Authors: Shreya Talukdar and Bablu Kumar
Within the ever-evolving realm of cybersecurity, the surge in OTP bots and SMS senders wielded by threat actors presents an ongoing challenge that demands our attention. Cybercriminals are increasingly combining vishing techniques with OTP grabber services to amplify their malicious activities. Vishing, or voice phishing, involves manipulating individuals into divulging sensitive information over the phone. The human touch in vishing adds a convincing element to these attacks, making victims more likely to trust the caller. Attackers employ sophisticated interactive voice response (IVR) systems, authentic voice recordings of real individuals, or even real-time calls that convincingly appear to originate from a trusted company. Through these tactics, users are skillfully manipulated into revealing their one-time passwords, typically delivered via text messages.
The significance of OTPs in the realm of online security cannot be overstated. A multitude of online services, including financial institutions, rely heavily on OTPs as the final verification step. In certain scenarios, a One Time Password (OTP) is the only gateway to accessing one's account. This very reliance makes these services an enticing target for those wielding OTP bot services.
In the past, we have seen similar services such as SMS Bandits and SMSRanger being offered on underground forums and Telegram channels.
SMS Bandits emerged as an online service masterminded by a 20-year-old threat actor, aimed at orchestrating large-scale phishing campaigns through mobile text messages. The phishing messages ingeniously masqueraded as various entities, including pandemic relief initiatives, PayPal, telecommunications giants, and governmental tax revenue agencies. The service was tied to another OTP grabber service named Otp[.]agency, designed to help intercept one-time passwords needed to log in to various websites. Once the call is placed, the target is prompted to enter a one-time password, generated by their mobile app, into the system. This password is then covertly sent back to the scammer's user panel hosted on the OTP Agency website.
To highlight the use of well-established tactics like vishing as an initial point of attack, and to illustrate how such techniques can be harnessed for malicious intent, consider the cyberattack on MGM Resorts reported on September 14, 2023. This incident is attributed to Scattered Spider, a group recognized for its expertise in social engineering. Employing vishing as their method of choice, the cybercriminals obtained employee credentials, secured global admin privileges within the Azure tenant, exfiltrated data, and subsequently held numerous ESXi hypervisors hostage for a ransom. More details on this are given below.
One of the most recent such offerings is a service known as “SpoofMyAss.com” - a one-stop shop for end-to-end SMS-related phishing scams. The service is being offered with bold statements such as:
- Ability to make calls worldwide in over 30 languages.
- Pronounce the victim’s name, service details, and more.
- Ability to make anonymous calls.
- Free bot template creation service with the help of Speech Synthesis Markup Language (SSML) code for more customization in audio responses.
This service (and all others mentioned in this post) assumes the threat actor already has the target’s login credentials through different means.
SpoofMyAss Empowers Cybercriminals with Advanced Vishing Capabilities
SpoofMyAss bundles an OTP bot with an SMS sender, and that combination can significantly aid cybercriminals in orchestrating large-scale vishing (voice phishing) attacks. The following features provided by SpoofMyAss strongly indicate that it is built for vishing attacks:
- OTP Extraction: The primary purpose of this vishing service is to extract OTPs from victims. Vishers can employ various tactics, such as impersonating legitimate entities or creating urgent scenarios, to trick victims into revealing their One-Time Passwords.
- Global Calls in Multiple Languages: Threat actors can use this service to place calls to potential victims worldwide, utilizing a language that the victim is comfortable with or expecting.
- Personalization: The ability to pronounce the victim's name and service details adds a convincing human touch to the vishing call. Threat actors can use this feature to make the call seem more legitimate and trustworthy.
- Anonymous Calls: Threat actors can make anonymous calls, hiding their true identities and locations. This anonymity can make it more challenging for victims to trace the source of the call, increasing the likelihood of successful vishing.
- Bot Template Creation: By creating bots using SSML code, vishers can customize audio responses to suit their specific vishing scenarios. This customization allows for a more realistic and targeted approach when attempting to deceive victims.
Using the three OTP bot modes offered by the service, vishers can craft highly convincing vishing calls:
- Fast SMA: Vishers can rapidly create vishing calls using personalized templates. For instance, they can call a victim, use their name, and claim to be from a reputable organization like a bank, convincing the victim to provide their OTP.
- Stream SMA: Vishers can enhance the authenticity of vishing calls by using their own audio recordings, making the call seem even more legitimate and trustworthy.
