These Properties Might Help Intercept OTPs | WhoisXML API

Threat Reports

Are Threat Actors Intercepting Your OTPs? These Cyber Resources Might Be Helping Them

A recently discovered banking Trojan1 that can restart its malicious routine was delivered using two cybersquatting domains targeting BBVA, a Spanish multinational financial services firm. The malware is aptly named “Revive” and can intercept one-time passwords (OTPs) and all other messages received on the infected device.

WhoisXML API researchers dissected and expanded the list of indicators of compromise (IoCs) in an effort to uncover more possible malware vehicles. Below are some of our findings.

  • We discovered 3,300+ cyber resources that contained the text strings used in the IoCs (i.e., “bbva,” “2fa + app,” “2fa + secure,” and “app + secure”).
  • Only 18% of these properties actively resolved to IP addresses.
  • About 7% of the cyber resources have already been flagged as malicious, most of which contained the string “bbva.”
  • While most of the live properties were parked or hosted 404 pages, 6% led to login pages.

Download a sample of the threat research materials now, or contact us to access the complete set of research materials.

---

  • [1] https://www.cleafy.com/cleafy-labs/revive-from-spyware-to-android-banking-trojan
Try our WhoisXML API for free
Get started