Numerous Payoneer users in Argentina report waking up to find that their 2FA-protected accounts were hacked and funds stolen after receiving SMS OTP codes while they were sleeping.
Payoneer is a financial services platform providing online money transfer and digital payment services.
The users report that right before this happened, they received an SMS requesting approval for a password reset on Payoneer, which they did not grant.
Local journalists have been interviewing victims and tracking the hacks and discovered that most affected users were customers of the mobile service providers Movistar and Tuenti, with the majority using Movistar.
This has raised suspicions that a recent Movistar data leak may be behind the account hacks, but the data leak did not expose users' email addresses, which are required to reset passwords on Payoneer accounts.
Another theory is that the SMS provider used to deliver OTP codes was breached, allowing the threat actors to access codes sent by Payoneer.
An official statement from Movistar shared by journalist Julio Ernesto Lopez does not address this theory, simply stating that the telecom provider is not responsible for messages sent through its network.
Payoneer has not provided specific answers about the attack yet but acknowledged the issue and mentioned it is working with authorities to address the fraud, which it believes is the result of phishing.
Tech reporter Juan Brodersen received a statement from Payoneer that puts the blame on the users, alleging that they clicked on the URLs in the SMS phishing texts and then entered their login details on phishing pages.
Many affected by the account hacks state that they did not click on phishing links, accusing Payoneer of attempting to deflect responsibility and failing to acknowledge a potential error or vulnerability within the platform.
Lopez told BleepingComputer that Payoneer requires a new SMS OTP code to be entered when you add a new destination address and then again when you wire money.
If this was a phishing attack stealing OTP codes for the password reset, the threat actors should not have had access to later OTP codes required for these transactions.
While the hacks could be enabled by a 2FA bypass bug, like the one seen last year with Comcast, such a bug would likely affect users in other countries as well, not only Argentina.
A significant weakness in Payoneer's system is its reliance on SMS-based 2FA, further compounded by the platform's password recovery process, which only requires an SMS code.
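A defensive check that the sequence above suggests, as an added example that is not Payoneer's code: a rule over a constructed account event log that flags a password reset followed within a short window by an OTP-approved new destination and a withdrawal, the exact chain the affected users describe. The event format, account ids and timestamps are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample event log (not real Payoneer data).
# Each event: (ISO timestamp, account id, event type, OTP verified?)
EVENTS = [
    ("2024-01-19T03:02:10", "acct-1", "password_reset", True),
    ("2024-01-19T03:05:40", "acct-1", "add_destination", True),
    ("2024-01-19T03:09:05", "acct-1", "withdrawal", True),
    ("2024-01-19T11:00:00", "acct-2", "password_reset", True),
    ("2024-01-19T15:30:00", "acct-2", "withdrawal", True),   # outside window
    ("2024-01-19T02:45:00", "acct-3", "add_destination", True),
    ("2024-01-19T02:50:00", "acct-3", "withdrawal", True),   # no reset first
]


def flag_reset_to_withdrawal(events, window=timedelta(hours=1)):
    """Return account ids where a password reset is followed within `window`
    by both a new destination and a withdrawal, each OTP-approved.
    Such an account should be held for step-up verification rather than
    relying on the SMS codes that were all accepted along the way."""
    by_acct = {}
    for ts, acct, kind, otp_ok in events:
        by_acct.setdefault(acct, []).append((datetime.fromisoformat(ts), kind, otp_ok))

    flagged = set()
    for acct, evs in by_acct.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, kind, _) in enumerate(evs):
            if kind != "password_reset":
                continue
            # Event types that follow the reset inside the window and passed OTP.
            later = {k for t, k, ok in evs[i + 1:] if t - t0 <= window and ok}
            if {"add_destination", "withdrawal"} <= later:
                flagged.add(acct)
    return flagged


if __name__ == "__main__":
    print(sorted(flag_reset_to_withdrawal(EVENTS)))  # ['acct-1']
```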
BleepingComputer has contacted Payoneer with a request for a comment on the above, the status of their investigation, and whether they plan to offer restitution in the case that a weakness in its system is discovered to be the source of the hacks, but we have not heard back yet.
Until the situation clears up on who's to blame and what exactly happened, Payoneer users in Argentina are advised to withdraw funds from their accounts or disable SMS-based 2FA and reset their account password.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 19 Jan 2024 20:30:31 +0000