Skip to content

Telegram bots can now steal your one-time passwords

  • by
  • 2 min read

It has come to light that Telegram bots are now being used to steal one-time passwords most commonly used in two-factor authentication security methods. 

Researchers from Intel 471 reported that they’d seen an increase in the number of these services, with new methods coming up to bypass 2FA coming up in the past few months. Telegram bots are spearheading this growth.

A number of ‘services’ offering 2FA circumvention have been abusing Telegram since June. The app is being used to create and manage bots as well as sort of a customer support channel for cybercriminals using these services. 

In the News: Is Amazon’s Astro really the Astro we know?

Sending a different Telegram

These Telegram bots are being used to call potential victims, claiming to be a bank and lure them into handing over OTP codes. These phishing attempts work automatically and are working out well for cybercriminals; as the researchers pointed out by saying, “in these support channels, users often share their success while using the bot, often walking away with thousands of dollars from victim accounts.”

Creating a bot requires a basic level of programming skill, but it’s much easier than developing custom malware for a particular system. Not to mention much more versatile. Besides, much like traditional botnets, Telegram bots can be leased out, meaning once a victim’s phone number is submitted, an attack can be carried out in a few taps. There are other bots targetting users in phishing and SIM-swap attacks as well.

Researchers have pointed out two bots in particular — SMSRanger and BloodOTPbot. SMSRanger is quite similar to Slack’s collaboration platform and can carry out attacks on services like PayPal, ApplePay, GooglePay and even banks or carriers. BloodOTPbot, on the other hand, is an SMS based bot that can generate automatic calls impersonating bank staff. 

In the News: Games are coming to Netflix subscriptions soon


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: [email protected].