- Notícias sobre segurança
- Cybercrime & Digital Threats
- Can You Rely on OTPs? A Study of SMS PVA Services and Their Possible Criminal Uses
Download SMS PVA: An Underground Service Enabling Threat Actors to Register Bulk Fake Accounts
Short message service (SMS) verification has become the default authentication for many online services. These platforms assume that SMS verification is enough to guarantee the “one-account-per-person-per-phone” policy. In fact, many IT departments across the world treat SMS verification as a “secure” validation tool for user accounts.
Over the past couple of years, we have noticed an increase in online sellers offering SMS phone verified accounts (PVA) services. SMS PVA services are used to circumvent the SMS verification mechanism by providing their customers with mobile numbers to create accounts in various online services and platforms. However, this type of service can be abused by cybercriminals to register disposable accounts in bulk or create phone-verified accounts for purposes of conducting fraud or other criminal activities.
Unlike older PVA abuse methods, modern SMS PVA services only sell the actual verification codes needed at the time of account registration. Our investigation into SMS PVA services led us to discover that at least one operator has built their service on top of a botnet involving thousands of infected Android phones. There are two possibilities here: Phones might be infected through a piece of malware that is accidentally downloaded by the user, or phones might be preloaded with malware during manufacturing. We discuss these issues further in our full report.
The affected Android phones are used to receive, parse, and report the SMS verification codes without their owners’ knowledge and consent. By using infected phones and focusing on account verification codes, SMS PVA service operators can offer low-cost access to thousands of mobile numbers in different countries. This enables cybercriminals to register new accounts in bulk and use them for malicious activities.
This report outlines the crimes and actions that are enabled by such services, as well as the implications of these services with regard to the integrity of SMS account verification. Our full report dives into one specific SMS PVA service and shows exactly how it operates.
SMS verification is trusted by countless organizations, from small selling platforms to multinational organizations providing critical services. It is therefore no surprise that cybercriminals and scammers are constantly on the lookout for any way to abuse and take advantage of this trust. Unfortunately, companies offering SMS PVA services provide them with the assets they need for malicious activities.
Based on previous uses of fake accounts, we can infer the criminal activities that malicious actors can use SMS PVA services for. By highlighting these possible misuses, we hope that our research serves as a warning for enterprises that rely on SMS account verification, as well as governing bodies that use it as an authentication system, to fortify their defenses.
The proliferation of online abuse from fake accounts has only become more widespread as the pandemic has forced many people and organizations to broaden their internet presence. Many enterprises have opened online platforms that use SMS verification to authenticate users.
This type of verification has become a widely accepted method of moderating online accounts and keeping fake personalities or bots off online platforms. However, as we see discussed here, SMS PVA services easily take advantage of this system and help malicious actors conduct widespread scams and fraud. We hope that this report highlights the inadequacy and insufficiency of one-time SMS verification as the primary means of account validation.
Moving forward, online platforms should recognize the weaknesses of this verification method and consider other countermeasures. As for users worried about phone security, Trend Micro Mobile Security Solutions can detect and mitigate malicious applications and block traffic to C&C servers. However, smartphone manufacturers should also be vigilant about security by keeping an eye on their product, from firmware creation to assembly and shipping. It will also take concrete action from authentication services and creators of online platforms to improve SMS verification and prevent the system of SMS service fraud from further flourishing.
To read more, download our full report, “SMS PVA: An Underground Service Enabling Threat Actors to Register Bulk Fake Accounts.”
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.