Retail banking institutions in Singapore have three months to phase out the use of one-time passwords (OTPs) for authentication purposes when signing into online accounts to mitigate the risk of phishing attacks.
The decision was announced by the Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS) on July 9, 2024.
“Customers who have activated their digital token on their mobile device will have to use their digital tokens for bank account logins via the browser or the mobile banking app,” the MAS said.
“The digital token will authenticate customers’ login without the need for an OTP that scammers can steal, or trick customers into disclosing.”
The MAS is also urging customers to activate their digital tokens to safeguard against attacks that are designed to steal credentials and hijack their accounts for conducting financial fraud.
“This measure provides customers with further protection against unauthorized access to their bank accounts,” Ong-Ang Ai Boon, director of ABS, said in a statement. “While they may give rise to some inconvenience, such measures are necessary to help prevent scams and protect customers.”
While OTPs were originally introduced as a form of second-factor authentication (2FA) to bolster account security, cybercriminals have devised banking trojans, OTP bots, and phishing kits that are capable of harvesting such codes using lookalike sites.
OTP bots, accessible via Telegram and advertised for anywhere between $100 and $420, take social engineering to the next level by calling users and convincing them to enter the 2FA code on their phones to help bypass account protections.
It’s important to mention that such bots are mainly designed to plunder a victim’s OTP code, necessitating that scammers obtain valid credentials through other means such as data breaches, datasets available for sale on the dark web, and credential harvesting web pages.
“The OTP bot’s key task is to call the victim. It is calls that scammers count on, as verification codes are only valid for a limited time,” Kaspersky threat researcher Olga Svistunova said in a recent report.
“Whereas a message may stay unanswered for a while, calling the user increases the chances of getting the code. A phone call is also an opportunity to try and produce the desired effect on the victim with the tone of voice.”
Last week, SlashNext disclosed details of an “end-to-end” phishing toolkit dubbed FishXProxy that, while ostensibly meant for “educational purposes only,” lowers the technical bar for aspiring threat actors looking to mount phishing campaigns at scale while skirting defenses.
“FishXProxy equips cybercriminals with a formidable arsenal for multi-layered email phishing attacks,” the company noted. “Campaigns begin with uniquely generated links or dynamic attachments, bypassing initial scrutiny.”
“Victims then face advanced antibot systems using Cloudflare’s CAPTCHA, filtering out security tools. A clever redirection system obscures true destinations, while page expiration settings hinder analysis and aid campaign management.”
Another noteworthy addition to FishXProxy is the use of a cookie-based tracking system that allows attackers to identify and track users across different phishing projects or campaigns. It can also create malicious file attachments using HTML smuggling techniques that make it possible to evade sidestep detection.
“HTML smuggling is quite effective in bypassing perimeter security controls such as email gateways and web proxies for two main reasons: It abuses the legitimate features of HTML5 and JavaScript, and it leverages different forms of encoding and encryption,” Cisco Talos said.
The rise of mobile malware over the years has since also prompted Google to unveil a new pilot program in Singapore that aims to prevent users from sideloading certain apps that abuse Android app permissions to read OTPs and gather sensitive data.
