Executive Summary
The threat landscape is rapidly changing. Threat actors who traditionally bought and sold malware, login credentials, and sensitive information on markets found on TOR (The Onion Router) are increasingly moving off of the “dark web” and on to clear web sites and instant messaging platforms such as Discord and Telegram. In today’s threat spotlight we are going to dive into the world of illicit Telegram channels and specifically the rise of OTP (one time password) bots.
The Details
Why are Threat Actors moving off of the Dark Web?
To understand why threat actors are moving off of the dark web, it helps to initially understand why they chose to use TOR originally. TOR began as a product by the U.S. Naval Research Laboratory and like the internet, quickly grew far outside of its original intended purpose. TOR allows for nearly completely anonymized browsing and website hosting with URLs ending in .onion. Traffic is routed through nodes hosted globally, usually jumping between multiple nodes before arriving at the intended destination with traffic never leaving the network.
This provides for a high degree of anonymity but also results in incredibly slow speeds, with .onion pages often taking in excess of a minute to load. In addition, large file uploads and downloads can take days or even weeks depending on the size of the file. Information published to dark web markets and forums is also essentially permanent, given that dozens of security companies continuously monitor and archive the dark web in addition to government agencies around the world.
Social media messaging channels carry almost none of these drawbacks. They are made to be consumable, lightning fast, and when a channel is discovered to be infiltrated by law enforcement or security organizations, a new one can be created in seconds. We also believe that although data is archived it may feel more anonymous and less permanent than publishing files or information to the dark web, particularly since data can be set to automatically delete after a period of time.
What kind of Malicious Content can be Found on Clear Web/Instant Messaging Applications?
Almost anything that can be found on a traditional dark web marketplace can also be found on illicit instant messaging application channels. Bank accounts, stolen credentials, one-time password bots, forged checks, and even infected devices can be easily purchased through Telegram, with many marketplaces focused on making the transactions and use of stolen information as easy as possible. Today we are going to focus on the rise of OTP bots to bypass 2FA and MFA controls.
One Time Password Bots
One-time Password Bots (OTP bots) are essentially a method for threat actors to attempt to gather 2FA codes from victims at scale. A search across approximately 100 illicit Telegram chat rooms from the beginning of 2022 for the terms “OTP Bot” and “2FA Bot” returned more than 1700 results. For context, searching in the same chatrooms for “vbv” returns 2500 results, “fullz” returns 50,000, and “no2fa” gives 3300 results. Many of the results concerning OTP bots display activity as recent as within minutes of the query, confirming there is active demand and chatter about the service. In fact, malicious actors seem to often purchase access to bank account logins, and then inquire about OTP Bots’ availability in various fraud focused Telegram chat rooms.
The Anatomy of an OTP Bot
OTP Bots are designed and sold with specific organizations in mind. Once a threat actor has the login credentials to a bank, a corporate IT environment, or other service they can purchase an OTP bot which will send the victim a phishing voicemail/text which contains roughly the following message (customized to the account that threat actor is trying to break into):
“Hello, this is Scatterholt Global calling to verify your identity, we have just sent you a one time-passcode to your phone, please reply to our text with the password to confirm your identity”
The voice/text will be fully automated and typically the number will be spoofed to make it appear that the automated call is legitimately from the organization that they claim to be from.
Why this Matters for Security Teams
OTP bots are often used to facilitate personal financial fraud rather than corporate, but corporate attacks are another easy application of the technique that we have seen. It is not hard to envision a scenario in which a data breach exposes hundreds of corporate logins, which a threat actor then finds phone numbers from the victims using OSINT and leverages to solicit one-time passwords and bypass two-factor authentication controls. We’ve already seen this TTP used in the Cisco breach, and it is likely a similar method was used in the recent attack against Uber.
How Flare can Help
Flare automates monitoring across hundreds of illicit telegram channels including those where OTP bots are sold. Customers are empowered to enter an “identifier” (automated search term) and Flare will crawl dark web, clear web, and illicit communities found on instant messaging applications and return a prioritized list of instances where that search term has appeared. Flare enables companies to automate monitoring for:
- OTP Bots targeting their organization
- Infected Device Marketplaces
- Stolen Credentials
And dozens of other threats ranging from data leaks to secrets being leaked on Github. Request a demo for more information.
