CloudSEK researchers have found that threat actors have developed automated software programs that exploit OTP (One-Time Password) verification APIs to flood mobile devices with excessive OTP SMS messages.
These rogue scripts, when unleashed, hold the potential to cause targeted outages of telecommunication services, leading to financial and reputational damage for affected brands. The situation raises alarm about the potential for ” Multi-factor authentication (MFA) fatigue” or “exhaustion” attacks in scenarios of account takeover.
Rising Threat Landscape
CloudSEK’s contextual AI digital risk platform, XVigil, has uncovered multiple GitHub repositories containing references to global companies and their APIs. These APIs allow unlimited OTP SMS messages to be sent to any number, lacking rate limiting or captcha protection. This vulnerability has led to the abuse of these APIs by automated tools, resulting in increased API costs, legal repercussions, and reputational damage to affected brands.
Attack Chain Analysis
The attack follows a distinct chain of events:
· Collecting Target Phone Numbers: Threat actors input target phone numbers manually or import lists of numbers from files, with motivation varying from pranks to dedicated attacks.
· Continuous Operation: The software sends messages relentlessly until a preset limit is reached or manually stopped, inundating the target’s device with messages and calls.
· Impact on the Target: The continuous influx of messages and calls overwhelms the target device, potentially causing slowdowns, freezes, crashes, and significant disruption to normal device usage. This overload could also lead to “MFA fatigue” or “exhaustion” attacks, hampering the target’s ability to respond to genuine OTP requests.
“This attack could be used as a veil to hide illegitimate login attempts made by the threat actors to gain access to the users’ device. This also implies that while the attack is going on the user may miss out on critical notifications. Further, due to the constant request of OTPs a service might block your account and you might not be able to access it,” said Mudit Bansal, Cyber Threat Researcher, CloudSEK.
Legal Repercussions
Bombarding phones with SMS messages, even after activating DND (Do Not Disturb) services, constitutes harassment and nuisance under IPC Section 268, and further qualifies as theft, cheating, and dishonest inducement of property delivery under IPC Sections 378 & 420.
Accessibility and Financial Impact
CloudSEK’s findings also underline the accessibility and financial aspects of these malicious services:
· Numerous online tools enable anyone to launch such campaigns effortlessly.
· The tools are available for free, as the primary cost burden falls on the brands owning the SMS-sending APIs.
· A single OTP SMS could cost a brand up to 20 paisa.
Impacted Companies and Exposed APIs
The affected companies, categorized by region, are as follows:
India: 44 exposed APIs
Indonesia: 1 exposed API
Russia: 81 exposed APIs
Mitigation Strategies
For Brands:
· Implement Rate Limiting and Throttling to slow down automated attacks.
· Require User Authentication and Authorization to ensure only authorized users access the API.
· Deploy CAPTCHA and Human Verification to deter automated bots.
· Implement Abuse Detection and Blocking mechanisms to flag suspicious activity.
· Utilize Monitoring and Analytics tools to identify unusual behavior in real-time.
· Employ CloudSEK’s XVigil tool for GitHub repository scanning to detect API abuse.
For Users:
· Request tool owners to protect your phone number.
· Activate Do Not Disturb (DND) on your phone number through your telecom provider.
