Upgraded Version of Generaly OTP Bot for MFA Bypass on Popular Payment Platforms

Summary

Upgraded version of Generaly OTP bot advertised on a cybercrime forum. The bot has a dedicated Telegram channel to capture & display information. Captured OTP can be used to bypass 2FA and gain complete access to bank accounts.
Category: Adversary Intelligence Industry: Finance and Banking Country: Global Source*: C3

Executive Summary

THREAT IMPACT MITIGATION
  • Upgraded version of Generaly OTP bot advertised on cybercrime forum.
  • The bot has a dedicated Telegram channel to capture & display information.
  • Captured OTP can be used to bypass 2FA and gain complete access to bank accounts.
  • Popular payment apps like Google Pay, Samsung Pay and Apple Pay are targeted.
  • Implement bot-detection technologies and algorithms.
  • Verify the legitimacy of the caller before giving away vital information.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a post on a cybercrime forum, where a threat actor was advertising the upgraded version of the Generaly Bot Setup.
  • Originally discovered in July 2022, Generaly is a Telegram OTP Bot capable of capturing OTP, Card CVV, pin codes, and recordings of the spoofed calls.
The crux of the threat actor’s services, advertised on the forum
The crux of the threat actor’s services, advertised on the forum
 

Information from a Sensitive Source

A sensitive source in contact with the threat actor has ascertained that:
  • The upgraded Generaly bot is designed to bypass authentication on payment gateway platforms like Google Pay, Samsung Pay, and Apple Pay.
  • It is a major threat to the banking sector as it is capable of stealing card CVV and pin codes.
  • To guarantee the legitimacy of the offering, the threat actor uses customer feedback and Telegram as a means to promote sales.
Core purpose of the Generaly bot
Core purpose of the Generaly bot
 

Modus Operandi

The modus operandi of the upgraded version is very similar to the previous version with a few additional functionalities, as discussed below.
  • Prior to the attack, the actor provides the victim’s PII to the bot (phone number is entered with /pp or /call prefixes).
  • The bot impersonates a legitimate entity (bank, e-commerce store, etc) by making a spoofed call from the toll-free customer care number to the intended target.
  • The reason for the call can range from anything like unauthorized activity on a bank account or on the online account portal.
  • In case the call goes to voicemail, instead of a human target, the call is disconnected. (This is a new feature in the upgraded bot release).
  • The threat actor then coaxes the victim to log in to the bank’s portal, to verify if the said incident <insert reason> happened.
  • Authentication apps or similar mechanisms incorporated on websites, help to validate a legitimate session from said user.
  • The bot then instructs the victim to press ‘1’ on their mobile phone. The same allows the OTP Bot to capture the OTP.
  • The bot captures the credentials entered and the OTP from the victim gets exfiltrated.
  • The same technique is used to steal CVV numbers and pin codes, from bank-issued credit/debit cards.

Additional Functionality

  • The upgraded features of the bot are the inclusions of authentication bypass on the following payment gateway platforms:
    • Samsung Pay
    • Apple Pay
    • Google Pay
  • The above can be initiated by using the commands /samsung, /apple, and /google.
  • However, before using any of the above-mentioned modes of payment, a threat actor needs information such as credit card and CVV numbers.
  • Once this data is entered in the targeted payment app, it can be used for purchasing items on e-commerce sites.
  • At checkout, having already entered the card details in the payment app, the appropriate command is executed.
  • OTP is then generated in the Telegram channel, allowing the threat actor to complete the purchase.

Monetary Benefits

  • Three lease options, i.e daily, weekly, and monthly plans, are available for the bot.
  • There is an option to purchase the bot outright for USD 350.
  • Primary mode of purchase is via cryptocurrency using Coinbase as a payment platform.
The OTP bot that is advertised for sale on the threat actor’s website - as well as their pricing ranges
The OTP bot that is advertised for sale on the threat actor’s website - as well as their pricing ranges
Also read Generaly OTP Bot Setup for MFA Bypass Affecting P2P Services

Information from Cybercrime Forums

  • The seller of this OTP bot was spotted looking for a Python Plivo API developer to perhaps transfer the OTP bot to a stable environment. The bot has frequently experienced downtime and has been unable to deliver its services.
  • The seller was also seen hiring affiliates who can generate Revolut VCC (Virtual Credit Cards). At the time of writing this Intelligence report, Revolut VCCs were not offered for sale in the online shop.
  • The seller mentions that the bot is not very successful at stealing OTPs from Paypal and Venmo numbers as 80% of these numbers had marked the bot call as spam and they go straight to voicemail.

Threat Actor Activity and Rating

Threat Actor Profiling
Active since October 2020
Reputation Medium (Few complaints and concerns on the forum).
  • The OTP Bypass service offered by the actor can be termed valid, given that there are no complaints against the service.
  • However, there were a few instances where the logs/combo lists offered by the threat actor were not up to par, or dysfunctional.
Current Status Active
History
  • Mostly deals with sales of logs, gift cards, private combo lists and afore-mentioned services, for monetary compensation.
  • Has an online store called Generaly.Shop, that sells cashout services targeting Venmo and Paypal.
  • The bot is advertised on multiple clearnet hacking forums.
  • The tools and products they offer on the forum can also be found on their Telegram channel, which can be joined by anyone.
Point of Contact The actor can be contacted via the following Telegram channels:
  • The shop’s channel (t[.]me/generalyotp - 801 subscribers)
  • The bot’s channel (t[.]me/GeneralyOTPBot)
  • Channel dedicated to vouches from satisfied customers (t[.]me/generalyvouchers)
Rating C3 (C: Fairly reliable, 3: Possibly True)

Impact and Mitigation

Impact Mitigation
  • The OTP captured by the bot can be misused to conduct withdrawals, maintain persistence, etc.
  • The bot can be used to bypass 2FA mechanisms and to gain complete access to online/bank accounts.
  • Bot-detection technologies and algorithms can be implemented to prevent instances of automated fraud.
  • Create awareness against social engineering tactics.
  • Ask the right questions and verify the legitimacy of the individual that is calling, before giving away vital or sensitive information.

References

Appendix

One instance of the OTP stealing attack taking place
Instance of the OTP stealing attack taking place
Instance of the OTP stealing attack taking place
 
An instance of the attack taking place
An instance of the attack taking place
 
In this case, the bot senses that the call has gone to voicemail, instead of a real person answering the phone. The call is immediately disconnected
In this case, the bot senses that the call has gone to voicemail, instead of a real person answering the phone. The call is immediately disconnected
 
Payment methods offered to the customer when proceeding with the transaction
Payment methods offered to the customer when proceeding with the transaction
   
Domain registration information of generally.shop.domain, suggesting that it is a new website
Domain registration information of generally.shop.domain, suggesting that it is a new website
 
No transactions had taken place, on this BTC address, at the time of writing this report. (Source - https[:]//www[.]blockchain[.]com/btc/address/38bc5mwEMJLHEVzkv2smLNFNTjW2QoBPXC). The same observation was made while covering the original report on Generaly OTP Bot, though the BTC Address was different
No transactions had taken place, on this BTC address, at the time of writing this report. (Source - https[:]//www[.]blockchain[.]com/btc/address/38bc5mwEMJLHEVzkv2smLNFNTjW2QoBPXC). The same observation was made while covering the original report on Generaly OTP Bot, though the BTC Address was different
 
Telegram channel advertising their services and offerings
Telegram channel advertising their services and offerings
Telegram channel that advertising their requirement for recruits
Telegram channel that advertising their requirement for recruits
 

Table of Contents

Request an easy and customized demo for free