- Transfere SMA: This service allows for anonymous calling with manipulated caller IDs and call forwarding options. Vishers can impersonate trusted entities and manipulate call routing, maintaining anonymity throughout the call and making it challenging for victims to trace the origin.
Services Offered by SpoofMyAss:
User signup on the portal is free of charge. Additionally, it offers USD 1 as a welcome balance to the user’s account, an enticing invitation to explore the diverse offerings of the platform.
The service primarily consists of two main sub-services:
- OTP Bot Spoofer
- SMS Sender
OTP Bot Spoofer
Per the advertisement, OTP Spoofer is an automated call service that can be used to grab OTPs of any length. The bot possesses the ability to facilitate global calls, fetch multiple OTPs, and communicate seamlessly in over 30 languages.
The service is offered in 3 categories:
- Fast SMA
- Stream SMA
- Transfere SMA (likely a typo made by the developer)
The first service is Fast SMA, which is, as per the advertisement, fast and easy to use thanks to custom-made or pre-made SSML templates. This means the bot can be configured to utter the victim’s name and service details, adding a personalized touch to the call.
After the call is initiated and the user is deceived into disclosing their OTP, the OTP is displayed on the attacker's panel.
The second service provides threat actors with the ability to utilize their own audio recordings, which they can store in either MP3 or WAV formats. When these audio files are employed, they greatly enhance the overall authenticity of the calls. This heightened authenticity significantly boosts the probability of users being lured into sharing their One-Time Passwords (OTPs) during the call.
The final service allows anyone to make anonymous calls with manipulated caller IDs and call forwarding options, providing threat actors with opportunities for impersonation, fraudulent calls, and large-scale phishing campaigns. For Transfere SMA, when the victim answers the call, the system connects it to a phone number of the threat actor’s choice that has been specified on the panel. This is what makes the calling anonymous. If the victim's country matches one of the designated country numbers available on the panel, the call will be routed accordingly; otherwise, it will appear as a US number. The system initiates a call to the victim, who picks up and hears a "wait please" message. Simultaneously, the system initiates a call to the threat actor (TA). Upon answering, the TA engages in conversation with the victim. The communication flows from the victim through the SpoofMyAss service and then to the TA. Importantly, the victim only sees the number associated with the service, maintaining the TA's anonymity throughout the call.
Threat actors can pose as trusted entities, like banks, to trick victims into revealing sensitive information, and they can use counterfeit caller IDs to deceive recipients into sharing personal data or visiting fake websites, ultimately leading to data theft and increased security risks.
Peeling Back the Curtain: Real-World Instances of How Threat Actors are Leveraging 'SpoofMyAss' for SMS Scams and Vishing
Insights from the MGM Resorts Incident
On September 14, 2023, MGM Resorts was reportedly hit by a cyberattack causing multiple systems to go offline. It’s believed that Scattered Spider, which specializes in social engineering, is responsible for the breach. After gathering employee information from social media, likely LinkedIn, the cybercriminals impersonated the IT Help Desk of MGM Resorts and used vishing techniques to gather credentials. The threat actors purportedly gained global admin privileges on the Azure tenant, performed data exfiltration, and later locked down hundreds of ESXi hypervisors for ransom.
We've noted that threat actors frequently rely on well-established techniques when conducting cyberattacks. Consequently, these tried-and-true methods can be adopted by less-sophisticated, copycat threat actors, often with the help of services like SpoofMyAss.
Okta is a cloud-based identity and access management (IAM) platform that provides businesses and organizations with a secure and centralized way to manage user identities and access to various applications and services.
Vishing Tactic in Action
Banking Vishing Scam
In a banking vishing scam, threat actors often pose as bank representatives or officials. They typically use the following tactics:
- Caller ID Spoofing: The visher may use services like "spoofmyass" to manipulate their caller ID to make it appear as if the call is coming from the victim's bank.
- Urgent Situation: The visher creates a sense of urgency, claiming there is a security issue with the victim's account or unauthorized transactions. They insist that immediate action is required.
- Verification Request: To gain the victim's trust, the visher may ask the victim to verify their identity by providing personal information like their full name, date of birth, or even a one-time password (OTP).
- OTP Extraction: If the victim is tricked into sharing their OTP, the visher gains access to the victim's account and can perform unauthorized transactions.
Tech Support Vishing Scam
In tech support vishing scams, attackers often target individuals with claims of technical issues on their computers or devices:
- Impersonation: The visher poses as a tech support agent from a well-known company (e.g., Microsoft or Apple) and informs the victim about a critical issue with their computer.
