OTP Bots Take Social Engineering To New Level

Robots are powerful and they can be used for good or for bad. When they are good, they are very good. But when they are bad, they can be very bad.

Such is the case with new bots that are taking social engineering to a whole new level. They’re called OTP Bots and they are programmed to extract one time passwords from victims with zero human to human interaction.

These bots are nothing more than sinister robocall bots that have been programmed to call unsuspecting victims and convince them to hand over one-time passwords or SMS codes, which the end fraudsters can then use to log in and ransack their accounts.

How It Works

The services, promoted on Telegram, appear to make it remarkably simple for the end user to scam unsuspecting victims by providing as little as two pieces of information via a Telegram chat window to the service.

The service will appeal to newbie scammers and fraudsters who haven’t developed good social engineering skills yet, or perhaps to scammers who are afraid to interact directly with the victim.

OTP Bots Promise Fast and Easy One Time Passcodes Without the Need to SIM Swap

OTP Bots is yet another Fraud for Hire service being sold on encrypted chat platforms such as Telegram. These services offer everything from professional refunding services to synthetic identity creation directly to end users, and they’re making fraud far too easy for novice scammers to perpetrate.

With OTP Bot services, users can capture SMS and OTP codes directly from Telegram by entering a target phone number. With a tap of a button, users are supplied the passcodes directly from the victims without any interaction with the victim at all.

In their advertisements, this company claims that their service is fast and easy to use and that you can merely type a single command from Telegram to activate a bot that extracts one time passcodes from victims.

The service offers multiple packages, which appear to combine a monthly fee to access the service with credits that are used for phone calls to victims.

And it’s not only geared to defrauding banking victims: these services tout being able to get passcodes for PayPal, Apple, Google, email and many more.

The services are designed to sound exactly like agents, and they even have realistic-sounding hold music to make the whole experience more convincing to the victim.

Screenshots from these services show just how easy it is for users to gain access to passcodes. The bots do all of the work.

It’s hard to tell from the service how successful this bot-based approach is, but it is troubling that these Fraud for Hire services are sprouting up everywhere, making it easier for newbie scammers and fraudsters to succeed.

Here is a video demonstrating the interface, apparently spoofing a call to a victim from NatWest.

Fraud managers and cyber professionals, be aware that these services are out there and threaten your customers and their accounts.

I am Frank McKenna, a fraud expert from San Diego. The views and opinions expressed here are entirely my own and do not reflect those of Point Predictive.