Cyber security news for all


    Singaporean Financial Institutions to Abandon OTPs for Digital Logins Within 90 Days

    Singapore’s retail banks are slated to abolish one-time passwords (OTPs) for digital authentication in a span of ninety days, aiming to curtail phishing perils.

    The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS) proclaimed this mandate on July 9, 2024.

    “Patrons who have enabled their digital token on their handheld device will henceforth utilize these tokens for account access through browsers or mobile banking applications,” MAS articulated.

    “The digital token will authenticate customer logins, negating the need for an OTP that malefactors could purloin or deceive clients into revealing.”

    MAS also advocates for customers to activate their digital tokens to fortify against assaults devised to pilfer credentials and commandeer accounts for fraudulent financial undertakings.

    “This stratagem affords customers augmented safeguarding against unsanctioned account access,” declared Ong-Ang Ai Boon, ABS’s director. “Though it might engender some inconvenience, such measures are imperative to thwart scams and shield customers.”

    Initially, OTPs served as an additional layer of security through two-factor authentication (2FA). However, cyber miscreants have concocted banking trojans, OTP bots, and phishing kits capable of capturing these codes through deceptive sites.

    OTP bots, obtainable via Telegram and priced between $100 and $420, elevate social engineering by phoning users and coaxing them to input the 2FA code on their devices, facilitating the circumvention of account defenses.

    It is paramount to note that such bots aim only to seize a victim’s OTP code; scammers must first obtain valid credentials by other avenues, such as data breaches, dark web datasets, and credential-stealing webpages.

    “The OTP bot’s principal function is to call the victim. Scammers rely on calls since verification codes are ephemeral,” remarked Kaspersky threat researcher Olga Svistunova in a recent exposition.

    “While a message might remain unanswered, a call heightens the probability of code retrieval. A phone call also provides an opportunity to influence the victim using vocal intonations.”

    Last week, SlashNext divulged details about an “end-to-end” phishing toolkit, FishXProxy, which, although ostensibly for “educational purposes only,” lowers the technical hurdles for neophyte threat actors aiming to execute phishing campaigns at scale while eluding defenses.

    “FishXProxy arms cyber malefactors with a potent arsenal for layered email phishing assaults,” the company asserted. “Campaigns commence with uniquely generated links or dynamic attachments, evading initial scrutiny.”

    “Victims subsequently encounter sophisticated antibot systems employing Cloudflare’s CAPTCHA, filtering out security mechanisms. An ingenious redirection system cloaks true destinations, while page expiration settings impede analysis and facilitate campaign management.”

    Another significant feature of FishXProxy is a cookie-based tracking system that enables attackers to pinpoint and monitor users across diverse phishing projects or campaigns. It can also fabricate nefarious file attachments utilizing HTML smuggling techniques, facilitating detection evasion.

    “HTML smuggling is notably effective in circumventing perimeter security controls like email gateways and web proxies for two main reasons: It exploits the legitimate features of HTML5 and JavaScript, and it leverages various forms of encoding and encryption,” noted Cisco Talos.
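    As an added example, not code from the article, Cisco Talos or SlashNext, the following defender-side heuristic scans an HTML email attachment for the HTML5/JavaScript decode-and-assemble primitives the quote refers to; the indicator list, the scoring threshold and the two sample documents are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Heuristic indicators of a file being decoded and assembled client-side. The list and
# thresholds are this example's assumptions, not a Cisco Talos or SlashNext signature set.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_assembly": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "legacy_save": re.compile(r"msSaveOrOpenBlob"),
    "download_attr": re.compile(r"\.download\s*="),
    "large_b64_literal": re.compile(r"[\"'][A-Za-z0-9+/]{200,}={0,2}[\"']"),
}

class _ScriptCollector(HTMLParser):
    """Gather inline <script> bodies and count HTML download= attributes."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts, self.download_attrs = False, [], 0
    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
        self.download_attrs += sum(1 for name, _ in attrs if name == "download")
    def handle_endtag(self, tag):
        if tag == "script": self.in_script = False
    def handle_data(self, data):
        if self.in_script: self.scripts.append(data)

def scan_html(doc: str) -> dict:
    """Return the indicator names found in one HTML attachment and a verdict."""
    p = _ScriptCollector()
    p.feed(doc)
    js = "\n".join(p.scripts)
    hits = {name for name, rx in INDICATORS.items() if rx.search(js)}
    if p.download_attrs:
        hits.add("download_attr")
    # A browser-built file needs decoding, a Blob and a hand-off; require the Blob plus two more indicators.
    verdict = "suspicious" if "blob_assembly" in hits and len(hits) >= 3 else "benign"
    return {"indicators": sorted(hits), "verdict": verdict}

# Constructed samples, not real attachments: an "invoice" page that decodes a harmless
# base64 string into a downloadable file, and a plain newsletter page.
SMUGGLING_SAMPLE = """<html><body><p>Your invoice is loading...</p><script>
var enc = "SGVsbG8sIHRoaXMgaXMgYSBoYXJtbGVzcyBzYW1wbGUu";
var bytes = Uint8Array.from(atob(enc), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a"); a.href = URL.createObjectURL(blob); a.download = "invoice.pdf";
</script></body></html>"""
BENIGN_SAMPLE = """<html><body><p>Weekly newsletter</p><span id="year"></span><script>
document.getElementById("year").textContent = new Date().getFullYear();
</script></body></html>"""
```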

    The proliferation of mobile malware has also prompted Google to launch a pilot program in Singapore aimed at preventing users from sideloading certain apps that misuse Android app permissions to read OTPs and amass sensitive information.