- Remote Access Request: To resolve the alleged issue, the visher asks the victim to grant them remote access to their device. This is usually done using software like TeamViewer.
- Payment Request: After gaining access to the victim's computer, the visher may claim that there is a fee for the service or that they need access to the victim's online banking to process a refund.
- Financial Fraud: The visher may manipulate the victim into making payments or transferring funds, resulting in financial loss for the victim.
Lottery Scam via SMS
In this SMS scam, victims receive a text message claiming they have won a substantial sum of money in a lottery. The message appears to be from a well-known lottery organization and typically contains a link or a phone number to claim the prize. Threat actors can use services like "spoofmyass" to send these SMS messages with convincing sender IDs.
- Deceptive Message: Victims receive a message stating they have won a lottery, creating excitement and curiosity.
- Instructions to Claim: The message provides instructions on how to claim the prize, which may include calling a specific number or visiting a website.
- Personal Information Request: Upon calling, victims are asked to provide personal information and, in some cases, an upfront payment for taxes or fees to release the prize.
Impersonation of Utility Company via Vishing
In this vishing scenario, threat actors impersonate a utility company, such as an electricity or gas provider. They often target businesses or individuals with the following tactics:
- Caller ID Manipulation: Using services like "spoofmyass," the visher makes the call appear as if it's coming from the legitimate utility company.
- Threat of Service Disruption: The visher claims there is an issue with the victim's account or an unpaid bill that needs immediate attention to avoid service disruption.
- Payment Request: To resolve the issue, the visher asks the victim to make a payment over the phone using a credit card or share sensitive banking information.
This service currently claims to be using 269 legitimate SMS gateways for sending text messages to unsuspecting users across diverse regions of the globe. Of these, 87 are US-based and 13 are India-based SMS gateways.
A template is SSML code that the SMA bot reads aloud when the attacker places a call to grab an OTP code. The language and speaking style of the bot are customizable, after which voice testing can be done to confirm the chosen voice. The code can be edited to include dynamic information: for example, ##cname## is used to address the callee by name and ##service## to mention the bank name. This allows the bot to personalize the message the attacker wants to deliver. Options like speaking rate, pitch, and break time are also customizable. The template can be played, edited, or deleted as per the threat actor’s requirement.
Similarly, another template can be created after the victim enters an OTP as an ending message to sound more legitimate.
There are 4 services offered within the tool section:
- Number Generator
- Number Validator
- Detector
- SMS Filter
The number generator feature offers the capacity to efficiently produce phone numbers in large quantities, with the option to specify the desired quantity and even select the target country for number generation.
Through Human Intelligence (HUMINT) sources, we have discerned that this tool employs internally-developed algorithms for generating these numbers.
Number validator is used for ensuring that the numbers generated are accurate and it further checks for the country as well. We have not been able to verify whether these numbers are validated against some external sources.
The third service in the list is Detector which is a carrier detector. A mobile number carrier detector is a software or service designed to identify the mobile carrier or network operator associated with a given mobile phone number. This tool can be used to determine which telecommunications company provides service for a particular phone number. As per the claim, the service can identify the country and carrier associated with the phone number.
An SMS gateway filter is a mechanism or component within an SMS gateway system designed to filter and manage SMS (Short Message Service) messages. Its primary purpose is to control the flow of SMS messages and ensure that only legitimate, desired, and compliant messages are sent or received through the gateway.
List Manager is a feature where bulk numbers can be uploaded together to organize phone numbers effortlessly into lists, simplifying the process of sending SMS messages. It can also be used to review the phone number list and remove any undesired entries.
SMA Unlimited SMS Sender
The announcement of the "SPOOF MY ASS UNLIMITED SMS SENDER" states that the SMS sender service has moved to a private, subscription-based model. Key points of the update include:
- Private SMS Gateway: Subscribed users will have access to their private SMS gateway for better service quality and reliability.
- Monthly Subscription: Users need to subscribe for $300 per month to access the premium SMS service.
- Dedicated Sender ID: Subscribers can customize sender IDs for personalization and branding.
- Unlimited Sending: Subscribers can send unlimited SMS messages worldwide.
- One Subscriber, One Gateway: Each subscriber gets their private SMS gateway for exclusivity and performance.
- Activation Process: To activate the private SMS gateway, users should contact the administrator on Telegram for guidance.
