SMS PVA Services' Use of Infected Android Phones Reveals Flaws in SMS Verification – Trend Micro

Certain SMS PVA services allow their customers to create disposable user profiles or register multiple accounts on many popular online platforms. These services can be abused by criminals to conduct fraud or other malicious activities.
By: Zhengyu Dong, Ryan Flores, Vladimir Kropotov, Paul Pajares, Fyodor Yarochkin
There has been an increase in short message service (SMS) phone-verified account (PVA) services in the last two years. SMS PVA services provide alternative mobile numbers that customers can use to register for online services and platforms. These types of services help circumvent the SMS verification mechanisms widely used by online platforms and services to authenticate new accounts. Malicious actors can register disposable accounts in bulk or create phone-verified accounts for criminal activities. 
In the following sections, we share the results of our investigation into the operations of an SMS PVA provider that uses the site smspva[.]net. We provide further details in our research, “SMS PVA: An Underground Service Enabling Threat Actors to Register Bulk Fake Accounts.”

Elements of the SMS PVA Service Operations
Smspva[.]net and other SMS PVA services have essentially the same key characteristics:

This specific SMS PVA service provider is able to maintain many mobile numbers across different countries. It’s also interesting to note that the cost of maintaining these numbers exceeds the service rates charged to customers — so how does this service manage to stay in business?

Malicious Android applications used to intercept SMS
In the course of our research, we found evidence that the capabilities of this particular SMS PVA operation are built on Android phones infected with SMS-intercepting malware. 

We investigated this by pivoting via the API URLs and the website itself. We found that the API name and functionality of smspva[.]net is unique, but as we see in Figure 2, enjoynut[.]cn has a very similar website hosted on the subdomain lm.enjoynut[.]cn.

Smspva[.]net and lm.enjoynut[.]cn have the same login pages with the same logo, as well as the same API documentation. Upon comparing user traffic between the two domains, we observed that smspva[.]net receives far more traffic. Because of this, we believe enjoynut[.]cn was used as a test server, while smspva[.]net is the production server.
The enjoynut[.]cn connection is an important pivot point as the domain is used by several Android malware variants.

The DEX file of interest on the graph is a file with sha1 e83ec56dfb094fb87b57b67449d23a18208d3091, which we detect as a variant of the AndroidOS_Guerilla malware. This particular DEX file uses cardking.ejoynut[.]cn as the debug command and control (C&C) and uses sublemontree[.]com as the production C&C, as seen in the following image. 
This DEX file is designed to intercept the SMS received on the affected Android phone, check them against regular expression (regex) rules received from the C&C, and then send the C&C any text message that matches the regular expression.
Using these code snippets and C&C traffic as fingerprints, we were able to identify two more DEX files with the same functionality but different C&Cs, indicating an active development process and several versions of both the development code and production code of the Android malware.

Only text messages sent by specific services and matched by the regex provided by the C&C were intercepted. This is likely to prevent the user of the Android phone from discovering the malicious activity. The malware remains low-profile, collecting only the text messages that match the requested application so that it can covertly continue this activity for long periods. If the SMS PVA service allows its customers to access all messages on the infected phones, the owners would quickly notice the problem. 

The SMS PVA service also controls the type of platforms that customers can receive text messages from (as listed in Figure 1). This means that the operators behind the service can make sure no obvious malicious activity occurs on the infected phones. If the service, for example, allowed the theft of two-factor authentication (2FA) codes for banking apps, then the real users would be alerted and take action, which would then result in the SMS PVA service losing its asset.

Use of residential proxies

Online platforms and services often authenticate new accounts by validating the location of the user during registration. For example, an IP address might be required to match the geographical location of the phone number used for the account.   

To circumvent this, SMS PVA users use third-party IP masking services, such as proxies or virtual private networks (VPNs), to change the IP address that will be recorded when they try to connect to a desired service. Using Trend Micro™ Smart Protection Network™ (SPN) telemetry, we have identified that the users of SMS PVA services extensively use a variety of proxy services and distributed VPN platforms to bypass the IP geolocation verification checks. 

User registration requests and SMS PVA API requests often come from an exit node of a VPN service or a residential proxy system. This means that the users of SMS PVA services typically use them in combination with some sort of residential proxy or a VPN service that allows them to select the country of the IP exit node to match the telephone number used to register the service. 
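The following is an added example, not code from the Trend Micro research: a defender-side registration risk check that shows why the IP-geolocation match described above is not enough on its own. The dial-code table, the IP-to-country/ASN table and the proxy ASN list are all constructed placeholders standing in for libphonenumber and a GeoIP/ASN database; a same-country residential proxy passes the geolocation check, so the reuse of one number across several platforms is added as a second signal.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed placeholder tables (assumption): a real deployment would query
# libphonenumber and a GeoIP/ASN database instead.
DIAL_CODE_TO_COUNTRY = {"1": "US", "44": "GB", "62": "ID", "7": "RU"}
IP_TO_GEO = {  # ip -> (country, ASN)
    "203.0.113.10": ("ID", "AS64496"),  # ordinary residential ISP
    "198.51.100.7": ("US", "AS64500"),  # datacenter VPN exit
    "192.0.2.55": ("US", "AS64501"),    # residential proxy network
}
PROXY_ASNS = {"AS64500", "AS64501"}  # ASNs tagged as VPN exit / residential proxy


@dataclass
class Registration:
    phone: str      # E.164 number, e.g. "+6281234567890"
    ip: str         # client IP seen at registration
    platform: str   # service the account is being created on


@dataclass
class PvaRiskChecker:
    # More than this many distinct platforms per number is treated as reuse.
    velocity_limit: int = 2
    seen: dict = field(default_factory=lambda: defaultdict(set))

    def phone_country(self, phone: str) -> Optional[str]:
        """Map the E.164 dial code to a country, trying longest prefix first."""
        digits = phone.lstrip("+")
        for length in (3, 2, 1):
            country = DIAL_CODE_TO_COUNTRY.get(digits[:length])
            if country:
                return country
        return None

    def assess(self, reg: Registration) -> List[str]:
        """Return the risk signals raised by one registration attempt."""
        signals = []
        ip_country, asn = IP_TO_GEO.get(reg.ip, (None, ""))
        phone_country = self.phone_country(reg.phone)
        # Signal 1: the geolocation check platforms already perform.
        if phone_country and ip_country and phone_country != ip_country:
            signals.append("geo_mismatch")
        # Signal 2: the request arrives from a known VPN exit or residential proxy.
        if asn in PROXY_ASNS:
            signals.append("proxy_asn")
        # Signal 3: the same number keeps verifying accounts on different platforms,
        # which is what a shared SMS PVA number looks like from the outside.
        self.seen[reg.phone].add(reg.platform)
        if len(self.seen[reg.phone]) > self.velocity_limit:
            signals.append("number_reuse")
        return signals
```

In the third case below a US number registered through a US residential proxy raises no geolocation mismatch at all, which is the bypass the text describes.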

Security implications of SMS PVA services and their effects on SMS verification 
SMS verification has become the default authentication method for many online platforms and applications. Many IT departments treat SMS verification as a “secure” black box validation tool for user accounts. Currently, however, online services and platforms should be wary about heavily relying on SMS verification. These SMS PVA services prove that cybercriminals are indeed able to defeat SMS verification at scale. This also means that there could be authenticated and verified accounts on platforms that behave like bots, trolls, or fraudulent accounts. 

"Authentic user behavior" on certain platforms can be manipulated by malicious actors with SMS PVA accounts. This means that a platform could incur increased costs due to scams and fraud. A platform might even be involved (directly or indirectly) with personal injury or damage to property.

Based on previous uses of fake accounts, we can predict how threat actors will use these services in their scams and criminal activities.

Anonymity tool 

Cybercriminals use disposable numbers for many different activities because they can register accounts without worrying about being traced. Also, because the infected mobile phone numbers they use are attached to real people, law enforcement inquests about their accounts will be traced to another person. 

We saw one example of misuse linked to a buy-now-pay-later scheme. In this example, several malware samples used SMS PVA services to acquire phone numbers and linked those numbers to existing online payment service accounts. Afterward, the malicious actors attempted purchase transactions from an online shopping site. Although we only identified a few samples of such activities, we believe that when automated, these accounts can be used at large to perform illicit purchases or money laundering. 

These services can also be used to avoid responsibility for damages or illegal activity on commerce platforms. In 2020, a Russian car-sharing service accused a man of being involved in a car accident. However, it was revealed that the account used for the car-sharing service was a fraudulent account set up using the accused man’s name and disposable SIM cards for verification.

Coordinated inauthentic behavior

Coordinated inauthentic behavior is often used to distribute and amplify information (often misinformation) in social networks. With SMS PVA services this can be done at scale and with the necessary speed and precision. Large campaigns can be used to manipulate public opinion on brands, services, political views, or government programs such as vaccination campaigns. Organizers of fake news can even use SMS PVA services to create online troll armies.

Some SMS PVA services have thousands of compromised smartphones spread across various countries. The service can allow customers to register social media accounts in bulk and in specific countries that the actors behind these services are targeting.  

Abuse of sign-on bonuses

Sign-on bonuses (often given whenever a new account is registered) can also be abused using the SMS PVA service. For example, Bolt, a ride-hailing service popular in Eastern Europe, Africa, and Western Asia, incentivized new sign-ons by giving away free ride credits for every new account. Some SMS PVA services realized this as a potential monetization scheme and even advertised having “unlimited discounted Bolt rides” to persuade people to use the SMS PVA service.

Conclusions and recommendations
The core security issue is that an enterprise has the ability to monitor and intercept text messaging from tens of thousands of devices all around the world, and then profit from this interception by offering the service to whoever can pay for it. Another chilling thought is that the customizable regular expression patterns supplied by the C&C mean that the SMS interception capability is not limited to verification codes. It can also be extended to the collection of one-time password (OTP) tokens or even used as a monitoring tool by oppressive regimes.

The SMS PVA service operation not only shows the inadequacy of one-time SMS verification as the primary means of validation, but also highlights the need for better mobile security and privacy. The malware that infects these phones might be unwittingly downloaded by users, or could imply a gap in supply-chain security.

Trend Micro is able to detect the malicious code and block traffic to C&C servers. But a comprehensive solution requires challenging fundamental assumptions about account verification, more effective content moderation, and stronger smartphone security.

To read more about this threat, download our research paper, “SMS PVA: An Underground Service Enabling Threat Actors to Register Bulk Fake Accounts.” 
Zhengyu Dong
Mobile Threats Analyst
Ryan Flores
Sr. Manager, Threat Research
Vladimir Kropotov
Sr. Threat Researcher
Paul Pajares
Threats Analyst
Fyodor Yarochkin
Sr. Threat Researcher