Report Shows Increase in Cybercriminals Using Voice Phishing and OTP Theft for Data Breaches

In a worrying discovery, cybersecurity researchers have found that cybercriminals are combining voice phishing (vishing) with One-Time Password (OTP) grabber services to enhance their illegal operations. The report, published by cybersecurity firm CloudSEK, provides insight into the changing threat landscape.

The Art of Vishing

Vishing, short for voice phishing, is a manipulative technique in which individuals are coerced into revealing sensitive information over the phone. What sets vishing apart is the human touch it adds to cyber attacks, making victims more likely to trust the caller on the other end of the line. Attackers use highly sophisticated tactics, including interactive voice response (IVR) systems, authentic voice recordings, or even real-time calls that convincingly impersonate trusted companies. With these methods, unsuspecting victims are tricked into revealing their one-time passwords, which are typically delivered via text message, CloudSEK reports.

SpoofMyAss.com (SMA)

A recent investigation uncovered a chilling ad on SpoofMyAss.com (SMA) through which cybercriminals gain access to OTP bot escalation and SMS senders, significantly strengthening their ability to carry out large-scale vishing attacks. SMA’s toolkit includes OTP extraction, global calling in multiple languages, personalization features, anonymous calling features, and bot template creation – all of which tell about businesses.

Even more confusing is that SMA lures users with free logins and a welcome balance of $1. It divides its services into two categories: OTP Bot Spoofer and SMS Sender. OTP Bot Spoofer is a call service capable of obtaining OTPs of any length and fetching multiple OTPs. The SMS Sender service, meanwhile, uses 269 legitimate SMS gateways, including 87 in the US and 13 in India, to send SMS messages to users worldwide.

Bad consequences of exploitation

The consequences of such abuse are serious. Once cybercriminals gain unauthorized access to victims’ online banking and sensitive accounts, they have the power to orchestrate a variety of fraudulent online transactions, leaving individuals and organizations vulnerable to significant financial losses and data breaches.

The CloudSEK report added: “Using vishing as a choice, cybercriminals successfully obtained employee credentials, secured global administrator privileges on an Azure Tenant, exfiltrated data, and subsequently held multiple ESXi hypervisors hostage for ransom.”

Stay vigilant in the face of growing threats

In light of these evolving threats, cybersecurity experts are urging individuals and organizations to exercise extreme caution. Strong security measures and increased awareness are paramount to protecting against these ever-adapting cyber adversaries. It is a call to action to strengthen security protocols and stay one step ahead in the fight against cybercrime.
