Cybercrime , Fraud Management & Cybercrime , Geo Focus: The United Kingdom
3 Men Plead Guilty to Running Service That Bypasses MFA
Automated Service Helped Subscribers Trick Victims Into Sharing One-Time CodesThree nationals pleaded guilty in British court to running an online criminal service that advertised its ability to bypass multifactor authentication defenses for such banks as HSBC, Lloyds and online-only British bank Monzo.
See Also: Strengthening Your Security Program With Open API
Britain's National Crime Agency said Friday that from September 2019 until authorities shut down the site and busted its three administrators in March 2021, OTPAgency offered a subscription-based service designed to help fraudsters socially engineer targets, obtain one-time passcodes and personal identifiable information, and drain victims' bank accounts. Authorities estimate the service targeted the information of more than 12,500 individuals during its 18-month run.
Appearing at London's Snaresbrook Crown Court, Callum Picari, 22, Vijayasidhurshan Vijayanathan, 21, and Aza Siddeeque, 19, each entered guilty pleas. All three initially denied any knowledge of the service before ultimately pleading guilty, and Siddeeque - accused of promoting the site and providing technical support to its criminal users - only did so last week, the NCA said. The three men were charged with conspiracy to make and supply articles for use in fraud.
Picari, who developed, ran and principally profited from the site, and regularly advertised it via a dedicated Telegram channel that counted 2,200 members, was also charged with money laundering.
"First and last professional service for your OTP stealing needs. We promise you will be making profit within minutes of purchasing our service," one of Picari's Telegram messages says. "Ever wanted to grab a one time passcode for any website? Well now you can! With OTPAgency you can grab an otp for vbv, 30+ sites and also Apple Pay.. it's only £30 a week you really don't wanna miss out."
The service could be accessed via a "basic" package that cost 30 British pounds, or $40, per week, designed to bypass multiple banks' fraud checks so criminals could complete online transactions. A more sophisticated "elite" package cost 380 British pounds, or $500, per week, "and granted access to Visa and Mastercard verification sites," the NCA said, referring to such anti-fraud checks as Verified by Visa and MasterCard SecureCode, which can prompt users to enter a unique code they've already registered for the account as an additional layer of authentication.
"These plans allowed criminals to access personal bank accounts and steal money," the NCA said.
Picari pulled the plug on the Telegram group after being outed by cybersecurity blogger Brian Krebs in February 2021, police said.
Describing how the service worked, Krebs reported that it enabled subscribers to log into the OTPAgency portal and enter a target's phone number. The service automatically called the victim, claimed there was "unauthorized activity on their account" and instructed them to enter a one-time code they were about to receive. In reality, the one-time code was being triggered by criminals attempting to illicitly log into the target's account. If the victim shared their one-time code, it would be immediately routed to the OTPAgency portal for the subscriber to use to log into their account.
The NCA said Krebs' exposé prompted this exchange:
–Picari: "bro we are in big trouble"… "U will get me bagged"… "Bro delete the chat"
–Vijayanathan: "Are you sure"
–Picari: "So much evidence in there"
–Vijayanathan: "Are you 100% sure"
–Picari: "It's so incriminating"..."Take a look and search 'fraud'"..."Just think of all the evidence"..."that we cba to find"..."in the OTP chat"..."they will find"
–Vijayanathan: "Exactly so if we just shut EVERYTHING down"
–Picari: "They went to our first ever msg" ... "We look incriminating"..."if we shut down"..."I say delete the chat"..."Our chat is Fraud 100%"
–Vijayanathan: "Everyone with a brain will tell you stop it here and move on"
–Picari: "Just because we close it doesn't mean we didn't do it"..."But deleting our chat"..."Will f*^k their investigations"..."There's nothing fraudulent on the site"
The three men are due to be sentenced Nov. 2 at Snaresbrook Crown Court.
"Picari, Vijayanathan and Siddeeque opened the door for fraudsters to access bank accounts and steal money from unsuspecting members of the public," said Anna Smith, operations manager for the NCA's National Cyber Crime Unit.
"Their convictions are a warning to anyone else offering similar services; the NCA has the ability to disrupt and dismantle websites which pose a threat to people's livelihoods," she said.