Can You Rely on OTPs? A Study of SMS PVA Services and Their Possible Criminal Uses
Short message service (SMS) verification has become the default authentication for many online services. These platforms assume that SMS verification is enough to guarantee the “one-account-per-person-per-phone” policy. In fact, many IT departments across the world treat SMS verification as a “secure” validation tool for user accounts.
Over the past couple of years, we have noticed an increase in online sellers offering SMS phone-verified account (PVA) services. SMS PVA services are used to circumvent the SMS verification mechanism by providing their customers with mobile numbers to create accounts on various online services and platforms. However, this type of service can be abused by cybercriminals to register disposable accounts in bulk or to create phone-verified accounts for fraud or other criminal activities.
Unlike older PVA abuse methods, modern SMS PVA services only sell the actual verification codes needed at the time of account registration. Our investigation into SMS PVA services led us to discover that at least one operator has built their service on top of a botnet involving thousands of infected Android phones. There are two possibilities here: Phones might be infected through a piece of malware that is accidentally downloaded by the user, or phones might be preloaded with malware during manufacturing. We discuss these issues further in our full report.
The affected Android phones are used to receive, parse, and report the SMS verification codes without their owners’ knowledge and consent. By using infected phones and focusing on account verification codes, SMS PVA service operators can offer low-cost access to thousands of mobile numbers in different countries. This enables cybercriminals to register new accounts in bulk and use them for malicious activities.
This report outlines the crimes and actions that are enabled by such services, as well as the implications of these services with regard to the integrity of SMS account verification. Our full report dives into one specific SMS PVA service and shows exactly how it operates.
How can criminals abuse SMS PVA services?
SMS verification is trusted by countless organizations, from small selling platforms to multinational organizations providing critical services. It is therefore no surprise that cybercriminals and scammers are constantly on the lookout for any way to abuse and take advantage of this trust. Unfortunately, companies offering SMS PVA services provide them with the assets they need for malicious activities.
Based on previous uses of fake accounts, we can infer the criminal activities that malicious actors can use SMS PVA services for. By highlighting these possible misuses, we hope that our research serves as a warning for enterprises that rely on SMS account verification, as well as governing bodies that use it as an authentication system, to fortify their defenses.
- Cybercriminals can make their online identity harder to trace.
- They can use disposable numbers for account registrations without worrying that these accounts and numbers can be linked to them.
- Binding SMS PVA phone numbers to online financial services gives access to buy-now-pay-later microfinancing; in turn, these accounts can be used for illicit purchases or money laundering.
Coordinated inauthentic behavior
- This kind of behavior can be used to distribute and amplify information (often misinformation) in social networks at scale — with both speed and necessary precision.
- Users can manipulate public opinion for marketing brands, services, political views, or government programs.
- Users can even trigger street protests or create troll armies.
Abuse of sign-in bonuses
- Cybercriminals can abuse promotional campaigns to earn actual money or obtain specific products. For example, Starbucks China offered a free drink whenever a new user signed up through its app.
- In 2018, a criminal group registered over 400,000 accounts by purchasing SMS verification codes and collected the “free drink” coupons, which were then sold online.
- Bolt, a ride-hailing service popular in Eastern Europe, Africa, and Western Asia, incentivized referrals of new users by giving away free ride credits for every new account. Some SMS PVA sellers advertised “unlimited discounted Bolt rides” as a compelling reason to use their services.
Scams and message-based fraud
- SMS PVA allows scammers to register bulk accounts in messaging apps and then use those accounts for social engineering.
- Scams include job recruitment, parcel delivery, stock investment, and even romance scams, to name a few.
- Most of these unsolicited messages are sent through text messaging or popular messaging apps like Line, WhatsApp, and WeChat.
Who is affected by these services?
- Owners of infected smartphones are unwitting and unknowing victims. Their privacy is threatened because these services have access to private data, messages, and applications.
- The mobile numbers of the victims can be used in illegal schemes, and the unwitting users can be implicated as a result of their infected devices.
- Customizable regular expression patterns supplied by the command-and-control (C&C) server mean that the SMS interception capability is not limited to verification codes alone; it can be extended to the collection of OTP tokens or even used as a monitoring tool.
Online platforms and services
- SMS verification can now be defeated at scale, which means that it is not completely reliable as a method of user authentication.
- Verified accounts are not a guarantee of authentic behavior — there can be multiple verified accounts that are fraudulent and behave as bots.
- User behavior models that don’t take into account fraudulent activity from verified users are probably inaccurate.
Single sign-on services
- Single sign-on (SSO) allows users to use a single set of authentication credentials to log into a group of services. For example, Google or Apple accounts can be used to log into other platforms. These accounts are verified through an SMS confirmation code, but all other communication is likely made through the platform or app itself.
- Malicious actors can use SMS PVA services for bulk account creation on major platforms since access to the phone and the text message is required only once.
- Using SMS PVA services to create these accounts can also lead to risks of user impersonation and identity theft. For example, government portals and financial services often enforce the one-account-per-person policy simply through SMS confirmation.
The proliferation of online abuse from fake accounts has only become more widespread as the pandemic has forced many people and organizations to broaden their internet presence. Many enterprises have opened online platforms that use SMS verification to authenticate users.
This type of verification has become a widely accepted method of moderating online accounts and keeping fake personalities or bots off online platforms. However, as discussed here, SMS PVA services easily take advantage of this system and help malicious actors conduct widespread scams and fraud. We hope that this report highlights the inadequacy of one-time SMS verification as the primary means of account validation.
Moving forward, online platforms should recognize the weaknesses of this verification method and consider other countermeasures. As for users worried about phone security, Trend Micro Mobile Security Solutions can detect and mitigate malicious applications and block traffic to C&C servers. Smartphone manufacturers should also be vigilant about security by keeping an eye on their product, from firmware creation to assembly and shipping. It will also take concrete action from authentication services and creators of online platforms to improve SMS verification and prevent SMS verification fraud from flourishing further.
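As an added illustration of the platform-side countermeasures called for above (example code written for this summary, not Trend Micro's or any platform's own logic), the following Python heuristic flags the registration pattern this report describes: many accounts phone-verified in a short burst, drawn from one number pool and submitted from one client address, each number used only once. The sign-up events are constructed sample data and the thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class SignUp:
    ts: int      # epoch seconds when the SMS code was accepted
    phone: str   # E.164 number the code was delivered to
    ip: str      # client address that submitted the code


# Constructed sample traffic (not real data): five accounts verified within
# two minutes through numbers sharing one prefix, all from one address,
# followed by two ordinary sign-ups.
SAMPLE: List[SignUp] = [
    SignUp(1000, "+6281234000001", "203.0.113.7"),
    SignUp(1010, "+6281234000008", "203.0.113.7"),
    SignUp(1025, "+6281234000021", "203.0.113.7"),
    SignUp(1090, "+6281234000040", "203.0.113.7"),
    SignUp(1110, "+6281234000077", "203.0.113.7"),
    SignUp(1500, "+14155550100", "198.51.100.4"),
    SignUp(9000, "+447700900123", "198.51.100.9"),
]


def prefix(phone: str, digits: int = 8) -> str:
    """Crude number-pool key: country code plus leading carrier digits (assumed length)."""
    return phone[:digits]


def flag_bursts(evs: List[SignUp], window: int, threshold: int) -> Set[str]:
    """Phones that appear in any `window`-second span holding >= `threshold` events."""
    evs = sorted(evs, key=lambda e: e.ts)
    flagged, j = set(), 0
    for i, e in enumerate(evs):
        while e.ts - evs[j].ts > window:   # slide the window's left edge
            j += 1
        if i - j + 1 >= threshold:
            flagged.update(x.phone for x in evs[j:i + 1])
    return flagged


def score_signups(events: List[SignUp], window: int = 600, burst: int = 4) -> Dict[str, int]:
    """Risk score per phone. +2 for a burst of verifications from one number pool
    (bulk one-shot numbers), +1 for >= 3 verifications from one client address."""
    scores: Dict[str, int] = defaultdict(int)
    by_prefix, by_ip = defaultdict(list), defaultdict(list)
    for e in events:
        by_prefix[prefix(e.phone)].append(e)
        by_ip[e.ip].append(e)
    for groups, bonus, threshold in ((by_prefix, 2, burst), (by_ip, 1, 3)):
        for evs in groups.values():
            for phone in flag_bursts(evs, window, threshold):
                scores[phone] += bonus
    return {e.phone: scores[e.phone] for e in events}
```

A score of 3 marks an account as needing a second signal (a later re-verification or manual review) rather than being trusted on the strength of one accepted SMS code.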
To read more, download our full report, “SMS PVA: An Underground Service Enabling Threat Actors to Register Bulk Fake Accounts.”