The call came from PayPal’s fraud prevention system. Someone had tried to use my PayPal account to spend $58.82, according to the automated voice on the line. PayPal needed to verify my identity to block the transfer.
“In order to secure your account, please enter the code we have sent your mobile device now,” the voice said. PayPal sometimes texts users a code in order to protect their account. After entering a string of six digits, the voice said, “Thank you, your account has been secured and this request has been blocked.”
“Don’t worry if any payment has been charged to your account: we will refund it within 24 to 48 hours. Your reference ID is 1549926. You may now hang up,” the voice said.
But this call was actually from a hacker. The fraudster used a type of bot that drastically streamlines the process for hackers to trick victims into giving up their multi-factor authentication codes or one-time passwords (OTPs) for all sorts of services, letting them log in or authorize cash transfers. Various bots target Apple Pay, PayPal, Amazon, Coinbase, and a wide range of specific banks.
Whereas fooling victims into handing over a login or verification code previously would often involve the hacker directly conversely with the victim, perhaps pretending to be the victim’s bank in a phone call, these increasingly traded bots dramatically lower the barrier of entry for bypassing multi-factor authentication.
Motherboard asked someone called Kaneki selling one of these bots online to demo the capability by sending the automated call to a Motherboard reporter’s phone. After entering a code, Kaneki showed their bot had received the same code.
“The bot is great for people who don’t have social engineering skills,” OTPGOD777, another person advertising access to such a bot, told Motherboard in an online chat. Not everyone is “comfortable and persuasive on the phone you see.”
With these bots that cost a few hundred dollars, anyone can start getting around multi-factor authentication, a security measure that many members of the public may assume is largely secure. The bots' existence and increased popularity raises questions on whether online services need to offer more phishing-resistant forms of authentication to protect users.
To break into an account, a hacker will need a victim’s username or email address and password. They might source that from a previous data breach which contains credentials many people reuse across the internet. Or they could buy a set of “bank logs”—login details—from a spammer, OPTGOD777 said. But the victim may have multi-factor authentication enabled, which is where the bots come in.
Either on Telegram or Discord, the hacker enters their target’s phone number and the platform the hacker wants to break into. In the background, the bot then places the automated call to the target. Kaneki told Motherboard that the bots use sites similar to Twilio, a communications company for businesses that lets customers send messages and make calls, although Kaneki said not all of the bots use Twilio specifically.
“Twilio has been cracking down on OTP bots accounts,” they said. Cris Paden, director of corporate communications at Twilio, confirmed that Twilio is aware of OTP bots using its platform. He told Motherboard in an email that “we have a team in place who is well aware of and is actively monitoring this issue.”
“Once they become aware of an instance, they investigate immediately and take action, including shutting down the number and the account being used if need be,” Paden added.
Do you know anything else about OTP bots? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email firstname.lastname@example.org.
When the bot places the automated call and asks the victim to enter a code they just received, the hacker will simultaneously trigger a legitimate code to be sent from the targeted platform to the victim’s phone. They may do this by entering the victim’s username and password on the site so the victim receives a login or authorization code. Although the script in the call may tell the victim that the code is for one purpose—perhaps blocking a cash transfer or protecting their account from unauthorized entry—in reality the hacker is using the code to enter the account themselves.
The bot then takes the victim’s inputted code, feeds it back to the bot’s interface, and the hacker can then use the code to login.
“Cyber criminals are constantly trying new ways to scam folks and this OTP/2FA code stealing bot is just another example of fraudsters getting creative. This would convince many unsuspecting victims to hand over their OTP/2FA codes and the scammer doesn't even need to be a skilled social engineer, they can simply use this bot to attempt account takeover,” Rachel Tobac, CEO and co-founder of cybersecurity firm SocialProof Security, told Motherboard in an email after reviewing the call audio.
Jessica Barker, co-founder of cybersecurity company Cygenta, told Motherboard in an online chat that “This use of OTP/2FA bots is troubling, because it makes it easier for criminals to carry out their scams and it makes us more susceptible to them. We have become so much more accustomed to automated systems communicating with us, which makes this more convincing. Add in the classic manipulation by fear mongering and the little touches like the reference code and the need not to be worried about unauthorised payments going through, and this becomes even more persuasive.”
