What Is SMS Bombing and How Can It Affect Your Security?
SMS bombing (also known as text bombing) doesn't seem to have a definition that all experts agree upon. Many of the hits you get on Google will tell you that SMS bombing is the act of using an automated tool to send a large number of text messages to a single person in a short period of time. Apparently, people think that this is a very funny practical joke.
For some, however, SMS bombing is far more than a hilarious prank. Certain experts say that the sending of pre-composed texts to many different phone numbers can also be classified as SMS bombing. As you might have guessed already, having the ability to reach a large number of people with the click of a few buttons can help with a variety of different tasks, including the marketing of a product or a service. In other words, some people make a living out of SMS bombing.
SMS bombing and security
The fact that there is no agreement on what SMS bombing actually is means that it's also difficult to say how it can affect the people who are on the receiving end of it. Normally, when you want to prank someone, you tend not to put their security at risk, which means that, for the most part, annoying a friend with a vast number of texts sent very quickly shouldn't be that dangerous. That being said, Google has banned some SMS bombing applications because they have been used for bullying and harassment.
When it comes to sending the same message to a large number of people, we once again have two sides of the coin. There's nothing wrong with using an SMS bombing tool to send promotional materials, notifications, and news as long as the people who receive them have knowingly agreed to it. In this day and age, however, things don't always work that way.
SMS spam is not possible without an automated SMS bombing tool. Sending unsolicited (and/or fraudulent) text messages is nowhere near as prevalent as spamming through email, but it is just as dangerous.
So, in a word, yes, people engaged in SMS bombing can put you in harm's way. They can do it in more ways than one.
When SMS bombing crews mishandle your data
To send text messages to many people, you obviously need many phone numbers. As security researcher Bob Diachenko found out recently, however, the people behind some SMS bombing operations like to gather a bit more than contact details about the recipients of their texts.
As some of you may know, Bob Diachenko spends most of his days scanning the internet for misconfigured databases and servers. In April, he spotted an unprotected MongoDB instance that was accessible from anywhere in the world without a password. It, like many other databases Diachenko finds, turned out to contain a vast amount of personal information.
The biggest folder was named "leads", and it held a smidge over 80 million records. Within each record, he found an email address (MD5 hashed), a first and a last name, a physical address, a phone number and the name of the cellular provider, an IP address, and a line type. The name of the database was ApexSMS, which coincides with the name of an SMS bombing tool that is widely advertised on hacking forums and marketplaces for black hats.
Diachenko shared his findings with TechCrunch's Zack Whittaker, who examined the contents of the database further and confirmed that the information inside it had been used by an SMS bombing crew with the sole purpose of defrauding individuals. Whittaker saw some of the sent messages and concluded that the spammers were trying to redirect victims to scam websites that promised "free money" but did nothing more than steal personal information.
Names and admin addresses in the database led Whittaker to a few advertising companies who were quick to deny any wrongdoing. He remains skeptical but says that the legality of the whole operation is "for the courts to decide".
It's unknown how whoever created the database got their hands on all that information. What we do know is that shortly after Bob Diachenko found it, it was taken down and is no longer publicly accessible. We also know that this is the latest in a long line of incidents proving that neither legitimate companies nor scammers do enough to protect people's data.