Unveiling the OTP-Based Hacking on Users and Brands

In recent times, reports from leading research firms have highlighted a concerning trend in the realm of cybersecurity. Hackers are now employing highly sophisticated tactics to target individuals and businesses. A notable incident involves the creation of automated software programs that leverage one-time password (OTP) verification APIs to inundate mobile devices with an excessive barrage of OTP SMS messages.

As reported by CloudSEK, this novel approach carries the potential to trigger targeted disruptions in telecommunications services, resulting in significant financial losses and reputational damage to the impacted brands. One alarming outcome of this activity is the emergence of what experts term “multi-factor authentication (MFA) fatigue” or “exhaustion” attacks.

CloudSEK’s contextual AI digital risk platform, XVigil, has unveiled the existence of numerous GitHub repositories containing references to Indian companies and their associated APIs. These APIs have inadvertently paved the way for cybercriminals to flood any given phone number with unlimited OTP SMSes, without any hindrance from rate limiting or CAPTCHA safeguards.

This exploitation has the potential to mask unauthorized login attempts by threat actors seeking access to users’ devices. Additionally, users may miss out on crucial notifications during these attacks, and prolonged requests for OTPs might lead to service account blocks.

Mudit Bansal, a distinguished Cyber Threat Researcher at CloudSEK, emphasized, “Due to the incessant demand for OTPs, a service could potentially block your account, thereby denying access to vital accounts.”

CloudSEK further elaborated on the mechanics of these attacks. Hackers utilize an SMS bomber tool, wherein they input the target phone number(s) or a list thereof. This information can be gleaned from “lead sellers” operating within the shadowy corners of the dark web, or even from seemingly innocuous platforms like LinkedIn or Scribd. This data is then used to orchestrate a meticulously planned attack.

The SMS bomber tool relentlessly dispatches messages until either a predetermined limit is reached or until the operator decides to terminate the operation manually. The inundation of messages and calls can overwhelm the target device, causing it to experience a slowdown, freeze, or even a complete crash.
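The gap CloudSEK describes, OTP-send APIs with no rate limiting or CAPTCHA, is closed on the server by throttling on the destination number and not only on the caller. The sketch below is an added example, not code from CloudSEK or any affected company; the class name, the limits and the in-memory storage are assumptions, and the phone number and IP addresses are constructed.

```python
import time
from collections import defaultdict, deque


class OtpSendThrottle:
    """Sliding-window limiter for an OTP-send endpoint (hypothetical helper).

    Limits are keyed on the destination number as well as the client, so
    rotating source IPs does not lift the cap on one victim's phone.
    """

    def __init__(self, per_number=3, per_client=10, window=600,
                 cooldown=30, clock=time.monotonic):
        self.per_number = per_number    # sends per number per window
        self.per_client = per_client    # sends per client IP per window
        self.window = window            # window length, seconds
        self.cooldown = cooldown        # minimum gap between sends to a number
        self.clock = clock              # injectable so tests can control time
        self.by_number = defaultdict(deque)
        self.by_client = defaultdict(deque)

    def _recent(self, q, now):
        # Drop timestamps that have aged out of the window.
        while q and q[0] <= now - self.window:
            q.popleft()
        return q

    def allow(self, phone, client_ip):
        """Return (allowed, reason); only accepted sends are recorded."""
        now = self.clock()
        num_q = self._recent(self.by_number[phone], now)
        cli_q = self._recent(self.by_client[client_ip], now)
        if num_q and now - num_q[-1] < self.cooldown:
            return False, "cooldown"
        if len(num_q) >= self.per_number:
            return False, "number_limit"   # candidate point to require a CAPTCHA
        if len(cli_q) >= self.per_client:
            return False, "client_limit"
        num_q.append(now)
        cli_q.append(now)
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample: one number requested from rotating documentation-range IPs.
    throttle = OtpSendThrottle()
    for i in range(5):
        print(throttle.allow("+910000000001", f"198.51.100.{i}"))
```

With more than one application instance, the counters would need to live in a shared store with expiry rather than in process memory.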
