Telegram OTP scams targeting users; These 3 were caught stealing money

When it comes to defrauding people, OTP scams have been one of the classic techniques used by scammers for duping innocent internet users into providing access to their social media or messaging app accounts. More often than not, scammers have directed these OTP scams at WhatsApp users. But now it looks like things are changing as a new report indicates that scammers have now started targeting Telegram users with OTP scams as well. The reason why Telegram OTP scams are rising because of the massive surge in number of users that Telegram has seen recently onboarded, especially after the WhatsApp privacy controversy that made many people migrate to the former. For cybercriminals, The equation is simple - the greater the number of subscribers in app, the better the chances of hackers managing to steal their money.

Cyber security firm Intel471 has witnessed an uptick in services that allow attackers to intercept one-time password (OTP) tokens. All the services Intel471 has observed, which have been in operation since June, either operate via a Telegram bot or provide support for customers via a Telegram channel. In these support channels, users often share their success while using the bot, often walking away with thousands of dollars from victim accounts.

“Over the past few months, we've seen actors provide access to services that call victims, appear as a legitimate call from a specific bank and deceive victims into typing an OTP or other verification code into a mobile phone in order to capture and deliver the codes to the operator,” Intel 471 wrote in a blog post.

How cybercriminals are using Telegram bots to steal money

Intel471 reports that many bots are being used for targeting users. One of them is known as SMSRanger. Those who pay for access can use the bot by entering commands similar to how bots are used on popular workforce collaboration tool Slack. A simple slash command allows a user to enable various “modes” — scripts aimed as various services — that can target specific banks, as well as Google Pay, Apple Pay, PayPal or a wireless carrier. Once a target's phone number has been entered, the bot does the rest of the work, ultimately granting access to whatever account has been targeted.

Another bot known as BloodOTPbot also sends users fraudulent OTP codes via SMS. The bot requires an attacker to spoof the victim's phone number and impersonate a bank or company representative. The bot then would attempt to call the victim and use social engineering techniques to obtain a verification code. The operator would receive a notification from the bot during the call specifying when to request the OTP during the authentication process. The bot would text the code to the operator once the victim received the OTP and entered it on the phone's keyboard.

A third bot involved in carrying out Telegram OTP scams is known as SMS Buster. It requires a bit more effort from the malicious actor to obtain account information. It provides options to disguise a call to make it appear as a legitimate contact from a specific bank while letting the attackers choose to dial from any phone number. From there, an attacker could follow a script to track a victim into providing sensitive details such as an ATM PIN, CVV and OTP, which could then be sent to an individual's Telegram account. This bot can launch attacks in French and English.

Intel471 says that as of now, it has seen accounts illegally accessed at eight different Canadian-based banks.