Incoming phone call flashes on the victim’s phone. It may only last a few seconds, but it can end with the victim handing over codes that give cybercriminals the ability to steal their online accounts or drain their crypto and digital wallets.
“This is the PayPal security team here. We’ve detected some unusual activity on your account and are calling you as a precautionary measure,” says the caller’s robotic voice. “Enter the six-digit security code we’ve sent to your mobile device.”
The victim, unaware of the caller’s malicious intentions, punches the six-digit code they just received via text into their phone’s keypad.
“I got that boomer!” a message is read on the attacker’s console.
In some cases, the attacker may also send a phishing email to capture the victim’s password. But many times, that code from their phone is all an attacker needs to break into a victim’s online account. By the time the victim ends the call, the attacker has already used the password to log into the victim’s account as if they were the rightful owner.
Since mid-2023, a wiretapping operation called Estate has allowed hundreds of members to make thousands of automated phone calls to trick victims into entering one-time passwords, according to TechCrunch. Estate helps attackers defeat security features like multi-factor authentication, which rely on a one-time password either sent to a person’s phone or email, or generated on their device using an authentication app. Stolen OTPs can grant attackers access to the victim’s bank accounts, credit cards, crypto and digital wallets, and online services. Most of the victims are in the United States.
But a bug in the Estate’s code exposed the site’s backend database, which was not encrypted. The Estate’s database contains details of the site’s founder and members, as well as line-by-line logs of every attack since the site’s inception, including the phone numbers of victims targeted, when and by which member.
Vangelis Stykas, security researcher and chief technology officer at Atropos.ai, provided the Estate database to TechCrunch for analysis.
The support database provides a rare insight into how a one-time password interception function works. Services like Estate advertise their offerings under the guise of providing a seemingly legitimate service that allows security professionals to test resistance to social engineering attacks, but fall into a legal gray area by allowing their members to use these services for malicious attacks in cyberspace. In the past the authorities they have fired the operators similar sites dedicated to automating cyber attacks to provide their services to criminals.
The database contains logs of more than 93,000 attacks since Estate launched last year, targeting victims who have accounts with Amazon, Bank of America, CapitalOne, Chase, Coinbase, Instagram, Mastercard, PayPal, Venmo, Yahoo (which owns TechCrunch) and many others.
Some of the attacks also show attempts to steal phone numbers by carrying out SIM swapping attacks – one campaign was simply titled “ur get sim swapped mate” – and threatening to dox victims.
Estate’s founder, a Danish developer in his early 20s, told TechCrunch in an email last week, “I no longer operate the site.” The founder, despite efforts to hide the Estate’s online operations, misconfigured the Estate’s server which revealed its true location in a data center in the Netherlands.
Estate advertises itself as being able to “build custom OTP solutions that perfectly fit your needs” and explains that “our custom scripting option puts you in control.” Estate members enter the global telephone network by posing as legitimate users to gain access to upstream communication providers. One provider was Telnyx, whose CEO David Casem told TechCrunch that the company blocked Estate’s accounts and that an investigation was underway.
Although the Estate is careful not to use outwardly explicit language that could incite or encourage malicious cyberattacks, the database shows that the Estate is used almost exclusively for criminality.
“These types of services are the backbone of the criminal economy,” said Alison Nixon, lead researcher at Unit 221B, a cybersecurity firm known for investigating cybercrime groups. “They make slow tasks efficient. This means more people are receiving scams and threats in general. More seniors are losing their pensions to crime — compared to the days before these kinds of services existed.”
Estate has tried to keep a low profile by hiding its website from search engines and bringing in new members by word of mouth. According to its website, new members can only log into the Estate with a referral code from an existing member, which keeps the number of users low to avoid detection by the communication providers that the Estate relies on.
Once through the door, Estate provides members with tools to search for their would-be victims’ previously compromised account passwords, leaving one-time passwords as the only barrier to hacking targets’ accounts. Estate’s tools also allow members to use custom scripts containing instructions to trick targets into replacing one-time passwords.
Some attack scripts are instead designed to validate stolen credit card numbers by tricking the victim into handing over the security code on the back of their payment card.
According to the database, one of the largest Estate calling campaigns targeted older victims on the assumption that “Boomers” are more likely to receive an unsolicited phone call than younger generations. The campaign, which represented about a thousand phone calls, was based on a script that kept the cybercriminal informed of each attempted attack.
“The old f— replied!” flashed on the console when the victim answered the call and “Life support unplugged” would indicate when the attack was successful.
The database shows that Estate’s founder knows their clientele is largely criminals, and Estate has long promised privacy for its members.
“We do not record data or require personal information to use our services,” Estate’s website states, which precludes the authentication checks that upstream telcos and technology companies typically require before letting customers onto their networks.
But this is not strictly true. The Estate recorded every attack its members carried out in painstaking detail dating back to the site’s launch in mid-2023. And the site’s founder maintained access to server logs that provided a real-time window into what was happening on his server Estate at any time, including every call made by its members and every time a member loaded a page on the Estate website.
The database shows that the Estate also monitors the email addresses of prospective members. One of these users said they wanted to sign up for Estate because they recently “started buying ccs” – referring to credit cards – and believed that Estate was more reliable than buying a bot from an unknown seller. The user was later approved to become a member of the Estate, records show.
The exposed database shows that some members trusted the Estate’s promise of anonymity by leaving snippets of their own identifiable information — including email addresses and electronic handles — in the scripts they wrote and the attacks they carried out.
The Estate’s database also contains attack scripts from its members, which reveal the specific ways attackers exploit weaknesses in the way tech giants and banks implement security features, such as one-time passwords, to customer identity verification. TechCrunch is not detailing the scenarios, as doing so could help cybercriminals carry out attacks.
Veteran security reporter Brian Krebs, who previously reported for a one-time password feature in 2021he said these types of criminal enterprises make it clear why you should “never provide any information in response to an unsolicited phone call.”
“It doesn’t matter who claims to be calling: If you didn’t initiate contact, hang up,” Krebs wrote. This advice still holds true today.
However, while services that offer the use of one-time passwords still provide better security for users than services that do not, the ability of cybercriminals to bypass these defenses shows that tech companies, banks, wallets crypto and telcos have more work to do.
Unit 221B’s Nixon said companies are in a “perpetual battle” with bad actors who want to abuse their networks and that authorities should step up efforts to crack down on these services.
“The missing piece is that we need law enforcement to catch the criminals who make themselves such a nuisance,” Nixon said. “Young people are deliberately making a career out of it because they convince themselves it’s ‘just a platform’ and ‘not responsible for the crime’ facilitated by their work.”
“They hope to make easy money in the fraud economy. There are influencers that encourage unethical ways to make money online. Law enforcement must stop this.”
Read more at TechCrunch:
