The criminal prosecution of the threat actors behind the "OTP Agency" has highlighted an ingenious new tactic that cybercriminals can use to bypass multi-factor authentication.
The OTP Agency launched back in November of 2019. Their service was simple: if you have a compromised credential, their service would call the credential owner and pose as the website the account was for citing fraudulent activity, and ask the owner to verify themselves by providing the one-time password (OTP) sent to them via SMS.
In actuality, the threat actor would be logging on at the same time the call is placed so that, when prompted to provide the OTP, the Agency would obtain it and hand it over to the threat actor to complete their login.
OTP Agency charged a fee based on the type of site the threat actor wanted to access. £30 a week got you access to banking sites, whereas £380 a week got you access to Visa and Mastercard verification sites.
In a recent statement by the U.K.’s National Crime Agency, three U.K. residents ages 19-22 were arrested and pleaded guilty to fraud.
The simplicity of their service demonstrates how easily and quickly someone can get into the cybercrime game. And, based on their 5 year run, it also makes the case that users fall for this consistently – a clear reason why organizations need to enroll their employees in new-school security awareness training to educate them on techniques like the ones employees by OTP Agency and others, keeping credentials and the resources they provide access to secure.
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
