This article in brief:

Visa’s report shows that threat actors are using new technologies and techniques to carry out fraud schemes, especially in the area of transaction authentication.

Social engineering, phishing kits, and bots are often used to obtain one-time passwords (OTPs) from cardholders.

Threat actors are exploiting Token Bridge vulnerabilities to steal millions of dollars.

Visa, one of the world’s largest payment processors, has released a report on payment fraud disruptions over the past six months. The report shows that threat actors have been using new techniques and technologies to carry out fraud schemes, particularly in the area of transaction authentication.

The report also highlighted the vulnerability of token bridges to theft, which has become a major concern in the cryptocurrency community.

Visa’s findings

One of the biggest threats in the consumer space is the use of social engineering to obtain card data or take over accounts. In many cases, threat actors claim to be employees of the cardholder's bank and ask for sensitive information.

These schemes often result in the compromise of one-time passwords (OTPs), tokenized/single-use PANs, or sensitive user account data such as banking login credentials (username/password).

Threat actors also use custom phishing kits to bypass multi-factor authentication (MFA). These phishing kits use reverse proxies, allowing fraudsters to act as a man-in-the-middle (MitM) between legitimate consumers and legitimate websites.

This approach presents legitimate websites to consumers and operates as an invisible intermediary, which reduces consumer suspicion.

The actor can then collect any information the consumer enters into the website, including OTPs, usernames, passwords, and session cookies.

Threat actors exploit Token Bridge to steal millions of dollars

Visa’s report shows that token bridges have become a preferred target for thieves in 2022. The report identifies techniques such as social engineering, ad fraud, bots and phishing kits used to obtain OTPs from cardholders, malware targeting issuers to access and change customer contact details, and token fraud using social engineering.

The report also highlights an incident in late March 2022 in which an organization was attacked by threat actors who infected user endpoints with an unidentified malware variant.

The actor ultimately moved laterally within the victim's environment and exfiltrated the credentials of an administrative user of the mobile banking application portal.

This access was then used to edit specific customers' contact information, as well as increase limits on customer accounts. The changed information included the mobile device number, which enabled the threat actors to bypass one-time password (OTP) authentication as the OTP was sent to the new mobile device.

Actors took advantage of increased account limits and altered customer information to monetize illicit access through fraudulent fund transfers within a short period of time.
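The incident above combines three account-level events that are individually benign: a contact-number change, a limit increase, and an OTP sent to the new number shortly before a large transfer. The following issuer-side detection logic is an added example, not code from Visa or the report; the event format, field names and the seven-day lookback are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample of issuer-side account events; not taken from the Visa report.
# Fields: ISO timestamp, account id, event type, detail (new phone, OTP target, or amount).
EVENTS = [
    ("2022-03-28T09:00:00", "acct-001", "contact_change", "+15550001111"),
    ("2022-03-28T09:05:00", "acct-001", "limit_increase", "50000"),
    ("2022-03-28T09:20:00", "acct-001", "otp_sent", "+15550001111"),
    ("2022-03-28T09:21:00", "acct-001", "transfer", "45000"),
    ("2022-02-01T10:00:00", "acct-002", "contact_change", "+15550002222"),
    ("2022-03-28T11:00:00", "acct-002", "otp_sent", "+15550002222"),
    ("2022-03-28T11:01:00", "acct-002", "transfer", "200"),
]

def flag_redirected_otp_transfers(events, lookback=timedelta(days=7)):
    """Flag transfers whose OTP went to a phone number changed within `lookback`,
    and note whether a limit increase also fell inside that window.
    Returns a list of (account, amount, reasons)."""
    last_change = {}   # account -> (time of change, new phone number)
    last_limit = {}    # account -> time of last limit increase
    last_otp = {}      # account -> (time sent, phone the OTP went to)
    alerts = []
    for ts, acct, kind, detail in sorted(events):   # ISO timestamps sort correctly as strings
        t = datetime.fromisoformat(ts)
        if kind == "contact_change":
            last_change[acct] = (t, detail)
        elif kind == "limit_increase":
            last_limit[acct] = t
        elif kind == "otp_sent":
            last_otp[acct] = (t, detail)
        elif kind == "transfer":
            reasons = []
            change, otp = last_change.get(acct), last_otp.get(acct)
            # OTP delivered to a number that was changed recently: the redirect pattern.
            if change and otp and otp[1] == change[1] and t - change[0] <= lookback:
                reasons.append("otp_to_recently_changed_phone")
            # A limit increase in the same window raises the severity of that alert.
            if reasons and acct in last_limit and t - last_limit[acct] <= lookback:
                reasons.append("recent_limit_increase")
            if reasons:
                alerts.append((acct, int(detail), reasons))
    return alerts

if __name__ == "__main__":
    for alert in flag_redirected_otp_transfers(EVENTS):
        print(alert)
```

Only acct-001 is flagged: acct-002 changed its number weeks before the transfer, which is outside the lookback window and matches ordinary customer behaviour.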

Similar tactics, techniques, and procedures (TTPs) are frequently used by actors to conduct ATM cash-out attacks, deploy malware on victim issuer networks, access the cardholder data environment, and increase limits on a specific number of payment accounts.

The mule network then used these accounts to withdraw large amounts of cash from ATMs. Additionally, the threat actors used similar methods to take over customer accounts and change contact information, which enabled the threat actors to bypass OTP authentication during transactions.

Threat actors are using increasingly sophisticated methods to conduct fraudulent schemes, and the vulnerability of token bridges has become a major concern for the cryptocurrency community.