Singapore Banks to Phase Out OTPs for Online Logins Within 3 Months

Retail banking institutions in Singapore have been given three months to discontinue the use of one-time passwords (OTPs) for authentication when logging into online accounts, in an effort to reduce phishing attack risks.

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS) announced this decision on July 9, 2024.

“Customers who have activated their digital token on their mobile device will be required to use their digital tokens for bank account logins via the browser or the mobile banking app,” MAS stated. “The digital token will authenticate customers’ login without needing an OTP that scammers can steal or trick customers into disclosing.”

MAS is also urging customers to activate their digital tokens to safeguard against credential-stealing attacks that lead to financial fraud.

“This measure provides customers with further protection against unauthorized access to their bank accounts,” said Ong-Ang Ai Boon, director of ABS. “While it may cause some inconvenience, such measures are necessary to prevent scams and protect customers.”

Originally, OTPs were introduced as a second-factor authentication (2FA) method to enhance account security. However, cybercriminals have developed banking trojans, OTP bots, and phishing kits that can harvest these codes using lookalike sites.

OTP bots, available on Telegram for prices ranging from $100 to $420, take social engineering to a new level by calling users and convincing them to enter the 2FA code on their phones, thus bypassing account protections.

It is important to note that these bots mainly aim to steal the victim’s OTP code, requiring scammers to obtain valid credentials through other means such as data breaches, dark web datasets, and credential harvesting websites.

“The OTP bot’s main task is to call the victim. Scammers rely on calls because verification codes are only valid for a limited time,” explained Kaspersky threat researcher Olga Svistunova in a recent report.

“While a message may go unanswered for a while, a phone call increases the chances of obtaining the code. A phone call also provides an opportunity to influence the victim with the tone of voice.”

Last week, SlashNext revealed details of an “end-to-end” phishing toolkit called FishXProxy, which, although advertised for “educational purposes only,” lowers the technical barrier for aspiring threat actors to conduct large-scale phishing campaigns while evading defenses.

“FishXProxy equips cybercriminals with a formidable arsenal for multi-layered email phishing attacks,” the company noted. “Campaigns start with uniquely generated links or dynamic attachments, bypassing initial scrutiny.”

Victims then encounter advanced antibot systems using Cloudflare’s CAPTCHA, which filters out security tools. A clever redirection system obscures true destinations, while page expiration settings hinder analysis and aid campaign management.

Another significant feature of FishXProxy is a cookie-based tracking system that allows attackers to identify and track users across different phishing projects or campaigns. It can also create malicious file attachments using HTML smuggling techniques to evade detection.

“HTML smuggling effectively bypasses perimeter security controls such as email gateways and web proxies because it exploits legitimate features of HTML5 and JavaScript and uses different forms of encoding and encryption,” explained Cisco Talos.
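The smuggling pattern Talos describes (payload decoded and assembled in the browser rather than fetched as a file) leaves recognisable traces in the attachment itself. The following heuristic scanner is an added example written for this article, not code from Talos, SlashNext or FishXProxy; the indicator regexes, thresholds and both HTML samples are constructed assumptions for illustration.

```python
import re
import base64

# Heuristic markers of HTML smuggling: the page rebuilds a binary in the
# browser from encoded data instead of linking to a file a gateway can scan.
INDICATORS = {
    "atob_decode": re.compile(r"\batob\s*\(", re.I),
    "blob_constructor": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"createObjectURL\s*\(", re.I),
    "forced_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "legacy_save": re.compile(r"msSaveOrOpenBlob\s*\(", re.I),
    "binary_mime": re.compile(r"application/(octet-stream|zip)", re.I),
}
# A long base64 run (threshold chosen here: 512+ chars) is the embedded payload.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{512,}={0,2}")
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf"}

def payload_type(b64: str) -> str:
    """Decode only the first 48 bytes of the blob and classify by file magic."""
    head = base64.b64decode(b64[:64])
    for sig, name in MAGIC.items():
        if head.startswith(sig):
            return name
    return "unknown"

def scan_html(html: str) -> dict:
    """Return matched indicators, embedded payload types and a verdict."""
    indicators = [name for name, rx in INDICATORS.items() if rx.search(html)]
    payloads = [payload_type(b) for b in BASE64_RUN.findall(html)]
    # Flag only when an embedded blob AND at least two script markers coincide.
    suspicious = bool(payloads) and len(indicators) >= 2
    return {"indicators": indicators, "payloads": payloads,
            "verdict": "suspicious" if suspicious else "clean"}

# Constructed sample: a zip-like blob assembled client-side (not a real lure).
PAYLOAD_B64 = base64.b64encode(b"PK\x03\x04" + bytes(600)).decode()
SAMPLE_SMUGGLED = f"""<html><body><script>
var data = "{PAYLOAD_B64}";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "statement.zip"; a.click();
</script></body></html>"""
# Constructed benign sample: an ordinary link that a proxy can inspect.
SAMPLE_BENIGN = """<html><body><p>Your statement is ready.</p>
<a href="https://bank.example/statements/2024-07.pdf">Download</a></body></html>"""

if __name__ == "__main__":
    for label, doc in (("smuggled", SAMPLE_SMUGGLED), ("benign", SAMPLE_BENIGN)):
        print(label, scan_html(doc))
```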

Last month, cybersecurity firm Resecurity noted that cybercriminals are promoting a new phishing kit called V3B on Telegram and the dark web, capable of targeting customers of major banks in countries like Ireland, the Netherlands, Finland, Austria, Germany, France, Belgium, Greece, Luxembourg, and Italy.

“V3B phishing kit supports over 54 financial institutions with customized and localized templates to mimic authentication and verification processes of online banking and e-commerce systems in the EU,” Resecurity reported. “The phishing kit’s price ranges from $130 to $450 per month.”

The rise of mobile malware over the years has prompted Google to launch a new pilot program in Singapore aimed at preventing users from sideloading certain apps that abuse Android app permissions to read OTPs and gather sensitive data.
