Owners of 1-Time Passcode Theft Service Plead Guilty – Krebs on Security

Three men in the United Kingdom pleaded guilty to operating otp[.]organization, a once-popular online service that helped attackers intercept the one-time pass codes (OTPs) required by many websites as a second factor of authentication in addition to passwords.

Launched in November 2019, OTP Agency was a service for obtaining one-time passcodes needed to log into various websites. Fraudsters who had already stolen someone’s bank account information could enter the target’s phone number and name, and the service would initiate an automated phone call to the target alerting them of unauthorized activity on their account.

The call would prompt targets to enter a one-time pass code generated by their phone’s app, and the code was then transmitted to the fraudster’s user panel on the OTP Agency website.

A statement published on Aug. 30 by the UK National Crime Agency (NCA) said three men have pleaded guilty to managing the OTP Agency: Callum Picari, 22, of Hornchurch, Essex; Vijayasidhurshan Vijayanathan, 21, from Aylesbury, Buckinghamshire; and Aza Siddeeque, 19, of Milton Keynes, Buckinghamshire.

KrebsOnSecurity profiled the OTP Agency in a February 2021 story about the arrest of another UK-based phishing service. Someone claiming to represent the OTP Agency then posted a few comments on the piece, where they said the story was offensive and that they were a legitimate anti-fraud service. However, the Telegram channel of the service clearly showed that its owners created OTP Agency with one purpose in mind: to help their customers take over online accounts.

A few hours after that story was published, OTP Agency shut down its website and announced that it was closing shop and cleaning up its user data. The NCA said the February 2021 story led to shocking text messages between Picari and Vijayanathan:

Picari said: bro we are in big trouble… You are going to put me in the bag… Bro delete the chat

Vijayanathan: You are sure

Picari: Lots of evidence there

Vijayanathan: Are you 100% sure.

Picari: Very incriminating…Look and search for ‘fraud’…Just think of all the evidence…we can find…in an OTP conversation…they will find it.

Vijayanathan: Of course it is if we close everything

Picari: They went to our very first message…We look guilty…if we close…I say delete the chat…Our Chat is 100% Fraud

Vijayanathan: Every sane person will tell you to leave it here and move on

Picari: Just because we’re closing doesn’t mean we didn’t do it…But to remove our discussion…We’ll investigate their investigation…There is no deception on the site.

Despite deleting its Telegram channel, OTP Agency apparently found it difficult to distance itself from its customers (and/or money). Instead of shutting down as Vijayanathan wisely advised, a few days later OTP Agency was communicating with customers on a new Telegram channel, providing a new login page and assuring existing customers that their usernames, passwords and balances would remain the same.

The OTP Agency, immediately after its initial shutdown, informs customers that their existing logins will still work.

But that revival would be temporary. The NCA said the site was taken off the internet less than a month after the three were arrested. NCA investigators said more than 12,500 people were targeted by OTP Agency users during the 18 months the service was in operation.

Picari was the owner, developer and main beneficiary of the service, and his personal information and his connection to OTP Agency were revealed in February 2020 in a “dox” posted on the now-defunct English-language cybercrime forum Raidforums. The NCA said it started investigating the scheme in June 2020.

Operators of the OTP Agency who pleaded guilty to running the service: Aza Siddeeque, Callum Picari, Vijayasidhurshan Vijayanathan.

OTP Agency may be gone, but several other similar OTP interception services are still operating and accepting new customers, including a long-running service called SMSRanger that KrebsOnSecurity profiled in September 2021. More on SMSRanger in future posts.

Text messages, emails and phone calls warning recipients about potential fraud are some of the most common forms of fraud. If someone (or something) calls claiming to be from your bank, or asks you to provide any personal or financial information, don’t answer. Just hang up, full stop.

If the call makes you concerned about the security and integrity of your account, check account status online, or call your financial institution — you should use the phone number on the bank’s website or on the back of your debit card.

Read more: When in Doubt, Hang Up, Look Up, and Call Again

