Can You Rely on OTPs? A Study of SMS PVA Services and Their Possible Criminal Uses

SMS PVA: An Underground Service Enabling Threat Actors to Register Bulk Fake Accounts Download SMS PVA: An Underground Service Enabling Threat Actors to Register Bulk Fake Accounts




SMS PVA services allow their customers to create disposable user profiles or register verified accounts on many popular platforms. Unfortunately, criminals can misuse these services to conduct fraud or other malicious activities.



Short message service (SMS) verification has become the default authentication for many online services. These platforms assume that SMS verification is enough to guarantee the “one-account-per-person-per-phone” policy. In fact, many IT departments across the world treat SMS verification as a “secure” validation tool for user accounts.

Over the past couple of years, we have noticed an increase in online sellers offering SMS phone verified accounts (PVA) services. SMS PVA services are used to circumvent the SMS verification mechanism by providing their customers with mobile numbers to create accounts in various online services and platforms. However, this type of service can be abused by cybercriminals to register disposable accounts in bulk or create phone-verified accounts for purposes of conducting fraud or other criminal activities.


Unlike older PVA abuse methods, modern SMS PVA services only sell the actual verification codes needed at the time of account registration. Our investigation into SMS PVA services led us to discover that at least one operator has built their service on top of a botnet involving thousands of infected Android phones. There are two possibilities here: Phones might be infected through a piece of malware that is accidentally downloaded by the user, or phones might be preloaded with malware during manufacturing. We discuss these issues further in our full report. 

The affected Android phones are used to receive, parse, and report the SMS verification codes without their owners’ knowledge and consent. By using infected phones and focusing on account verification codes, SMS PVA service operators can offer low-cost access to thousands of mobile numbers in different countries. This enables cybercriminals to register new accounts in bulk and use them for malicious activities.

This report outlines the crimes and actions that are enabled by such services, as well as the implications of these services with regard to the integrity of SMS account verification. Our full report dives into one specific SMS PVA service and shows exactly how it operates.

How can criminals abuse SMS PVA services? 

SMS verification is trusted by countless organizations, from small selling platforms to multinational organizations providing critical services. It is therefore no surprise that cybercriminals and scammers are constantly on the lookout for any way to abuse and take advantage of this trust. Unfortunately, companies offering SMS PVA services provide them with the assets they need for malicious activities. 

Based on previous uses of fake accounts, we can infer the criminal activities that malicious actors can use SMS PVA services for. By highlighting these possible misuses, we hope that our research serves as a warning for enterprises that rely on SMS account verification, as well as governing bodies that use it as an authentication system, to fortify their defenses.








Anonymity
Read more

Coordinated inauthentic behavior
Read more

Abuse of sign-in bonuses
Read more

Scams and message-based fraud
Read more

Who are affected by these services? 

Consumers

  • Owners of infected smartphones are unwitting and unknowing victims. Their privacy is threatened because these services have access to private data, messages, and applications.
  • The mobile numbers of the victims can be used in illegal schemes, and the unwitting users can be implicated as a result of their infected devices.
  • Customizable regular expression patterns supplied by the command and control (C&C) means that the SMS interception capability is not limited to verification codes alone. Rather, it can be extended to the collection of OTP tokens or even used as a monitoring tool

Online platforms and services

  • SMS verification can now be defeated at scale, which means that it is not completely reliable as a method of user authentication.
  • Verified accounts are not a guarantee of authentic behavior — there can be multiple verified accounts that are fraudulent and behave as bots.
  • User behavior models that don’t take into account fraudulent activity from verified users are probably inaccurate.  

Single sign-on services

  • Single sign-on (SSO) allows users to use a single set of authentication credentials to log into a group of services. For example, Google or Apple accounts can be used to log into other platforms. These accounts are verified through an SMS confirmation code, but all other communication is likely made through the platform or app itself.
  • Malicious actors can use SMS PVA services for bulk account creation on major platforms since access to the phone and the text message is required only once.
  • Using SMS PVA services to create these accounts can also lead to risks of user impersonation and identity theft. For example, government portals and financial services often enforce the one-account-per-person policy simply through SMS confirmation.
allText">Figure 3. Countries in which Void Balaur email targets were located (companies were targeted via corporate email addresses; individuals were targeted via private email addresses)

Security recommendations

The proliferation of online abuse from fake accounts has only become more widespread as the pandemic has forced many people and organizations to broaden their internet presence. Many enterprises have opened online platforms that use SMS verification to authenticate users.   

This type of verification has become a widely accepted method of moderating online accounts and keeping fake personalities or bots off online platforms. However, as we see discussed here, SMS PVA services easily take advantage of this system and help malicious actors conduct widespread scams and fraud. We hope that this report highlights the inadequacy and insufficiency of one-time SMS verification as the primary means of account validation.  

Moving forward, online platforms should recognize the weaknesses of this verification method and consider other countermeasures. As for users worried about phone security, Trend Micro Mobile Security Solutions can detect and mitigate malicious applications and block traffic to C&C servers. However, smartphone manufacturers should also be vigilant about security by keeping an eye on their product, from firmware creation to assembly and shipping. It will also take concrete action from authentication services and creators of online platforms to improve SMS verification and prevent the system of SMS service fraud from further flourishing.

To read more, download our full report, “SMS PVA: An Underground Service Enabling Threat Actors to Register Bulk Fake Accounts.” 

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.