Cybercriminals now using voice phishing & OTP grabbers to steal data & money
27 Sep 2023 13:28:56
According to a recent analysis released on Monday, fraudsters are increasingly combining 'vishing' tactics (voice phishing) with new OTP grabber services to intensify their malicious actions to steal data from unsuspecting people.
Vishing, according to the cybersecurity firm CloudSEK, entails tricking someone into divulging vital information over the phone.
The personal touch in vishing provides a convincing element to these attacks, increasing victims' faith in the caller. They use sophisticated interactive voice response (IVR) systems, authentic voice recordings of actual people, or even real-time calling methods that look to originate from a reputable organization, according to the researchers.
Users are masterfully tricked into providing their one-time passwords, which are often given via text messages, using similar approaches.
"Using vishing as their preferred method of attack, the cybercriminals successfully obtained employee credentials, secured global admin privileges within Azure Tenant, exfiltrated data, and then held numerous ESXi hypervisors hostage for ransom," said Shreya Talukdar, Global Threat Intelligence Analyst at CloudSEK.
The researchers recently identified a SpoofMyAss.com (SMA) advertising that provides the escalation of OTP bots and SMS senders, which may greatly assist hackers in the production of large-scale vishing assaults.
SpoofMyAss.com is a one-stop shop for end-to-end SMS-related phishing scams. The service is being offered with bold statements such as:
• Ability to make calls worldwide in over 30 languages.
• Pronounce the victim’s name, service details, and more.
• Ability to make anonymous calls
• Free bot template creation service with the help of Speech Synthesis Markup Language (SSML) code for more customization in audio responses.
Screenshot Courtesy : CloudSek
SpoofMyAss's features include OTP extraction, worldwide calls in different languages, personalization, anonymous calls, and Bot template building, which the researchers say clearly implies that vishing attacks are being performed.
"Using service features like Fast SMA, Stream SMA, and Transfere SMA, vishers can further craft highly convincing vishing calls," stated Bablu Kumar, Cyber Intelligence Analyst at CloudSEK.
SMA offers a free user signup as well as a $1 welcome balance to the user's account.
According to the study, its services are grouped into two primary categories: OTP Bot Spoofer and SMS Sender.
OTP Bot Spoofer, according to the advertisement, is a call service that may be used to get OTPs of any length.
The bot can conduct international calls, obtain numerous OTPs, and converse in over 30 languages, whilst the SMS Sender service promises to utilize 269 authentic SMS gateways to send text messages to unsuspecting people all over the world.
There are 87 SMS gateways situated in the United States and 13 in India.
Furthermore, the researchers indicated that the consequences of such exploitation are severe.
When cybercriminals acquire access to a victim's online banking and other sensitive accounts, they are able to conduct a wide range of fraudulent online transactions.
Vishing, according to the cybersecurity firm CloudSEK, entails tricking someone into divulging vital information over the phone.
The personal touch in vishing provides a convincing element to these attacks, increasing victims' faith in the caller. They use sophisticated interactive voice response (IVR) systems, authentic voice recordings of actual people, or even real-time calling methods that look to originate from a reputable organization, according to the researchers.
Users are masterfully tricked into providing their one-time passwords, which are often given via text messages, using similar approaches.
"Using vishing as their preferred method of attack, the cybercriminals successfully obtained employee credentials, secured global admin privileges within Azure Tenant, exfiltrated data, and then held numerous ESXi hypervisors hostage for ransom," said Shreya Talukdar, Global Threat Intelligence Analyst at CloudSEK.
The researchers recently identified a SpoofMyAss.com (SMA) advertising that provides the escalation of OTP bots and SMS senders, which may greatly assist hackers in the production of large-scale vishing assaults.
SpoofMyAss.com is a one-stop shop for end-to-end SMS-related phishing scams. The service is being offered with bold statements such as:
• Ability to make calls worldwide in over 30 languages.
• Pronounce the victim’s name, service details, and more.
• Ability to make anonymous calls
• Free bot template creation service with the help of Speech Synthesis Markup Language (SSML) code for more customization in audio responses.
Screenshot Courtesy : CloudSek
SpoofMyAss's features include OTP extraction, worldwide calls in different languages, personalization, anonymous calls, and Bot template building, which the researchers say clearly implies that vishing attacks are being performed.
"Using service features like Fast SMA, Stream SMA, and Transfere SMA, vishers can further craft highly convincing vishing calls," stated Bablu Kumar, Cyber Intelligence Analyst at CloudSEK.
SMA offers a free user signup as well as a $1 welcome balance to the user's account.
According to the study, its services are grouped into two primary categories: OTP Bot Spoofer and SMS Sender.
OTP Bot Spoofer, according to the advertisement, is a call service that may be used to get OTPs of any length.
The bot can conduct international calls, obtain numerous OTPs, and converse in over 30 languages, whilst the SMS Sender service promises to utilize 269 authentic SMS gateways to send text messages to unsuspecting people all over the world.
There are 87 SMS gateways situated in the United States and 13 in India.
Furthermore, the researchers indicated that the consequences of such exploitation are severe.
When cybercriminals acquire access to a victim's online banking and other sensitive accounts, they are able to conduct a wide range of fraudulent online transactions.