Atropos.ai researchers were able to gain access to the internal database of the Estate platform, which entered the market of robotic phishing campaigns in mid-2023. As TechCrunch reports, the service allows for SIM spoofing attacks, and thousands of people could become its victims.
“Estate helps attackers bypass multi-factor authentication, which is based on a one-time code that is sent to the victim’s device or email, or generated by an authenticator app. Stolen passwords can give attackers access to the victim’s bank accounts, credit cards, crypto and digital wallets, as well as online services,” the material says.
The platform itself is closed to new participants, except for those recruited by users themselves with a referral code. The development of the project was not accompanied by any extensive advertising campaigns. However, an error made by Estate administrators allowed researchers to become familiar with the leaked service database. It contains information including about the creator of the project, a 20-year-old programmer from Denmark who said he sold it some time ago, and his accomplices, as well as information about all fraudulent calls, including detailed attack logs.
In total, the database contains logs of 93 thousand attacks. They targeted victims who had accounts with Amazon, Bank of America, Capital One, Chase, Coinbase, Instagram, Mastercard, PayPal, Venmo, Yahoo and many other services.
Estate provided users with tools to find previously hacked account passwords of potential victims. Thanks to this, OTPs became the only obstacle to account hacking. Project participants also have access to special scripts containing instructions to trick the victim into handing over a one-time password. Some scenarios forced victims to hand over the CVV code found on the back of the plastic card. Interestingly, one of the largest telephone campaigns on the Estate was aimed at elderly victims. This is because they are more likely to answer an unwanted call than younger generations.
“Estate helps attackers bypass multi-factor authentication, which is based on a one-time code that is sent to the victim’s device or email, or generated by an authenticator app. Stolen passwords can give attackers access to the victim’s bank accounts, credit cards, crypto and digital wallets, as well as online services,” the material says.
The platform itself is closed to new participants, except for those recruited by users themselves with a referral code. The development of the project was not accompanied by any extensive advertising campaigns. However, an error made by Estate administrators allowed researchers to become familiar with the leaked service database. It contains information including about the creator of the project, a 20-year-old programmer from Denmark who said he sold it some time ago, and his accomplices, as well as information about all fraudulent calls, including detailed attack logs.
In total, the database contains logs of 93 thousand attacks. They targeted victims who had accounts with Amazon, Bank of America, Capital One, Chase, Coinbase, Instagram, Mastercard, PayPal, Venmo, Yahoo and many other services.
Estate provided users with tools to find previously hacked account passwords of potential victims. Thanks to this, OTPs became the only obstacle to account hacking. Project participants also have access to special scripts containing instructions to trick the victim into handing over a one-time password. Some scenarios forced victims to hand over the CVV code found on the back of the plastic card. Interestingly, one of the largest telephone campaigns on the Estate was aimed at elderly victims. This is because they are more likely to answer an unwanted call than younger generations.
