Category: Adversary Intelligence | Industry: Finance and Banking | Country: Global | Source*: C3
- CloudSEK’s contextual AI digital risk platform XVigil discovered a post on a cybercrime forum, where a threat actor was advertising the upgraded version of the Generaly Bot Setup.
- Originally discovered in July 2022, Generaly is a Telegram OTP bot capable of capturing OTPs, card CVVs and PINs, as well as recordings of the spoofed calls.
- The upgraded Generaly bot is designed to bypass authentication on payment gateway platforms like Google Pay, Samsung Pay, and Apple Pay.
- It is a major threat to the banking sector because it can steal card CVVs and PINs.
- To guarantee the legitimacy of the offering, the threat actor uses customer feedback and Telegram as a means to promote sales.
- Prior to the attack, the actor provides the victim’s PII to the bot (the phone number is entered with the /pp or /call prefix).
- The bot impersonates a legitimate entity (bank, e-commerce store, etc.) by placing a spoofed call from that entity's toll-free customer care number to the intended target.
- The stated reason for the call varies, e.g. unauthorized activity on the victim's bank account or online account portal.
- If the call goes to voicemail instead of a human target, the bot disconnects the call (a new feature in the upgraded release).
- The threat actor then coaxes the victim to log in to the bank’s portal to verify whether the alleged incident <insert reason> actually happened.
- Authentication apps or similar mechanisms built into the website then issue an OTP to confirm that the session belongs to the legitimate user.
- The bot instructs the victim to press ‘1’ on their mobile phone, which allows the OTP bot to capture the OTP.
- The bot captures the entered credentials and exfiltrates the victim's OTP.
- The same technique is used to steal CVVs and PINs of bank-issued credit and debit cards.
- The upgrade adds authentication bypass for the following payment platforms:
  - Samsung Pay
  - Apple Pay
  - Google Pay
- These modes are initiated with the commands /samsung, /apple, and /google.
- However, before using any of these payment modes, the threat actor needs the victim's card details, such as the card number and CVV.
- Once this data is entered in the targeted payment app, it can be used to purchase items on e-commerce sites.
- At checkout, with the card details already loaded into the payment app, the actor runs the appropriate command.
- The OTP is then delivered into the Telegram channel, allowing the threat actor to complete the purchase.
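The two flows above (the spoofed-call OTP capture and the wallet-provisioning bypass) share one signature an issuer can look for: a card is enrolled into Apple/Google/Samsung Pay on a device the cardholder has never used, authorised by an SMS OTP that was verified from that same unknown device moments earlier, because the victim relayed the code over the phone. The following detection rule and the matching preventive control are an added example written for this report; they are not CloudSEK's code or the bot's, and the JSON Lines event schema, field names, the `KNOWN_DEVICES` baseline and the sample log lines are all constructed assumptions rather than any real issuer's format.

```python
import json
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed baseline: devices each cardholder has used before (assumed data;
# in a real deployment it would come from prior successful logins or app installs).
KNOWN_DEVICES: Dict[str, Set[str]] = {
    "u1": {"phone-A"},
    "u2": {"phone-B"},
}

# Wallet platforms named in the report; these enrolment labels are assumptions
# for the constructed schema, not the bot's /samsung, /apple, /google commands.
WALLETS = {"google_pay", "apple_pay", "samsung_pay"}
LOOKBACK = timedelta(minutes=10)

# Constructed sample log in JSON Lines form (assumed schema).
# u1 enrols a card on a known phone (benign). u2's card is enrolled on an unseen
# device right after an SMS OTP was verified there: the relayed-OTP pattern.
# u2's later Samsung Pay enrolment has no OTP in the window and is left to policy.
SAMPLE_LOG = """
{"ts":"2023-03-01T10:00:05","user":"u1","kind":"otp_sent","device":"phone-A","detail":"sms"}
{"ts":"2023-03-01T10:00:40","user":"u1","kind":"otp_verified","device":"phone-A","detail":"sms"}
{"ts":"2023-03-01T10:01:00","user":"u1","kind":"wallet_enroll","device":"phone-A","detail":"google_pay"}
{"ts":"2023-03-02T15:30:00","user":"u2","kind":"otp_sent","device":"unknown-Z","detail":"sms"}
{"ts":"2023-03-02T15:30:55","user":"u2","kind":"otp_verified","device":"unknown-Z","detail":"sms"}
{"ts":"2023-03-02T15:31:10","user":"u2","kind":"wallet_enroll","device":"unknown-Z","detail":"apple_pay"}
{"ts":"2023-03-02T16:00:00","user":"u2","kind":"wallet_enroll","device":"unknown-Q","detail":"samsung_pay"}
"""


def parse_log(text: str) -> List[dict]:
    """Parse JSON Lines events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_wallet_otp_relay(events: List[dict], known: Dict[str, Set[str]]) -> List[dict]:
    """Alert on wallet enrolments from a device the cardholder has never used
    when an SMS OTP was verified from that same device inside the lookback window."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["kind"] != "wallet_enroll" or ev["detail"] not in WALLETS:
            continue
        if ev["device"] in known.get(ev["user"], set()):
            continue  # self-service enrolment on a known device: benign
        # Walk backwards in time; events are sorted, so stop once outside the window.
        for prev in reversed(events[:i]):
            if ev["ts"] - prev["ts"] > LOOKBACK:
                break
            if (prev["user"] == ev["user"] and prev["kind"] == "otp_verified"
                    and prev["detail"] == "sms" and prev["device"] == ev["device"]):
                alerts.append({
                    "user": ev["user"],
                    "wallet": ev["detail"],
                    "device": ev["device"],
                    "otp_to_enroll_seconds": (ev["ts"] - prev["ts"]).total_seconds(),
                })
                break
    return alerts


def provisioning_challenge(user: str, device: str, known: Dict[str, Set[str]]) -> str:
    """Preventive control: a code the victim can read out over a phone call must
    not authorise provisioning from an unknown device; require approval inside
    the banking app on a device the cardholder already owns."""
    if device in known.get(user, set()):
        return "sms_otp"
    return "in_app_approval_on_known_device"


if __name__ == "__main__":
    for alert in detect_wallet_otp_relay(parse_log(SAMPLE_LOG), KNOWN_DEVICES):
        print("ALERT", alert)
    print(provisioning_challenge("u2", "unknown-Z", KNOWN_DEVICES))
```

The detection only catches enrolments that were authorised by an SMS code; the policy function closes the gap by never offering an SMS OTP for provisioning from an unknown device in the first place, which removes the thing the bot exists to harvest.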
- Three lease options, i.e. daily, weekly, and monthly plans, are available for the bot.
- There is an option to purchase the bot outright for USD 350.
- Primary mode of purchase is via cryptocurrency using Coinbase as a payment platform.
- The seller of this OTP bot was spotted looking for a Python Plivo API developer, presumably to move the bot to a more stable environment: the bot has frequently experienced downtime and has been unable to deliver its services.
- The seller was also seen hiring affiliates who can generate Revolut VCC (Virtual Credit Cards). At the time of writing this Intelligence report, Revolut VCCs were not offered for sale in the online shop.
- The seller mentions that the bot is not very successful at stealing OTPs from PayPal and Venmo numbers, as 80% of these numbers have marked the bot's call as spam and it goes straight to voicemail.
Threat Actor Profiling
- Active since: October 2020
- Reputation: Medium (few complaints and concerns on the forum)
- Point of Contact: The actor can be contacted via the following Telegram channels:
- Rating: C3 (C: Fairly reliable, 3: Possibly true)
- #Traffic Light Protocol
- *Intelligence Source & Information Reliability
- Generaly OTP Bot Setup for MFA Bypass Affecting P2P Services - CloudSEK