The incoming phone call flashes on the victim’s phone. It may only last a few seconds, but it can end with the victim handing over codes that give cybercriminals the ability to hijack their online accounts or empty their crypto and digital wallets.
“This is the PayPal security team. We have detected some unusual activity on your account and are calling you as a precaution,” says the caller’s robotic voice. “Enter the six-digit security code we sent to your mobile device.”
The victim, unaware of the caller’s malicious intentions, enters the six-digit code they just received via text message into their phone’s keypad.
“I got that boom!” reads a message on the attacker’s console.
In some cases, the attacker may also send a phishing email with the goal of capturing the victim’s password. But many times, that code from your phone is all the attacker needs to get into the victim’s online account. When the victim ends the call, the attacker has already used the code to log into the victim’s account as if they were the rightful owner.
Since mid-2023, an interception operation called Estate has allowed hundreds of members to make thousands of automated phone calls to trick victims into entering one-time passwords, TechCrunch has learned. Estate helps attackers defeat security features such as multi-factor authentication, which relies on a one-time passcode sent to a person’s phone or email or generated from their device using an authenticator app. Stolen one-time access codes can give attackers access to a victim’s bank accounts, credit cards, crypto and digital wallets, and online services. Most of the victims have been in the United States.
But a bug in Estate’s code exposed the site’s database, which was not encrypted. The Estate database contains details of the site’s founder and its members, and line-by-line records of every attack since the site was launched, including the phone numbers of victims who were attacked, when, and by which member.
Vangelis Stykas, security researcher and CTO at Atropos.ai, provided the Estate database to TechCrunch for analysis.
The backend database provides a rare insight into how a one-time password interception operation works. Services like Estate advertise their offerings under the guise of a seemingly legitimate service that lets security professionals test resistance to social engineering attacks, but they fall into a legal gray area because they allow their members to use these services for malicious cyberattacks. In the past, authorities have prosecuted the operators of similar sites that automated cyberattacks and offered their services to criminals.
The database contains records of more than 93,000 attacks since Estate launched last year, targeting victims who have accounts at Amazon, Bank of America, CapitalOne, Chase, Coinbase, Instagram, Mastercard, PayPal, Venmo, Yahoo (TechCrunch’s parent company) and many others.
Some of the attacks also show efforts to hijack phone numbers by conducting SIM swap attacks (one campaign was titled simply “you’re getting a SIM swap friend”) and threatening to dox victims.
Estate’s founder, a Danish programmer in his 20s, told TechCrunch in an email last week: “I no longer operate the site.” The founder, despite efforts to hide Estate’s online operations, misconfigured Estate’s server, exposing its real-world location in a data center in the Netherlands.
Estate advertises itself as being able to “create custom OTP solutions that perfectly fit your needs” and explains that “our custom scripting option puts you in control.” Estate members access the global telephone network by posing as legitimate users to gain access to upstream communications providers. One supplier was Telnyx, whose CEO David Casem told TechCrunch that the company blocked Estate’s accounts and that an investigation was underway.
Although Estate is careful not to use explicit language that could incite or encourage malicious cyber attacks, the database shows that Estate is used almost exclusively for criminal purposes.
“These types of services form the backbone of the criminal economy,” said Allison Nixon, director of research at Unit 221B, a cybersecurity firm known for investigating cybercriminal groups. “They make slow tasks efficient. This means more people are receiving scams and threats in general. More seniors lose their retirement due to crime, compared to the days before these types of services existed.”
Estate attempted to keep a low profile by hiding its website from search engines and attracting new members by word of mouth. According to its website, new members can log into Estate only with a referral code from an existing member, keeping the number of users low to avoid detection by the upstream communications providers Estate depends on.
Once through the door, Estate provides members with tools to search for passwords from their potential victims’ previously breached accounts, leaving single-use codes as the only obstacle to hijacking targets’ accounts. Estate tools also allow members to use custom scripts containing instructions to trick targets into handing over their one-time passwords.
Some attack scripts are instead designed to validate stolen credit card numbers by tricking the victim into handing over the security code on the back of their payment card.
According to the database, one of the largest calling campaigns in Estate targeted older victims under the assumption that Boomers are more likely to take an unsolicited phone call than younger generations. The campaign, which represented around a thousand phone calls, was based on a script that kept the cybercriminal informed of each attempted attack.
“The old b—answered!” would flash on the console when the victim answered the call, and “Life Support Disconnected” would display when the attack was successful.
The database shows that Estate’s founder is aware that his clientele are largely criminal actors, and Estate has long promised privacy to its members.
“We do not record any data and do not require any personal information to use our services,” reads Estate’s website, a snub at the identity checks that telecoms providers and technology companies typically require before allowing customers access to their networks.
But that is not strictly true. Estate recorded every attack its members carried out in great detail, dating back to the site’s launch in mid-2023. And the site’s founder retained access to server logs that provided a real-time window into what was happening on the Estate server at any given time, including every call made by its members, as well as each time a member loaded a page on the Estate website.
The database shows that Estate also keeps track of potential members’ email addresses. One of those users said that he wanted to join Estate because he had recently “started buying cc” (referring to credit cards) and believed Estate was more reliable than buying a bot from an unknown seller. The user was later approved to become a member of Estate, records show.
The exposed database shows that some members trusted Estate’s promise of anonymity enough to leave fragments of their own identifiable information, including email addresses and online identifiers, in the scripts they wrote and the attacks they carried out.
Estate’s database also contains its members’ attack scripts, which reveal the specific ways attackers exploit weaknesses in how tech giants and banks implement security features, such as the one-time passcodes used to verify customer identities. TechCrunch is not describing the scripts in detail because doing so could help cybercriminals carry out attacks.
Veteran security reporter Brian Krebs, who previously reported on a one-time password operation in 2021, said these types of criminal operations make it clear why “no information should ever be provided in response to an unsolicited phone call.”
“It doesn’t matter who says they are calling: if you didn’t initiate contact, hang up,” Krebs wrote. That advice still holds true today.
But while services that offer one-time passcodes still provide better security to users than services that do not, the ability of cybercriminals to bypass these defenses shows that technology companies, banks, cryptocurrency wallets and exchanges, and telecommunications companies have more work to do.
Unit 221B’s Nixon said companies are in an “eternal battle” with bad actors seeking to abuse their networks, and that authorities should step up efforts to crack down on these services.
“The missing piece is that we need law enforcement to arrest criminal actors who become a nuisance,” Nixon said. “Young people are deliberately making a career out of this, because they convince themselves that they are ‘just a platform’ and ‘not responsible for the crime’ facilitated by their project.”
“They hope to make easy money in the fraud economy. There are influencers who encourage unethical ways to make money online. Law enforcement must stop this.”