Telegram bots are out to steal your one-time passwords

Cyber criminals are using bots on the Telegram messenger app to steal one-time password credentials, seize control of user accounts, and steal bank funds.

Hackers are using a bot script called SMSRanger to send automatic messages to people, allegedly on behalf of a bank, PayPal, or other popular financial applications, according to a security researcher at Intel471.

Automatic messages prompt users to send one-time password (OTP) codes along with other account information. If successful, Telegram bots collect codes, enabling hackers to bypass the bank's OTP verification system, hack a user’s account, and withdraw funds.

Researchers said SMSRanger is easy to use. Specifying the numbers, goals, and the company the program will masquerade as is quite simple, so a criminal only needs to know some basic script commands in Telegram. This means SMSRanger is popular not only among experienced cyber criminals, but also among relatively unskilled ones.

Once the hacker enters the target's phone number, the bot does the rest of the work, ultimately granting access to any successfully attacked account. Researchers said hackers using the tool have about an 80% efficacy rate if the victim answered the call and the user’s full information was accurate and updated.

Researchers also discovered another bot called BloodOTPbot. This can send users a fraudulent OTP code via SMS. The bot requires an attacker to spoof the victim’s phone number and impersonate a bank or company representative.

“The bot then would attempt to call the victim and use social engineering techniques to obtain a verification code,” said researchers.

The operator would receive a notification from the bot during the call specifying when to request the OTP during the authentication process. The bot would text the code to the operator once the victim received the OTP and entered it on the phone’s keyboard, added researchers.

A third bot, known as SMS Buster, requires a bit more effort to obtain account information. The bot provides options to disguise a call and make it appear as a legitimate contact from a specific bank, letting the attackers dial from any phone number.

“From there, an attacker could follow a script to trick a victim into providing sensitive details such as an ATM personal identification number (PIN), card verification value (CVV) and OTP, which could then be sent to an individual’s Telegram account. The bot, which was used by attackers targeting Canadian victims, gives users the chance to launch attacks in French and English,” said researchers.

The researchers added they have seen accounts illegally accessed at eight different Canadian-based banks.

“The ease by which attackers can use these bots cannot be understated. While there’s some programming ability needed to create the bots, a bot user only needs to spend money to access the bot, obtain a phone number for a target, and then click a few buttons,” researchers said.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives.