One of our colleagues recently woke up to hundreds of OTP messages from food delivery platforms like Zomato, Zepto, and Licious, all within a span of a few hours. He had just become the victim of what is called SMS Bombing where a user’s number is bombarded with a large number of messages or even OTP calls within a very short period of time with a clear intention to harass a user and disrupt the normal working of a device.
Over the last 24 hours I have been getting hundreds of OTP calls and messages. Mostly from Licious, @ZeptoNow @zomato @ByjusSupport etc. Any idea what happening?
— Nandagopal Rajan (@nandu79) July 21, 2022
Mehul Bhandari, 32, a software developer based in Vapi tells indianexpress.com that he was bombarded with hundreds of OTP messages from Flipkart, Apollo, Snapdeal, and ok credit. “For several days, I would get hundreds of OTP SMS, and it would irritate me.” He even tried registering a complaint with the cyber police, but that didn’t stop the spam messages. “Ultimately, I researched and downloaded the app, and blacklisted my number.”
These pranks are run using freeware and their apk files available to download online. Some of the popular SMS bombing apps are SMSBomber, BombItUp, and TXTBlast among others.
According to Sourajeet Majumder, an independent cyber expert, in most cases, these websites use vulnerable API points of other firms which are actually used to send OTPs, and texts to legitimate users for login, password reset etc. “However, attackers exploit these APIs by making GET/POST requests with their scripts which in turn automates the sending of messages and helps them to perform SMS bombing attacks.”
It is very easy to use SMS bomber tools. Users have to just enter the number, and value (how many messages you want to send), hit the submit button and wait until the success alert.
Legal experts believe using SMS bombers qualifies as a form of harassment. “Such apps/websites do not have a proper privacy policy or terms of service. Although it calls itself a tool for fun, this has the potential to create immense harm. Incessant messages can be a nuisance for the person targeted. This can be easily used to harass persons. However, the terms of service state that it can be used only on friends and family and with consent, but there is no way to monitor this,” said Prasanth Sugathan, Legal Director at SFLC.in.
Bombarding of SMSes even after activating DND service on one’s phone number is not just a form of harassment and nuisance (I.P.C Section 268), but “are a trap, bait, and a criminal act of theft, cheating and dishonestly inducing delivery of property under I.P.C Sections 378 & 420,” said Bombay High Court lawyer Satya Muley. “Under IT Act 2000, Section 43-A, the onus is also on the telecom operators and corporates to implement security safeguards to protect the personal data of their clients who are at risk of such phishing scams, otherwise the corporates shall be liable to pay damages in the form of compensation to the victims, for causing wrongful loss to them. It also amounts to an invasion of a person’s privacy,” he adds.
Majumder advises that a number of websites which provide SMS Bombing facilities also provide options to protect your number. “Once a number is saved in the protection list, one cannot use that particular website to SMS bomb you.”
Meanwhile, users can try anti-SMS Bombers which are tools that automatically block the incoming messages from a particular sender if an OTP or same SMS occurs more than three times. “Users can also try reaching out to the security teams of the firms from whom they are receiving the messages. This might help the firm to patch the vulnerable API which will, in turn, make it impossible for attackers to use it for SMS Bombing,” he added.

Mehab QureshiMehab is a Technology Journalist at Indianexpress.com. He is intereste… read more

source