Retail banking institutions in Singapore have three months to phase out the use of one-time passwords (OTPs) for authentication purposes when logging into online accounts to reduce the risk of phishing attacks.
The Monetary Authority of Singapore (MAS) and the Association of Banks of Singapore (ABS) announced the decision on 9 July 2024.
“Customers who have activated their digital token on their mobile device will need to use their digital tokens to log into their bank accounts via a browser or mobile banking app,” MAS said.
“The digital token will authenticate customers’ logins without the need for a one-time password that fraudsters can steal or force customers to reveal.”
MAS also urges customers to activate their digital tokens to guard against attacks aimed at stealing credentials and hijacking their accounts to commit financial fraud.
“This measure provides customers with additional protection against unauthorized access to their bank accounts,” ABS director Ong-Ang Ai Boon said in a statement. “Although they may cause some inconvenience, such measures are necessary to prevent fraud and protect customers.”
While one-time passwords were originally introduced as a form of second-factor authentication (2FA) to increase account security, cybercriminals have developed banking trojans, OTP bots and phishing kits that can harvest such codes using lookalike sites.
Available through Telegram and advertised for between $100 and $420, the OTP bots take social engineering to the next level by calling users and convincing them to enter a 2FA code on their phones to bypass account protection.
It is important to note that such bots are mainly designed to steal the victim’s OTP code, which requires fraudsters to obtain valid credentials through other means such as data leaks, datasets available for sale on the dark web, and credential harvesting web pages.
“The main task of the OTP bot is to call the victim. Fraudsters rely on calls, because verification codes are only valid for a limited time,” Kaspersky threat researcher Olga Svistunova said in a recent report.
“While the message may go unanswered for a while, calling the user increases the chances of receiving the code. The phone call is also an opportunity to try to produce the desired effect on the victim with the tone of voice.”
Last week, SlashNext revealed the details of an “end-to-end” phishing toolkit called FishXProxy which, although purportedly intended “for educational purposes only”, lowers the technical bar for novice threat actors looking to mount large-scale phishing campaigns that bypass protections.
“FishXProxy gives cybercriminals a huge arsenal for multi-layered email phishing attacks,” the company noted. “Campaigns start with uniquely crafted links or dynamic attachments, bypassing initial verification.”
“Victims then encounter advanced anti-bot systems that use Cloudflare’s CAPTCHA, filtering out security tools. A smart redirect system hides true destinations, while page expiration settings prevent analytics and help with campaign management.”
Another noteworthy addition to FishXProxy is a cookie-based tracking system that allows attackers to identify and track users across different phishing projects or campaigns. It can also create malicious file attachments using HTML smuggling techniques to sidestep detection.
“HTML smuggling is quite effective at bypassing perimeter security elements such as email gateways and web proxies for two main reasons: it abuses legitimate HTML5 and JavaScript features, and it uses various forms of encoding and encryption,” Cisco Talos said.
The rise in mobile malware over the years has also prompted Google to announce a new pilot program in Singapore that aims to prevent users from installing certain apps that abuse Android app permissions to read OTPs and collect sensitive data.