kent told CyberNews, “At one time, a threat actor would need to know where to find bot resources, how to cobble them together with scripts, IP addresses, and credentials. Now, a few web searches will uncover full Bot-as-a-Service offerings where I need only pay a fee to use a bot. It’s a Bots-for-anyone landscape now and for security teams.” 

Gift cards make the scam go-round: 

Card linking is the most common scamming tactic used by OTP Bot subscribers. It comprises linking a victim's credit card to their mobile payment app account and then purchasing gift cards in real stores with it.

“Credit card linking is a favorite among scammers because stolen phone numbers and credit card information are relatively easy to come by on the black market,” reckons Vareikis. 

“With that data in hand, a threat actor can choose an available social engineering script from the chat menu and simply feed the victim’s information to OTP Bot.” 

Using a fake caller ID, the bot then calls the victim's number, posing as a support representative, and tries to mislead them into giving up the one-time password needed to log in to the victim's Apple Pay or Google Pay account. After logging in with the stolen one-time password, the threat actor can link the victim's credit card to the payment app and go on a gift card buying spree in a nearby physical store. 

Scammers use linked credit cards to buy prepaid gift cards for one simple reason: they leave no financial footprint. This is particularly useful during a pandemic, when mask regulations are in effect in almost all indoor areas, making it considerably simpler for criminals to conceal their identities throughout the process. 

Since its release on Telegram in April, the service looks to be gaining a lot of momentum, especially in the last few weeks. The OTP Bot Telegram channel currently has 6,098 members, a massive 20 percent growth in just seven days. 

The simplicity of use and the bot-for-hire model, which allow unskilled or even first-time fraudsters to rob their victims with minimal input and zero social contact, appear to be some of the reasons for the fast rise. In fact, some OTP Bot users openly broadcast their success stories in the Telegram chat, flaunting their ill-gotten gains to other members of the channel. 

Based on the popularity of OTP Bot, it's apparent that this new sort of automated social engineering tool will only gain more popularity. Indeed, it'll only be a matter of time until a slew of new knockoff services hit the market, attracting even more fraudsters looking to make a fast buck off unsuspecting victims. 

The creator of Spyic, Katherine Brown, warns that as more bots enter the market, the opportunities for social engineering and abuse will grow exponentially. “This year we’ve already seen bots emerge that automate attacks against political targets to drive public opinion,” says Brown. 

The growth of social engineering bots-for-hire is even more alarming, according to Dr. Alexios Mylonas, senior cybersecurity lecturer at the University of Hertfordshire, since the pandemic has put greater limitations on our social connections. 

“This is particularly true for those who are not security-savvy. Threat actors are known to use automation and online social engineering attacks, which enables them to optimize their operations, to achieve their goals and the CyberNews team has uncovered yet another instance of it,” Mylonas told CyberNews. 

How to Recognize Social Engineering Scams?

Keeping all of this in mind, understanding how to detect a social engineering attempt is still critical for protecting money and personal information. Here's how to do it: 

1. Calls from unknown numbers should not be answered. 

2. Never give out personal information: Names, usernames, email addresses, passwords, PINs, and any other information that may be used to identify you fall into this category. 

3. Don’t fall into the trap: Scammers frequently use a false sense of urgency to get targets to hand over their personal information. If someone is trying to pressure the user into a decision, they should hang up or say they will call back later. Then dial the toll-free number of the firm the caller claims to represent. 

4. Don't trust caller ID: By mimicking names and phone numbers, scammers can impersonate a firm or someone from your contact list. 

Financial service companies, on the other hand, never call their clients to validate personal information. They will simply block the account if they detect suspicious behavior and expect the user to contact the firm through official means to fix the problem. As a result, be watchful, even if the caller ID on your phone screen appears to be legitimate.

WhatsApp Hijack Scam, Here's All You Need To Know

By posing as a friend and asking for SMS security codes, scammers are continuing to target WhatsApp users and hijack their accounts. The con has been around for years, yet victims continue to fall for it, with many sharing their stories on social media. According to WhatsApp, users should never give out their security codes to anyone, even if the request appears to come from a friend. 

If users receive six-digit WhatsApp codes that they did not expect, they should be concerned. When setting up a new account or signing in to an existing account on a new device, such codes are frequently seen. However, if the code is obtained unexpectedly (without the user's request), it could be a scammer attempting to gain access to your account. 

The fraudster would then send you a WhatsApp message asking for the code. The most essential thing to remember is not to share the code, as the message appears to be from a legitimate friend or family member in most circumstances, even though the account has already been hacked. 

One victim, Charlie, told the BBC, "I got a WhatsApp message from my good friend Michelle, stating she was locked out of her account. She stated she sent the access code to my phone instead of hers by accident and that I could just screenshot it and send it over." In actuality, Charlie had given the scammer the code to his own account. 

He told the BBC, "I guess I fell for it since we all know how annoying technology can be and I was eager to help. I didn't realise what had happened for a day." Charlie stated that he had deleted WhatsApp and would no longer use it. 

The hijacker can pretend to be you and send messages to your friends and family using a stolen account. They might act as if you're facing a financial emergency and beg your contacts for money. It also provides them with the phone numbers of your contacts, allowing them to try the six-digit code trick on fresh victims. By gaining access to your account, the fraudster will be able to see sensitive information in your group chats. 

WhatsApp advises users to be cautious and not reveal their One Time Password (OTP) or SMS security code to anybody, even friends and relatives. Citizens can also enable two-step verification for added security.

OTP Generating Firm at a Risk, as Hacker Claims to have Sold its Sensitive Data

A hacker appears to be selling confidential information allegedly stolen from an OTP firm whose customer list reportedly includes some of the most prominent technology and business giants, among them Google, Facebook, Amazon, Emirates, Apple, Microsoft, Signal, Telegram, and Twitter. 

A one-time password (OTP), also called a one-time PIN or dynamic password, is a password that is valid for only a single login or transaction on a computer system or other digital device. The same hacker also claims to have real-time access to the company's OTP system. InfoSec researcher Rajshekar Rajaharia, however, is not convinced by the hacker's claims about the suspected breach. 

“The seller was active on the dark web forum for a long time claiming to sell live access to OTP and 2FA but from what we have seen there are some chances that the data might be old as we have found some clues that changes have been made with dates. Nevertheless, we are still investigating because data seems real otherwise,” stated Rajaharia. 

Rajaharia also shared sample data confirming the presence of one-time codes; even if not all of them are still valid, a buyer might find value in the access to the platform and in how it operates. The listing offered 50GB of exfiltrated data, among other details. The asking price for access was reduced from $18,000 to $5,000 as an introductory offer. Although the company is named in the listing, it is not disclosed here for security reasons. 

Other details included in the package for sale are PII, including SMS logs, mobile numbers, e-mail addresses, SMPP details, customer documentation, and much more. The data itself spans the period since 2017. According to the latest revelation, the seller moved the listing from the dark web marketplace to Telegram, where sales continued, although the number of buyers is unknown. The data packs also appear to contain 10 million OTPs. 

The company in question denied all claims of a data breach, stating that its systems were as secure as ever and that it could not verify the authenticity of the alleged data. 

The National Stock Exchange of India also received a letter from the company, which reads, “We would like to highlight that unverified posts and claims are being circulated about an alleged data breach at [company’s name redacted]. Based on the evidence we have seen thus far, it is not from any of our current systems, and therefore we cannot verify the authenticity of the alleged data breach.” 

However, the company stated that it had engaged a third-party expert to support an audit of its systems, so that any web shell present would be found and removed.

In just $16, Hackers May Steal User Data Via SMS Attack

Smartphone users face a new privacy and security risk: text messaging services are being abused to secretly divert users' text messages to hackers, for only Rs 1,160 (nearly $16), allowing cybercriminals to capture two-factor codes and other SMS. The attack, which is difficult to trace, abuses SMS redirection firms and is carried out with the involvement of staff at telecommunications companies. 

Although new technological defences appear every day to fight hackers and protect user data and privacy, a new attack has recently been observed that defeats the OTP protection used in online transactions. The attack lets hackers redirect the SMS messages tied to a victim's phone number to their own systems. To carry it out, hackers abuse the business-oriented text-messaging management services that these firms offer. Such attacks are feasible, at least in the United States, because of failures in the telecommunications industry, which leaves hackers at ease. 

"The method of attack, which has not been previously reported or demonstrated in detail, has implications for cybercrime, where criminals often take over target's phone numbers in order to harass them, drain their bank account, or otherwise tear through their digital lives," stated the report from Motherboard late on Monday, 15th of March. 

Joseph Cox, a reporter for Motherboard, was personally targeted and was not even aware of the attack on his cell phone number. The odd thing about the attack is that it costs the hacker just $16 (Rs. 1,160). In Cox's case, the company providing the service said the issue had been resolved, but it had not been addressed for several other providers. Some firms are aware of the attack; nonetheless, the industry body CTIA is being blamed. 

These services not only allow the attacker to intercept incoming texts but also allow them to reply. SMS redirection joins SIM swapping and SS7 attacks, which have already hit many users. What is interesting about those attacks is that in some cases the user learns of the exploit because the phone loses network service; SMS redirection produces no such sign. 

Therefore it is better not to rely on SMS for OTPs. Users should use authenticator apps, or log in to their email account to obtain OTPs, especially for bank-related OTPs. 

"It is better to use an app like Google Authenticator or Authy. Some password managers even have support for 2FA built-in, like 1Password or many of the other free managers we recommend," the report mentioned.
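The recommendation above rests on how authenticator apps generate codes: the code is computed on the device itself from a shared secret and the current time, so there is no SMS for a redirection service, SIM swap or SS7 abuse to capture. The following Python is an added example, not code from the report or from any of the apps it names; it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library, adds a verifier with a small clock-drift window, and builds the otpauth:// provisioning URI that apps read from a QR code. The secret used is the public test secret from the RFCs, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# Shared secret from the RFC 4226 / RFC 6238 test vectors (public, demonstration only).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP where the counter is the number of time steps since the Unix epoch."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, for_time: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side (clock drift).

    The comparison is constant-time so the verifier cannot be probed digit by digit.
    """
    if for_time is None:
        for_time = int(time.time())
    base = for_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + delta, digits), candidate):
            return True
    return False


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI that authenticator apps import from a QR code (secret is base32)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={digits}&period={step}")


if __name__ == "__main__":
    # "ExampleBank" and the account name are placeholders for this example.
    print("current code:", totp(RFC_TEST_SECRET))
    print(provisioning_uri(RFC_TEST_SECRET, "alice@example.com", "ExampleBank"))
```

Two details matter on the server side: the secret must be stored with the same care as a password hash, since anyone holding it can mint codes, and the drift window should stay small (one step either side) because every extra step accepted widens the set of codes an attacker could guess. A code that was phished out of a user by a robocall, as in the bot posts above, is still accepted within its step, so app-based OTP stops interception but not social engineering.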

Senior Citizens, the Victims of Airline Ticket Fraud

Think you've found an incredible deal when you see a last-minute airline ticket available for a fraction of the usual price? Be cautious before you buy, or you could end up with no ticket and your money in the hands of criminals.

Criminals use fraudulently obtained, compromised, or hacked credit card details to purchase air tickets. They then offer these tickets for sale at bargain prices through deceptive websites that appear legitimate, or through social networking accounts that pose as genuine travel services or agents. 

The criminal 'travel agents' demand immediate payment, usually in cash, by bank transfer, or in cryptocurrency. After receiving your payment, the criminal sends you the flight booking confirmation with their original purchase details removed. Sometimes you will receive multiple OTPs on your phone, and if you give an OTP to the fake agent, large sums of money will be siphoned from your account. 

Kumar (name changed), a senior citizen, said in his police complaint that he was attempting to book a flight ticket to Thiruvananthapuram via a mobile application. Although he had completed the payment, he received a text message saying that the fund transfer had not gone through. He later learned that a total of Rs. 7 lakh had been siphoned from his account. When Kumar then called the ticket booking firm's customer care number, they told him that they could not refund the amount because of a technical glitch and asked Kumar for the details of a different bank account. At that point, Kumar received several OTPs for bank transactions that took place without his knowledge. 

Another case has come to light in which a senior citizen lost Rs 1 lakh to online fraud. A Delhi-based senior citizen had booked an Air India ticket and wished to cancel it. He attempted to cancel the ticket online but could not because of an error. The report that highlighted the incident added that when the elderly man called the customer care number, the executive gave him a different mobile number. When he called that number, the person on the other end managed to obtain his bank account and debit card details. During the call, he received three or four OTPs on his mobile, which he shared with the caller. When the senior citizen ended the call, he received a message that Rs 1 lakh had been debited from his account. 

It is estimated that airline industry losses from the fraudulent online purchase of flight tickets have reached nearly USD 1 billion per year. These online transactions are highly lucrative for organized crime and are repeatedly linked to even graver crimes, including illegal immigration, human trafficking, drug smuggling, and terrorism.

A new Malware that can intercept your OTP and bypass Two Factor Authentication


For most of our accounts, be they bank accounts or social media accounts, we rely on two-factor authentication and OTPs (one-time passwords), believing them to be the most trustworthy and impenetrable form of security. But we ought to think again: a new Android malware, "Alien", with its remote access capability can steal 2FA codes and OTPs as well as sniff notifications.

Discovered by ThreatFabric, the Alien Trojan has been offered as Malware-as-a-Service (MaaS) on underground hacking forums. It is not the first malware to go after OTPs: Cerberus, a malware family with similar code, has already done so, but Google's security team found a way to detect Cerberus and clean infected devices. Alien, which evolved from the same code, has yet to be caught by security software.

With the remote access feature, Alien can not only seize passwords and login credentials but also grant hackers access to the device to use the stolen passwords. Alien can also perform the following tasks: 

  • Overlay on another App 
  • Steal 2FA and OTP 
  • Read Notifications 
  • Collect Geo-location data 
  • Forward Calls 
  • Install other Apps 
  • Steal Contacts 
  • Provide access to the device 
  • Log Keyboard Input 
  • Send Messages 

This set of capabilities makes the malware highly dangerous and leaves an infected device completely transparent to the hacker, and it is offered as MaaS. The malware deploys TeamViewer and uses it to read the device's screen and notifications and to harvest OTPs and other data, giving the hacker full rein over your device to attempt fraud and steal money and data.

How is it Spreading? 

According to ThreatFabric, the malware is spreading via phishing emails and third-party applications. Researchers found that Alien carried fake login overlays for 226 Android apps, some of them quite popular, such as Snapchat, Telegram, Facebook, Gmail, and WhatsApp. Many of them were banking and e-commerce apps, which is no surprise. The targeted banking apps were from Spain, Germany, the US, Italy, France, Poland, Australia, and the UK.