Three sentenced over OTP.Agency MFA fraud service
Three men have been sentenced at London’s Snaresbrook Crown Court after pleading guilty to a series of cyber crime offences relating to OTP.Agency, an underground ‘subscription’ service that enabled cyber criminals to buy access to victims’ online accounts, including personal bank accounts, to take them over, commit fraud and steal money.
Callum Picari, 23, of Hornchurch in Essex; Vijayasidehurshan Vijayanathan, 21, of Aylesbury in Buckinghamshire; and Aza Siddeeque, 19, of Milton Keynes in Buckinghamshire, enabled criminals to conduct social engineering attacks against their victims to trick them into disclosing personally identifiable information (PII).
This data included one-time passcodes (OTPs) designed to be used in legitimate multifactor authentication (MFA) challenges.
Cyber criminals and fraudsters could avail themselves of a tiered service plan via the OTP.Agency site. The basic package, sold for £30 a week, had access to a spoof call bot designed to fool victims; while the elite plan, which cost £380 a month, offered services such as a bespoke text-to-speech cool to create automated calls, and call scripts specifically written by the defendants.
During their investigation, National Crime Agency (NCA) officers recovered scripts used by criminals pretending to call from the likes of BT, HMRC, Mastercard, Sky, Virgin Media and Visa.
The NCA, which began its investigation in 2020 and believe that more than 12,500 members of the public may have been targeted with over 65,000 over the 18 months from September 2019 to March 2021. The precise amount of money it made has not yet been disclosed, but if the majority of users bought the top tier package, it could have run to millions of pounds.
“As this case shows, the NCA has the ability to disrupt and dismantle websites like www.OTP.Agency, which cause harm to the public, and bring those responsible to justice,” said Tim Court, senior manager at the NCA National Cyber Crime Unit.
“We would urge anyone using online banking services to be vigilant. Criminals can pretend to be a trusted person or company when they call, email or message you. If something seems suspicious or unexpected, such as requests for personal information, contact the organisation directly to check using details published on their official website.”
Craig Rice, CEO of the Cyber Defence Alliance, added: “This is another example of UK law enforcement’s determination to target criminal services which are industrialising fraud.
“The Cyber Defence Alliance were able to identify the impact of this service on UK financial services and support NCA investigators, leading to the disruption and arrest of those involved. Law enforcement working with industry makes for a formidable alliance that will disrupt criminal networks.”
Criminal network
Prior to its shutdown, the OTP.Agency service was owned and developed by Picari, who was also its main beneficiary. Picari advertised his operation on a 2,200-strong Telegram group, promising users “profit within minutes”.
Vijayanathan and Siqddeeque also undertook promotional activities, while Vijayanathan helped with admin duties and managed chat channel moderators, while Sidddeeque was engaged in technical support work.
Following their arrests, the trio were charged with conspiracy to make and supply articles for use in fraud, while Picari was additionally charged with money laundering offence. All three initially denied their involvement, but later changed their pleas.
Picari has now received a two-year-and-eight-month prison term, while his accomplices have been given 12-month community orders and made to pay costs of £760 each. They will also have to undertake 200 and 160 hours of community service respectively.
The NCA added that it has began recovery proceedings against Picari.
#sentenced #OTP.Agency #MFA #fraud #service