Threat Actors Exploiting OTP APIs For Large-Scale SMS Bombing Attacks: CloudSEK
India has 44 exposed APIs that can be used for sending large-scale OTP SMSes.

In a recently observed attack pattern, threat actors are building automated software programmes that abuse one-time password (OTP) generating endpoints to flood mobile devices with OTP messages, according to a research report by CloudSEK, a cyber threat prediction and prevention company.
The research found numerous GitHub repositories referencing global organisations and their application programming interfaces (APIs). These APIs lack rate limiting and captcha protection, allowing an unlimited number of OTP SMS messages to be sent to any phone number.
The report shows APIs exploited according to region, with India having 44 exposed APIs and a 34.9% share of the total exposed APIs. Russia has the most number of exposed APIs—81—with a 64.3% share. E-commerce/online shopping is the sector with the highest percentage of exposed APIs—36.7%—followed by finance/online payments (14.3%) and communication/messaging apps and education services (8.2% each).
The abuse of OTP APIs can lead to targeted outages of telecommunication services, the report says. A threat actor could also fire off a large volume of these messages during an account takeover attempt, producing a multi-factor authentication (MFA) fatigue or exhaustion attack.
Such attacks can cause operational disruption by making telecommunication services inaccessible. They also drive up the cost of maintaining the OTP-sending API, along with financial and reputational damage for the affected brands, CloudSEK said.
“This attack could be used as a veil to hide illegitimate login attempts made by the threat actors to gain access to the users' device. This also implies that while the attack is going on, the user may miss out on critical notifications. Further, due to the constant request of OTPs, a service might block your account and you might not be able to access it,” said Mudit Bansal, cyber threat researcher, CloudSEK.
How Does SMS Bombing Work?
The first step in an SMS bombing attack is gathering target phone numbers. The user of the SMS bomber supplies the phone number(s) to be bombarded, either entered manually or imported from a file.
While a prank on a friend might involve a single number, for larger targeted attacks threat actors can gather phone numbers from "lead sellers" on dark web forums or from platforms such as LinkedIn or Scribd. These numbers are then fed into the software, which launches the attack by sending repeated requests, in large volume, to the target APIs.
According to the CloudSEK report, numerous such tools are available online for free, since the primary cost burden falls on the brands that own the SMS-sending APIs. Easy access to these tools lets anyone launch a campaign with little effort. The tools are funded by the advertising served on their platforms.
What Is The Impact On The Target?
The target's device can become overwhelmed by the persistent barrage of calls and messages and eventually slow down, freeze or crash. Additionally, the target may continuously receive SMS notifications, making it next to impossible for them to utilise the device for other purposes.
This could result in "MFA fatigue" or "exhaustion" attacks, as in the 2022 breach of Uber's corporate network. In Uber's case, an employee was bombarded with MFA prompts for more than an hour before the attacker contacted them over WhatsApp with a message that looked like an official request from Uber. Told that accepting the MFA request would stop further prompts, the victim complied, reportedly leading to the breach of Uber's internal databases.
SMS bombing could also cause the receiver’s inbox to be chock-a-block with messages, preventing them from receiving new messages, some of which may be crucial.
Underlining the scale of such attacks, the CloudSEK report cited an example in which the sales operation of a targeted company shut down entirely because of the constant bombardment of SMSes and calls.
What Are The Mitigation Measures?
The report lays down measures that organisations and users can take to mitigate the potential consequences of automated SMS bombing campaigns.
For organisations, these include:
Rate Limiting And Throttling: Organisations can rate-limit and throttle API calls so that a single user or IP address cannot rapidly send a high number of requests; slowing the request volume blunts automated attacks. Limits should be keyed on the destination phone number as well as on the requesting IP address, since bombing tools rotate source addresses while hammering one number.
User Authentication And Authorisation: Users must be required to authenticate and receive permission before using the API. To make sure that only authorised users can access the API, OAuth tokens, API keys, or other means of authentication can be deployed.
Captcha And Human Verification: Organisations should employ captcha challenges or other human verification methods for actions that require transmitting messages. This reduces the likelihood of automated bots misusing the services.
Abuse Detection And Blocking: Deploy algorithms that identify patterns of abuse, such as a rapid increase in requests from one source or to one number. Unusual activity should be flagged or blocked automatically, and administrators alerted.
Monitoring And Analytics: Implement monitoring and analytics tools that track API usage patterns; these help spot unusual behaviour and act against potential attacks in real time.
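A concrete way to implement the rate-limiting and abuse-detection measures above, as an added example that is not CloudSEK's code nor any vendor's API: a sliding-window limiter for an OTP-sending endpoint that budgets both the destination number and the requesting source, plus a burst detector run over request-log lines. The phone numbers, IP addresses, limit values and log format are constructed for illustration.

```python
# Added example (not CloudSEK's code, nor any vendor's API): a sliding-window
# rate limiter for an OTP-sending endpoint, keyed on BOTH the destination
# phone number and the requesting source, plus a burst detector that runs
# over constructed request-log lines. Phone numbers, IPs, limit values and
# the log format are made up for illustration.
import time
from collections import defaultdict, deque


class OtpRateLimiter:
    """Per-number and per-source sliding-window limits for OTP sends.

    A limit on the source IP alone is not enough: bombing tools rotate
    source addresses (or proxy through many) while hammering one number,
    so the destination number gets its own, tighter budget.
    """

    def __init__(self, per_number=3, per_source=20, window_s=600):
        self.per_number = per_number   # OTPs one number may receive per window
        self.per_source = per_source   # requests one source may make per window
        self.window_s = window_s
        self._hits = defaultdict(deque)  # (kind, key) -> timestamps of sends

    def _recent(self, key, now):
        """Drop timestamps older than the window and return what is left."""
        q = self._hits[key]
        while q and now - q[0] > self.window_s:
            q.popleft()
        return len(q)

    def allow(self, phone, source_ip, now=None):
        """Return (allowed, reason). Only allowed sends are recorded, so a
        denied request does not extend the lockout further."""
        now = time.time() if now is None else now
        if self._recent(("number", phone), now) >= self.per_number:
            return False, "per-number limit"
        if self._recent(("source", source_ip), now) >= self.per_source:
            return False, "per-source limit"
        self._hits[("number", phone)].append(now)
        self._hits[("source", source_ip)].append(now)
        return True, "ok"


def detect_bursts(log_lines, threshold=5, window_s=60):
    """Flag numbers or sources with more than `threshold` successful sends
    inside any `window_s` interval.

    Constructed log format for this example (one line per request):
        '<epoch_seconds> <source_ip> <destination_number> <sent|denied>'
    Returns a sorted list of ('number' | 'source', key) pairs.
    """
    events = defaultdict(list)
    for line in log_lines:
        ts, src, num, result = line.split()
        if result != "sent":          # denied requests already hit a limit
            continue
        events[("source", src)].append(float(ts))
        events[("number", num)].append(float(ts))

    flagged = []
    for key, stamps in events.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window_s:
                start += 1            # slide the window forward
            if end - start + 1 > threshold:
                flagged.append(key)
                break
    return sorted(flagged)


def simulate_rotating_ip_flood(attempts=10):
    """Model a bomber that rotates its source IP on every request against a
    single target number. Returns how many OTPs the limiter actually let out."""
    limiter = OtpRateLimiter(per_number=3, per_source=20, window_s=600)
    sent = 0
    for i in range(attempts):
        ok, _ = limiter.allow("+919999900000", f"198.51.100.{i}", now=float(i))
        sent += ok
    return sent


# Constructed sample log: eight sends to one number from eight different
# IPs within seven seconds (a bombing burst) and two normal sends.
SAMPLE_LOG = [
    f"{100 + i} 203.0.113.{i} +919876543210 sent" for i in range(8)
] + [
    "150 192.0.2.10 +919812345678 sent",
    "400 192.0.2.11 +919812345678 sent",
]

if __name__ == "__main__":
    print("OTPs sent despite IP rotation:", simulate_rotating_ip_flood())
    print("burst detection:", detect_bursts(SAMPLE_LOG))
```

Note that a per-source limit by itself lets the rotating-IP flood through in full; the per-number budget is what stops it, and the burst detector catches the same pattern after the fact by looking at sends per destination number rather than per source.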
For users, mitigation measures include:
Ask the operators of SMS-bomber tools to add your phone number to their protected list.
Activate the Do Not Disturb (DND) feature on your phone number through your telecom provider.