Owners of 1-Time Passcode Theft Service Plead Guilty
Three men in the United Kingdom have pleaded guilty to operating otp[.]agency, a once popular online service that helped attackers intercept the one-time passcodes (OTPs) that many websites require as a second authentication factor in addition to passwords.
Launched in November 2019, OTP Agency was a service for intercepting one-time passwords needed to log in to various websites. Scammers who had already stolen someone’s bank account credentials could enter the target’s phone number and name, and the service would initiate an automated phone call to the target that warned them about unauthorized activity on their account.
The call would prompt the target to enter a one-time passcode generated by their phone’s mobile app, and the code was then relayed to the scammer’s user panel at the OTP Agency website.
A statement published Aug. 30 by the U.K.’s National Crime Agency (NCA) said three men pleaded guilty to running OTP Agency: Callum Picari, 22, from Hornchurch, Essex; Vijayasidhurshan Vijayanathan, 21, from Aylesbury, Buckinghamshire; and Aza Siddeeque, 19, from Milton Keynes, Buckinghamshire.
KrebsOnSecurity profiled OTP Agency in a February 2021 story about arrests tied to another phishing-related service based in the U.K. Someone claiming to represent OTP Agency then posted several comments on the piece, wherein they claimed the story was libelous and that they were a legitimate anti-fraud service. However, the service’s Telegram channel clearly showed its proprietors had built OTP Agency with one purpose in mind: To help their customers take over online accounts.
Within hours of that publication, OTP Agency shuttered its website and announced it was closing up shop and purging its user database. The NCA said the February 2021 story prompted a panicked message exchange between Picari and Vijayanathan:
Picari said: bro we are in big trouble… U will get me bagged… Bro delete the chat
Vijayanathan: Are you sure
Picari: So much evidence in there
Vijayanathan: Are you 100% sure
Picari: It’s so incriminating…Take a look and search ‘fraud’…Just think of all the evidence…that we cba to find…in the OTP chat…they will find
Vijayanathan: Exactly so if we just shut EVERYTHING down
Picari: They went to our first ever msg…We look incriminating…if we shut down…I say delete the chat…Our chat is Fraud 100%
Vijayanathan: Everyone with a brain will tell you stop it here and move on
Picari: Just because we close it doesn’t mean we didn’t do it…But deleting our chat…Will f*^k their investigations…There’s nothing fraudulent on the site
Despite deleting its Telegram channel, OTP Agency evidently found it difficult to walk away from its customers (and/or the money). Instead of shutting down as Vijayanathan wisely advised, just a few days later OTP Agency was communicating with customers on a new Telegram channel, offering a new login page and assuring existing customers that their usernames, passwords and balances would remain the same.
OTP Agency, immediately after their initial shutdown, telling customers their existing logins will still work.
But that revival would be short-lived. The NCA said the site was taken offline less than a month later when the trio were arrested. NCA investigators said more than 12,500 people were targeted by OTP Agency users during the 18 months the service was active.
Picari was the owner, developer and main beneficiary of the service, and his personal information and ownership of OTP Agency were revealed in February 2020 in a “dox” posted to the now-defunct English-language cybercrime forum Raidforums. The NCA said it began investigating the service in June 2020.
The OTP Agency operators who pleaded guilty to running the service; Aza Siddeeque, Callum Picari, and Vijayasidhurshan Vijayanathan.
OTP Agency might be gone, but several other similar OTP interception services are still in operation and accepting new customers, including a long-running service KrebsOnSecurity profiled in September 2021 called SMSRanger. More on SMSRanger in an upcoming post.
Text messages, emails and phone calls warning recipients about potential fraud are some of the most common scam lures. If someone (or something) calls saying they’re from your bank, or asks you to provide any personal or financial information, do not respond. Just hang up, full stop.
If the call has you worried about the security and integrity of your account, check the account status online, or call your financial institution — ideally using a phone number that came from the bank’s Web site or from the back of your payment card.
Further reading: When in Doubt, Hang Up, Look Up, and Call Back
Krebs on Security – Read More
RansomHub Ransomware Group Targets 210 Victims Across Critical Sectors
Threat actors linked to the RansomHub ransomware group encrypted and exfiltrated data from at least 210 victims since its inception in February 2024, the U.S. government said.
The victims span various sectors, including water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services,
The Hacker News – Read More
Global Phishing Scam Hits Canadian Pizza Chains for Credit Card Data
Scammers are using domain spoofing, phishing and other tactics to steal customer information from pizza restaurants, especially in…
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More
Forrester’s CISO budget priorities for 2025 focus on API, supply chain security
Safeguarding revenue and minimizing business risks will dominate CISOs’ budgets next year, starting with APIs and software supply chains.
Security News | VentureBeat – Read More
For Windows 11 setup, which user account type should you choose? How to decide
When you set up a new Windows PC, you can choose from up to four types of user accounts – but your first choice might not be the right one.
Latest stories for ZDNET in Security – Read More
A Macro Look at the Most Pressing Cybersecurity Risks
A Forescout report highlighted a 43% increase in published vulnerabilities, with 23,668 reported in H1 2024. Ransomware attacks also rose by 6%, totaling 3,085 incidents, with the U.S. being the most targeted country.
Cyware News – Latest Cyber News – Read More
Passkey Adoption Is Accelerating in APAC — Except for Australia
Australian banks and government agencies are not rushing to adopt passkey authentication methods, despite the added security benefits.
Security | TechRepublic – Read More
GreenCharlie Infrastructure Targeting US Political Entities with Advanced Phishing and Malware
GreenCharlie attackers use dynamic DNS providers to register domains for phishing attacks, with deceptive themes like cloud services and document visualization to trick victims into revealing sensitive information or downloading malware payloads.
Cyware News – Latest Cyber News – Read More
Why Incident Response Planning is Critical for Cybersecurity Resilience
Cyber threats are inevitable, making preparedness necessary. In 2023, the average cost of a data breach reached $4.45…
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More
A New Variant of Cicada Ransomware Targets VMware ESXi Systems
The group behind Cicada3301 has been recruiting affiliates on cybercrime forums since June. It is speculated that Cicada3301 could be related to the now-defunct ALPHV group, as both ransomware share similarities.
Cyware News – Latest Cyber News – Read More