How Some OTP Systems Can Be Used to Prank Spam

Labs Note

I recently came across an interesting index.php file and its corresponding directory on a compromised website. I loaded it in a testing environment and immediately it was apparent that this malicious PHP file was different than your average spam tool.

GUI for this spamming tool. *Note – the “No Telp” telephone number field and the “Jumlah SMS” number of SMS field.

This particular malicious file\’s GUI stood out because it would send SMS(text) messages to a user-specified cellular telephone number. This isn\’t a standard operating procedure for most of the spam campaigns that I have encountered over the years, as they try to target as many email addresses, or phone numbers, as possible to increase the attack surface and the probability of a successful delivery.

AA further analysis of the code within the malicious spam tool file revealed further information:

public function Verif()
    {
        $url = "https://www.tokocash.com/oauth/otp";
        $no = $this->no;
        $type = $this->type;
        if ($type == 1) {
            $data = "msisdn={$no}&accept=";
        }elseif ($type == 2) {
            $data = "msisdn={$no}&accept=call";
        }
        $send = $this->sendC($url, null, $data);
        // echo $send;
        if (preg_match('/otp_attempt_left/', $send)) {
                print('OTP berhasil Dikirim!<br>');
            } else {
                print('OTP Gagal Dikirim!<br>');
            }
    }

sendC is a function defined earlier that just constructs a cURL request with special headers

After checking this PHP file’s code, it’s clear that the SMS spam message isn’t actually being sent from the web server hosting the compromised website. Instead, the PHP file’s coding would be executed from the web page previously shown. Then it would submit a specially crafted cURL request (saved as function sendC) to an Indonesian website that had an authentication system utilizing a OTP feature. The request sent to this website’s OTP system would include parameters in the URL that include the victim’s phone number and whether to perform the OTP two-factor authentication via phone call or SMS text message.

Apparently, it turns out that this PHP script is nothing more than a “prank” spam tool that will just continuously send SMS or phone calls to the victim’s phone number until the OTP system starts rejecting the requests. It’s an interesting method of “prank” spam in regards to how the SMS message is sent out. It doesn’t use the malicious user’s server nor the compromised website’s hosting server but rather abuses a legitimate TokoCash/Tokopedia’s authentication service to bombard the phone number. Notice in the screenshot spamming tool, the word bom, which means “bomb” in Indonesian.

I reached out to this Indonesian website to inform them of the prank spam issue with their OTP system so that they can hopefully implement some access control security to harden the OTP from this type of abuse.

You May Also Like