Threat Watch

Rising One-Time Password Stealing Bot Activity

As the use of Multi-Factor Authentication (MFA) becomes more common, threat actors have been forced to focus on methods to circumvent the protection. One-time password (OTP) usage is a form of MFA in which a service sends a numerical code via email, SMS, or through an app like Google Authenticator. There has been a rise in new OTP interception bots aiming to intercept the one-time use password. The bots being used operate over Telegram as a paid service with monthly fees upwards of $300 for access.

While users of these bots are required to provide only limited information about the target, chances of success in stealing the credential increases as more information is provided. SMSRanger is very popular and very easy to use with users claiming a near 80% success rate when full information is provided to enrich the attack. SMSBuster is another that is a bit more difficult to use as it requires the attacker to engage in social engineering of their own, however, templates and scripts are provided to the attacker.


What is concerning about these bots is the availability and the fact that they don’t require any programming skills. With a bit of OSINT (Open Source Intelligence) technique and the initial funds needed to subscribe, any person can use this service and profit. With this ease of use, the number of attacks and chance of success is rising. While any sort of MFA is important and a valid step in increasing the security of sensitive information, it can still be defeated. It is important to understand that when dealing with a bank or any financial service, unless you initiated contact there will not be a request for sensitive information.