The End of Robophishing: The Fall of the Fraudulent Cyber Empire Estate Is Just Around the Corner

Father

What should you do if a robot on the phone asks you for a one-time code?

Recently, cybercriminals have significantly improved their attack methods, using sophisticated schemes to intercept one-time verification codes (OTPs) to gain access to victims' bank accounts and digital wallets.

Automated phone calls became the scammers' main tool: attackers, either personally or using pre-recorded robotic voice lines, presented themselves as the security service of well-known brands and convinced users to report a one-time SMS code, allegedly to protect their account from fraudulent actions.

The operation, codenamed Estate, launched as a separate service in mid-2023, allowed hundreds of attackers to make thousands of automated robocalls every day and gain unauthorized access to multiple accounts by bypassing multi-factor authentication (MFA).

The main targets of the attacks were bank accounts, credit cards, and online services, including Amazon, PayPal, and Coinbase. Most of the victims were located in the United States.

A striking event in the fight against this kind of fraud was a recent mistake by Estate's administrators, which led to a leak of the service's internal database containing information about both the creator of the fraudulent operation and his accomplices. And "for dessert", researchers got data on all fraudulent calls, including detailed attack logs.

The leaked database provided security researchers with a fresh look at the mechanisms of intercepting one-time codes, revealing vulnerabilities in the systems of many large companies.

It is noteworthy that Estate, like many other modern fraudulent tools, is positioned on the Internet as a pentester service, which allows it to function quite legally in cyberspace.

However, its authors tried to hide the website from the search results in all possible ways, and tried to give access only by invitation, so as not to accidentally launch a "mole" into their fraudulent community.

Allison Nixon of the information security company Unit 221B emphasized that such services significantly simplify cybercrime, making it accessible to everyone. She calls on law enforcement agencies to be more active in combating this phenomenon.

According to her, online fraud, including fraud using the Estate service, has become a conscious choice for many young people who see it as an easy way to earn money. That is why law enforcement officers should do everything possible to block any opportunities for fans of "easy money".

The best defense against such fraudulent campaigns is to never provide personal data in response to unsolicited calls, regardless of who is calling and whom they claim to represent. Only increased vigilance will help to avoid deception in the era of such rapid development of digital technologies.
 