OTP theft soars as 'vishing' tactics evolve, says cybersecurity study

Vishing (voice phishing) manipulates victims into revealing sensitive data via phone using personal touch, IVR systems, real voice recordings, and mimicking trusted companies

Representative image (photo: National Herald archives)
Representative image (photo: National Herald archives)


Cybersecurity researchers have discovered that cybercriminals are increasingly merging 'vishing' techniques (voice phishing) with new OTP grabber services to amplify their malicious activities, a new report said on Monday, 25 September.

According to the cybersecurity company CloudSEK, vishing involves manipulating individuals into revealing sensitive information over the phone.

The human touch in vishing adds a convincing element to these attacks, making victims more likely to trust the caller. They employ sophisticated interactive voice response (IVR) systems, authentic voice recordings of real individuals, or even deploy real-time calling methods that convincingly appear to originate from a trusted company, the researchers explained.

Using such tactics, users get skillfully manipulated into revealing their one-time passwords, typically delivered via text messages.

"Employing vishing as their method of choice, the cybercriminals successfully obtained employee credentials, secured global admin privileges within Azure Tenant, exfiltrated data, and subsequently held numerous ESXi hypervisors hostage for ransom," said Shreya Talukdar, Global Threat Intelligence Analyst at CloudSEK.

The researchers recently discovered a SpoofMyAss.com (SMA) advertisement that offers the escalation of OTP bots and SMS senders that can significantly aid cybercriminals in producing large-scale vishing attacks.

The features provided by SMA include OTP extraction, global calls in multiple languages, personalisation, anonymous calls, and Bot template creation, which the researchers believe strongly indicates to perform vishing attacks.

"Using service features like Fast SMA, Stream SMA, and Transfere SMA vishers can further craft highly convincing vishing calls,” said Bablu Kumar, Cyber Intelligence Analyst at CloudSEK.

SMA has a free-of-charge user signup and also offers $1 as a welcome balance to the user’s account.

Its services are divided into two main categories -- OTP Bot Spoofer and SMS Sender, the report mentioned.

According to the advertisement, OTP Bot Spoofer is a call service that can be used to obtain OTPs of any length.

The bot can make international calls, retrieve multiple OTPs, and communicate in over 30 languages, while the SMS Sender service claims to use 269 legitimate SMS gateways to send text messages to unsuspecting users in various regions around the world.

Of these, there are 87 US-based and 13 India-based SMS gateways.

Moreover, the researchers claimed that the ramifications of such exploitation are profound.

Cybercriminals upon gaining access to a victim's online banking and other sensitive accounts, are equipped to perform a wide array of fraudulent online transactions.

Follow us on: Facebook, Twitter, Google News, Instagram 

Join our official telegram channel (@nationalherald) and stay updated with the latest headlines