Three men have pleaded guilty to running a website which helped cybercriminals hijack victims’ bank accounts, even though they were protected with multi-factor authentication (MFA).
OTP Agency was run by: Callum Picari, 22, from Hornchurch, Essex; Vijayasidhurshan Vijayanathan, 21, from Aylesbury, Buckinghamshire; and Aza Siddeeque, 19, from Milton Keynes, Buckinghamshire.
Criminals enrolling in the site were charged a monthly subscription fee: £30 for a “basic” package enabling MFA bypass on banking sites such as HSBC, Monzo and Lloyds, and an “elite” plan costing £380 for access to Visa and Mastercard verification sites. The National Crime Agency (NCA) clarified to Infosecurity that no Visa/Mastercard systems were actually compromised as a result.
According to an NCA video, OTP Agency would make automated calls to victims impersonating a banking employee, asking them to reveal their one-time password (OTP).
The caller ID would apparently be disguised to add legitimacy to the call.
Read more on MFA bypass: MFA Bypass Kits Account For One Million Monthly Messages
Over 12,500 People Targeted
The NCA began investigating the website in June 2020 and believes over 12,500 members of the public were targeted between September 2019 and March 2021, when it was shut down.
The agency claimed that the trio made at least £30,000 from their efforts, if criminal subscribers bought the basic package, rising to a possible £7.9m if they had gone for the elite plan.
Siddeeque promoted the website and provided technical support, while Picari was its main owner and developer, and promoted it on a Telegram group which had around 2200 members, the NCA claimed.
The three were charged with conspiracy to make and supply articles for use in fraud, with Picari also charged with money laundering. They will be sentenced at Snaresbrook Crown Court on November 2 2024.
Anna Smith, operations manager from the NCA’s National Cyber Crime Unit, urged online banking customers to remain vigilant.
“Criminals may pretend to be a trusted person or company when they call, email or message you,” she added. “If something seems suspicious or unexpected, such as requests for personal information, contact the organization directly to check using details published on their official website.”
Phishing kits are now even more sophisticated, enabling cybercriminals to bypass MFA even on authentication apps, according to researchers.