Rogue Scripts Are Exploiting OTP Verification APIs To Send Heaps of OTP SMSes, Hold The Potential Of Triggering Service Disruptions.

Discover how CloudSEK's AI-powered XVigil platform identified concerning GitHub repositories mentioning Indian companies and their APIs.
Updated on
November 6, 2023
Published on
August 28, 2023
Subscribe to the latest industry news, threats and resources.

Executive Summary


  • Threat actors are developing automated softwares which abuse OTP generating endpoints to send heaps of otp messages.
  • These softwares abuse the publicly available OTP APIs and hold the power to cause targeted outages of telecommunication services.
  • Incase of an account takeover scenario a threat actor could spam such sms which may lead to “MFA fatigue” or “exhaustion” attacks.


  • This abuse can lead up to higher than expected costs of maintaining the OTP based API.
  • Potential clients could develop a negative sentiment against the company.
  • Operations could be negatively affected due to inaccessibility of telecommunication services.


  • Implement captcha based service to limit the bot based usage.
  • Implement rate limiting at the endpoint.
  • Monitor github repositories for mentions of your API in source code of such tools.
Note: This would cause disruption of services on the mobile device essentially creating a scenario that the device is under a DOS attack. Further in a scenario while the attack is going on, if the user tries to clear the notifications manually they might accidently click on a MFA prompt thus granting access to the attacker. This attack could also be used as a veil to hide illegitimate login attempts made by the threat actors to gain access to the users device. This also implies that while the attack is going on the user may miss out on critical notifications. 

Analysis and Attribution

  • CloudSEK’s contextual AI digital risk platform XVigil  discovered multiple github repositories with mentions of Indian companies and their APIs. 
  • These APIs allow anyone to send unlimited OTP SMSes to any number without any rate limiting or CAPTCHA protection, which leads to abuse of these APIs by automated tools.
  • This results in increased API cost and legal repercussions for the brand along with decline in brand’s public image.


CloudSEK’s Xvigil can find instances of mentions of APIs and other keywords from github.

The affected companies and their exposed APIs (region wise) - 

Number of Exposed APIs according to the country

Number of Exposed APIs according to the country







Note - These graphs are based on APIs found and collated from the source code of multiple sms bombing tools, some of which are archived now. Cloudsek researchers refrained from testing these APIs for their current vulnerability status.

Attack chain 

Collecting Target Phone Numbers: The user of the SMS bomber provides the target phone number or a list of phone numbers to which they want to send the messages. This information can be input manually or imported from a file.

This depends on the motivation of the threat actor, for a prank, only the friend’s number would be used, but for a dedicated attack the phone numbers of representatives of the sales department could be collected from the “lead sellers” from dark web forums or even from linkedin or scribd.

Phone numbers of an organization have been uploaded on scribd which is a document sharing platform

These numbers are then passed into the software which makes continued multiple requests at the target APIs and the attack starts.

Attack chain (Contd)

Continuous Operation: The tool will continue sending messages until a preset limit is reached or until the user decides to stop the operation manually. This can result in a flood of messages and/or calls being sent to the target phone number.

Impact on the Target: The constant influx of messages and calls can overwhelm the target's device, potentially causing it to slow down, freeze, or even crash. Additionally, the target may be constantly alerted with notifications, making it difficult to use the device for other tasks. 

As in the case of Uber hack, this could also lead to “MFA fatigue” or “exhaustion” attacks

Finally, the inbox of the receiver could get filled which blocks him from receiving new and potentially important messages.

In our example, the sales operation of the targeted company could shut down entirely because of the constant bombardment of sms and calls.


Legal repercussions - Bombarding a phone with SMSes even after it activates the DND service is not just a form of harassment and nuisance (IPC Section 268), but “a trap, bait, and a criminal act of theft, cheating and dishonestly inducing delivery of property under IPC Sections 378 & 420,” said Bombay High Court lawyer Satya Mulay. ( reference )

Accessibility and finances of such services - 

  • Multiple such tools are hosted online which allow anyone to launch such campaigns very easily without any installation. 
  • Additionally all these tools are free because the major chunk of cost is taken up by the sms sending APIs which are owned by the brands. 
  • One such OTP sms could cost up to 20 paisa for a brand.
  • These tools run on the revenue generated by serving ads on their platform. 

A simple “sms bomber” search query on google gives you these results. 


For Brands

For Users

  • Rate Limiting and Throttling: Implement rate limiting and throttling mechanisms for API requests. This prevents a single user or IP address from sending a large volume of requests in a short amount of time. This can help deter automated attacks by slowing down the rate of requests.
  • User Authentication and Authorization: Require users to authenticate and authorize their usage of the API. This can involve using API keys, OAuth tokens, or other forms of authentication to ensure that only authorized users can access the API.
  • CAPTCHA and Human Verification: Implement CAPTCHA challenges or other forms of human verification for actions that involve sending messages. This helps prevent automated bots from abusing your services.
  • Abuse Detection and Blocking: Implement algorithms that can detect patterns of abuse, such as a sudden surge in requests from a single source. Automatically flag or block suspicious activity and notify administrators.
  • Monitoring and Analytics: Implement monitoring and analytics tools to track API usage patterns. This can help you identify unusual behavior and take action against potential attacks in real-time.
  • Use CloudSEK’s Xvigil tool to find if threat actors are abusing your APIs with its github repository scanning feature.
  • Ask the tools owners (links later in the report) to put your phone number in the protected list.
  • Ask your telecom provider to activate Do Not Disturb on your phone number.



Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations