As indicated by a CloudSEK report, this tactic has the potential to result in targeted disruptions of telecommunication services, leading to financial losses and damage to the reputation of affected brands.
In scenarios involving account takeovers, threat actors could engage in SMS spamming, leading to what’s known as “multi-factor authentication (MFA) fatigue” or “exhaustion” attacks, according to the cybersecurity company.
Dangers Posed to Users and Brands
CloudSEK’s AI-driven digital risk platform, XVigil, discovered numerous GitHub repositories containing references to Indian companies and their APIs. These APIs allow unlimited OTP SMS messages to be sent to any number, with no rate limiting or CAPTCHA protection. That gap lets automated tools exploit the APIs.
This method of attack can serve as a cover to obscure illegitimate login attempts made by threat actors seeking to gain access to users’ devices. Consequently, users might miss critical notifications during the attack. Additionally, due to the incessant demand for OTPs, a service might block a user’s account, denying them access.
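The missing control described above, rate limiting on the OTP-send endpoint, can be enforced server-side by throttling per destination number and per requesting client. The following is an added example, not code from CloudSEK or any affected company; the class name, thresholds, decision labels and sample requests are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque


class OtpSendLimiter:
    """Decide whether an OTP SMS may be sent. All thresholds are illustrative."""

    def __init__(self, cooldown=30, per_number=5, per_client=20,
                 window=3600, clock=time.monotonic):
        self.cooldown = cooldown      # min seconds between sends to one number
        self.per_number = per_number  # max sends to one number per window
        self.per_client = per_client  # max sends one client IP may trigger per window
        self.window = window          # sliding window length in seconds
        self.clock = clock
        self._by_number = defaultdict(deque)
        self._by_client = defaultdict(deque)

    def _recent(self, sends, now):
        # Drop timestamps that have aged out of the sliding window.
        while sends and now - sends[0] >= self.window:
            sends.popleft()
        return sends

    def check(self, phone, client_ip):
        """Return 'send', 'cooldown', 'number_limit' or 'client_limit'."""
        now = self.clock()
        num = self._recent(self._by_number[phone], now)
        cli = self._recent(self._by_client[client_ip], now)
        if len(cli) >= self.per_client:   # one client spraying many numbers
            return "client_limit"
        if len(num) >= self.per_number:   # one number hit from many clients
            return "number_limit"         # e.g. require a CAPTCHA before retrying
        if num and now - num[-1] < self.cooldown:
            return "cooldown"
        # Only the SMS send is throttled; the user's account is not locked.
        num.append(now)
        cli.append(now)
        return "send"


def simulate(requests, **limits):
    """Replay constructed (time, phone, client_ip) requests; return the decisions."""
    now = [0.0]
    limiter = OtpSendLimiter(clock=lambda: now[0], **limits)
    decisions = []
    for t, phone, ip in requests:
        now[0] = t
        decisions.append(limiter.check(phone, ip))
    return decisions
```

Keying the limit on the destination number as well as the client address matters because an automated tool can rotate source addresses while still targeting one phone.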
Hacking Methods Directed at Phone Numbers
CloudSEK revealed that SMS bombers are operated by users who supply a target phone number, or a list of numbers, to receive the messages. Hackers can source phone numbers from sales department representatives through “lead sellers” on dark web forums, LinkedIn, or Scribd, enabling them to execute targeted attacks.
The tool operates by continuously sending messages until a predetermined limit is reached or until the user manually terminates the operation. The influx of messages and calls can overwhelm the target device, potentially causing it to experience slowdowns, freezes, or even crashes.