Recently, cybercriminals have significantly improved the methods of their attacks, using complex schemes for intercepting disposable confirmation codes (OTP) to obtain access to bank accounts and digital wallets of victims.
The main tool for scammers was automated phone calls, where attackers, independently or using pre-designed robotic replicas, pretended to be the security service of well-known brands. They convinced users to provide a disposable SMS code under the guise of protecting their accounts from fraudulent actions.
Operation, known as Estate and launched in mid-2023, allowed hundreds of attackers daily to make thousands of automated calls and gain unauthorized access to many accounts by bypassing multifactor authentication (MFA).
The main targets of these attacks were bank accounts, credit cards, and online services such as Amazon, PayPal, and Coinbase, with most victims residing in the United States.
A breakthrough in the fight against this fraud was a recent mistake by Estate administrators, resulting in a leak of the service’s internal database. This leak revealed information about the individuals behind the fraudulent operation and provided detailed logs of the attacks.
An analysis of this leaked database has allowed security researchers to understand the mechanisms of disposal code operations and identify vulnerabilities in the systems of various large companies.
Despite being advertised as a pentorian service on the internet, like many other modern fraudulent tools, Estate made efforts to hide its website from search results and restricted access to invitation-only to avoid infiltration by law enforcement or outsiders.
Ellison Nixon from Unit 221b IB emphasized that such services make cybercrime easier, more efficient, and more accessible, calling for increased enforcement efforts to combat this trend.
She noted that online crime, including the use of services like Estate, has become a popular choice among young individuals seeking easy ways to make money. Law enforcement must work diligently to eliminate opportunities for these individuals seeking “easy profit.”
The best defense against such fraudulent schemes is to never provide personal information in response to unsolicited calls, regardless of who the caller claims to be. Increased vigilance is crucial in avoiding deception in the age of rapid digital technology advancements.