Recent Updates on SpoofMyAss Service Panel
As per their claim, these are the updates in version 2 (V2) of the service:
- Private SMS Gateway: Subscribed users will now have access to their private SMS gateway. As per the claim, this gateway will ensure the highest level of service quality and reliability.
- Monthly Subscription: To access this premium SMS service, users will need to subscribe on a monthly basis. The subscription fee is $300 per month.
- Dedicated Sender ID: Subscribers will have the flexibility to customize the sender ID for their messages, enhancing personalization and branding.
- Unlimited Sending: With subscription, users will have unlimited SMS sending capabilities, allowing them to reach recipients across the globe without limitations.
- One Subscriber, One Gateway: Each subscriber will have their private SMS gateway for one month, ensuring exclusivity and performance.
Ramifications of OTP SMS and OTP Call Grabber Services
The ramifications of such exploitation are profound. Cybercriminals, upon gaining access to a victim's online banking and other sensitive accounts, are equipped to perpetrate a wide array of fraudulent online transactions. However, the scope of threat posed by these services extends far beyond the mere capture of OTPs. These insidious tools are versatile, capable of wielding social engineering techniques, propagating malware or scams, and even inflicting harassment and extortion upon their targets.
OTP SMS and OTP call grabber services carry serious consequences and present substantial risks for both individuals and organizations. Below are several examples of how these services may be exploited for malicious purposes:
Account Takeover: Malicious individuals can use OTP grabber services to intercept OTPs transmitted via SMS or voice calls. Armed with these intercepted OTPs, they can illicitly enter the victim's accounts, including email, social media, and financial accounts, effectively taking control of them. In a specific instance, an attacker uses an OTP grabber service to intercept the OTP dispatched to a victim's mobile device during a login attempt. Using the stolen OTP, the attacker then gains access to the victim's email account, which holds sensitive personal and financial data.
Identity Theft: OTP grabber services can be used to illicitly acquire OTPs used for identity verification across a range of online services. Malicious actors can then exploit these OTPs to assume the identity of the target, enabling fraudulent activities and potentially facilitating identity theft. In this process, a malicious actor intercepts the OTP through an OTP grabber service, which lets them pose as the legitimate user and execute unauthorized transactions with fraudulent intent.
Unauthorized Access: OTPs are often used for two-factor authentication (2FA) to provide an additional layer of security. Misuse of OTP Grabber services can bypass this security measure, enabling unauthorized access to sensitive systems or applications.
Financial Fraud: Access to OTPs can enable attackers to carry out financial fraud. They can make unauthorized transactions, transfer funds, or withdraw money from the victim's bank accounts or digital wallets.
Privacy Invasion: Intercepting OTPs is a breach of privacy, as it involves monitoring and accessing the victim's communication channels without consent. This invasion of privacy can cause emotional distress and anxiety for victims.
Simultaneous Authentication: OTP Grabber services can intercept OTPs in real-time, allowing attackers to authenticate themselves on the victim's behalf, making it difficult for the victim to notice or respond in time.
Account Hijacking: OTP Grabber services can lead to complete account hijacking, as attackers can change account passwords, security settings, and recovery information, locking the legitimate account owner out of their own accounts.
Propagation of Malware or Scams: Threat actors could use Fast SMA to automate calls promoting malware downloads or other fraudulent schemes. By customizing the call content to suit different targets, they can spread malicious software or perpetrate scams on a larger scale.
Harassment and Extortion: In some cases, threat actors might use this service for harassment or extortion. They can repeatedly send threatening or misleading calls to victims, demanding money or sensitive information in exchange for stopping the harassment.
It's important for individuals and organizations to be vigilant about safeguarding OTPs and implementing additional security measures, such as using authenticator apps or hardware tokens, to protect against OTP interception. Additionally, reporting any suspected misuse of OTP Grabber services to law enforcement or relevant authorities is crucial to combat these illegal activities.
Nipping in the Bud with CloudSEK’s Underground Module
CloudSEK’s deep and dark web monitoring platform scours thousands of sources across the deep and the dark web to identify fraud and targeted threats. The service gives analysts a single pane of glass to monitor dark web activities. In this particular case, if the banking-related credentials are being sold on the dark web, you will be directly notified so you can instantly take security measures and inform the affected users/clients.
Shoutouts and Reviews of SpoofMyAss Service Panel:
The reviews indicate that the service is getting traction on underground forums and threat actors have already started using it for nefarious purposes.