Multiple sellers told Motherboard that the bots could also be used to obtain codes generated by a multi-factor authentication smartphone app, such as Google Authenticator. The principle is essentially the same—tricking the target to hand over a code to the hackers.
Beyond sites or services such as Amazon, PayPal, and Venmo, some of the bots also target specific banks, such as Bank of America and Chase. With others, users can customize the automatically-read script themselves, OPTGOD777 explained.
A source who works on security in the finance sector told Motherboard that “these are used, especially for those who use SMS [...] as the two-factor authentication.” Motherboard granted the source anonymity as they weren’t permitted to speak to the press.
A spokesperson for Chase Bank told Motherboard in a statement that “Unfortunately, scammers target consumers from many banks. We urge all consumers never to share their banking password or a one-time code their bank sends them. Bank employees won’t call, text or email consumers asking for this info, but crooks will.”
A Coinbase spokesperson told Motherboard in a statement that “Coinbase acknowledges cybercriminals, who target valuable information online, are getting more creative and persistent. That's why we take extensive security measures to ensure our platform and customer accounts remain as safe as possible, including regularly educating our customers on using the most secure forms of 2FA available and supporting hardware security keys. Coinbase also works with industry partners and law enforcement to disrupt malicious infrastructure and attack campaigns wherever possible.”
Amazon told Motherboard it was aware of phishing bots. “We take any attempts to misuse our brand seriously. We do not send unsolicited messages asking for sensitive personal information or payment outside of our website, and maintain a webpage to assist customers in identifying a fake email or phone calls,” an Amazon spokesperson said in a statement. “Any customer that receives a questionable email, call or text from a person impersonating an Amazon employee should report them to Amazon customer service. Amazon investigates these complaints and uses them to protect customers and hold the bad actors accountable.”
Bank of America, PayPal, and Apple did not respond to requests for comment on whether each was aware of OTP bots targeting them specifically.
In February, Krebs on Security covered one OTP bot called OTP Agency. Then in July, cybersecurity website Frank on Fraud covered some others, including one called BloodOTP. Threat intelligence firm Intel471 published its own research into the bots in September.
Motherboard has identified more bots as well, and it appears they are growing in popularity.
“A while ago, like 10 months ago, there weren't that many on the market and if there was it was pretty expensive. Recently they have gotten more popular,” Kaneki told Motherboard. Kaneki declined to say whether they designed the bot themselves, or whether they are selling one made by someone else.
A screenshot of the bot in action uploaded to one of SMSranger's Telegram channels. Image: Motherboard.
In various Telegram groups, apparent users of the bots share their successes including screenshots of the bots in action. Some members also look to collaborate with one another to try and target more people.
A Telegram channel where SMSranger, one of the seemingly more popular bots, pushes updates and announcements about their product includes some 5,000 subscribers. A second channel where members of the SMSranger “community” can chat among themselves has over 2,800 subscribers, with over 500 members online at multiple times of the day.
Some bot sellers have recently run promotional prices, presumably to bring in more customers. SMSranger ran a limited time offer of one month access to the bot costing $540, and lifetime access for $2750. A day later, the bot was back to full price of $600 and $4000.
The author of BloodOTP claimed in an online chat earlier this year with Motherboard that their bot never worked. Shortly after being contacted by Motherboard, the BloodOTP administrator abandoned their Telegram accounts. At the time of writing, one of those abandoned accounts now points to an account belonging to another OTP bot being offered for sale called “Yahooze.”
In response to BloodOTP shutting down, SMSranger posted on its own Telegram channel in August “we are aware that bloodotp has shutdown and would like to welcome his old clients with open arms.” SMSranger then offered old BloodOTP customers 20 percent off the cost of their first month if they subscribed to SMSranger instead.
“This is your chance to make the right choice for your otp bot needs,” the post continued.