What is SMS/OTP Bombing and how to prevent it

Vaibhav Jayant
4 min read · Aug 12, 2020


Recently I experienced an OTP/SMS bombing prank. The person was using some apps/websites to bomb me with OTP messages from different vendors. I am attaching screenshots of these messages. I received around 15–20 OTP messages within 1 minute.

Screenshots of the SMS received on my phone and my friend's phone

What are the apps/websites that people use for these pranks?

After receiving these messages I searched on Google and gathered some information. Basically, people's first preference is to use an app or a website for this. If you google "SMS Bomb prank", the very first app you will get is BOMBITUP (https://www.bombitup.net/). It is a very famous app among college students for pranking their friends. This app is not available on the AppStore, so you have to install it from the APK provided on their website. Downloading such APKs from a third-party source is very dangerous, as they can contain rootkits.

(If you want to try it for educational purposes, use an online Android emulator or Android Studio's emulator.)

Bombitup’s main screen

Another way a person can prank you is by using the website SMS BOMBER.

Screenshot of the website

How can we prevent it?

Both the website and the Android app listed above maintain a protection list. If your number is on that list, nobody can perform this attack on your number through that tool. Note that the protection duration differs between the two lists: one lasts 3 weeks, the other is permanent.

Still getting these SMS/OTP bombs even after protecting your number?

If you are still getting these SMS even after adding your number to the protection list, it might be because the person is using a script that calls the OTP API a company uses for login directly. In these cases it is quite difficult to get rid of the messages. If a person is using the script technique, it might be because they want to take revenge on you. This can count as cyberbullying, and you can report it to the cyber cell. (I am not a LAW student, so I do not know a lot about the punishment and other details.)

But it is quite difficult to find the culprit. Besides reporting to the cyber cell, you can report to the companies that their OTP APIs are not secure enough, since someone from outside is accessing them. The company will change the API and the attacker will lose access to it.

Technical things involved in an SMS BOMB

(This is only for educational purposes; it becomes cyberbullying if used for the wrong purposes.)

Every company uses its own API to send OTPs for login, forgot-password flows and similar purposes. Many companies do not look into the security aspects of these APIs, and as a result people find a way to access them. The apps and websites I listed above use these APIs: their scripts make a GET/POST request to the endpoint, which results in an OTP SMS being sent.

A working example (only for educational purposes)

There is an unsecured API at the following link:

https://securedapi.confirmtkt.com/api/platform/register?mobileNumber=<mobile number>

Replace <mobile number> with your own mobile number and it will send an OTP SMS to your number.

This example was working when I was writing this blog; it may not work in the future.

Can we get caught while doing this?

Yes!!!! Well, it is quite difficult to catch anyone doing this on your own, but if the police get involved and have a court order, the company will have to share the IP addresses of those who accessed their API, and the timings of the messages can then be matched against the API requests. Your activity logs will also be shared by your ISP (Internet Service Provider). So if you are doing SMS bombing with bad intentions, you can face some serious consequences.

I tried sending mails to the company; you can see the response below.

Reply of Grofers on this issue

In their response they say that the API is rate limited, i.e. only a fixed number of API calls can be made from each IP address.
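A per-IP cap is necessary but not sufficient: a script can spread its requests across many source addresses while still aiming them all at one victim number, so the limit that actually protects the victim is a cap per destination number. The limiter below is an added example (not code from this post, from Grofers, or from any vendor named here) that enforces both keys and simulates a burst against one number; the IP addresses and the victim number are constructed placeholders.

```python
from collections import defaultdict, deque

class OtpRateLimiter:
    """Sliding-window limiter keyed on caller IP *and* destination number; a limit is (max_requests, window_seconds), None disables that key."""
    def __init__(self, per_ip=(20, 60), per_number=(3, 600)):
        self.per_ip, self.per_number = per_ip, per_number
        self._ip_hits = defaultdict(deque)
        self._number_hits = defaultdict(deque)

    @staticmethod
    def _live(hits, window, now):
        while hits and now - hits[0] >= window:   # age out old timestamps in place
            hits.popleft()
        return hits

    def allow_otp(self, ip, number, now):
        """now: seconds (e.g. time.monotonic()). Returns "ok", "number_limit"
        or "ip_limit"; only "ok" should actually send an SMS."""
        checks = ((self.per_number, self._number_hits[number], "number_limit"),
                  (self.per_ip, self._ip_hits[ip], "ip_limit"))
        passed = []
        for limit, hits, verdict in checks:
            if limit is None:
                continue
            if len(self._live(hits, limit[1], now)) >= limit[0]:
                return verdict
            passed.append(hits)
        for hits in passed:            # record the hit only once every check passed
            hits.append(now)
        return "ok"

def simulate_bombing(limiter, victim, attacker_ips, requests_per_ip):
    """Constructed attack model: each IP fires a 10 req/s burst at one victim.
    Returns how many OTP SMS the victim's phone would actually receive."""
    sent, t = 0, 0.0
    for ip in attacker_ips:
        for _ in range(requests_per_ip):
            t += 0.1
            sent += limiter.allow_otp(ip, victim, now=t) == "ok"
    return sent

# Constructed sample: five source IPs (RFC 5737 range) and a placeholder number.
VICTIM = "+91-0000-000000"
ATTACKERS = [f"198.51.100.{i}" for i in range(1, 6)]

if __name__ == "__main__":
    ip_only = OtpRateLimiter(per_ip=(20, 60), per_number=None)
    both = OtpRateLimiter(per_ip=(20, 60), per_number=(3, 600))
    print("per-IP only:", simulate_bombing(ip_only, VICTIM, ATTACKERS, 30))  # 100
    print("IP + number:", simulate_bombing(both, VICTIM, ATTACKERS, 30))     # 3
```

With the per-IP-only policy the victim still receives 100 messages from five addresses; adding the per-number cap holds it to 3 regardless of how many addresses the script uses.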
