Date: 2022-08-01

By Mehab Qureshi

One of our colleagues recently woke up to hundreds of OTP messages from food delivery platforms like Zomato, Zepto, and Licious, all within a span of a few hours. He had just become a victim of what is called SMS Bombing, where a user’s number is bombarded with a large number of messages or even OTP calls within a short period of time, with a clear intention to harass the user and disrupt the normal working of their device.

Mehul Bhandari, 32, a software developer based in Vapi, has a similar story to narrate. “For several days, I would get hundreds of OTP SMSes, and it would irritate me.” He even tried registering a complaint with the cyber police, but that didn’t stop the spam messages. “Ultimately, I researched and downloaded the app, and blacklisted my number.”

SMS bombing is carried out using freeware, and the APK files are available for download online. Some of the popular SMS bombing apps are SMSBomber, BombItUp, and TXTBlast. According to Sourajeet Majumder, a cyber expert, in most cases, websites exploit vulnerable API points of other firms, which are actually used to send OTPs and texts to legitimate users for login, password reset, etc. “The attackers exploit these APIs by making GET/POST requests with their scripts, which in turn automates the sending of messages and helps orchestrate SMS bombing attacks.”

It is very easy to use SMS bomber tools. Users have to just enter the number, and value (how many messages they want to send), hit the submit button and wait until the success alert. “Such apps/websites do not have proper privacy policy or terms of service. Although described as a tool for fun, they have the potential to cause immense harm. Incessant messages can be a nuisance for the person targeted. While the terms of service state that they can be used only on friends and family and that too with consent, there is no way to monitor this,” said Prasanth Sugathan, legal director at SFLC.in.

Bombarding a phone with SMSes even after it activates the DND service is not just a form of harassment and nuisance (IPC Section 268), but “a trap, bait, and a criminal act of theft, cheating and dishonestly inducing delivery of property under IPC Sections 378 & 420,” said Bombay High Court lawyer Satya Mulay. “Under S 43-A of IT Act 2000, the onus is also on telecom operators and corporates to implement security safeguards to protect the personal data of their clients who are at risk of such phishing scams, failing which the corporates are liable to pay damages in the form of compensation to the victims. It also amounts to an invasion of a person’s privacy,” he added.

Majumder advised that a number of websites which provide SMS Bombing facilities also provide options to protect your number. “Once a number is saved on the protection list, one cannot use that particular website to SMS bomb you.”

Meanwhile, users can try out anti-SMS bombers, tools that automatically block incoming messages from a particular sender if an OTP or SMS is sent more than three times. “Users can also try reaching out to the security teams of firms from whom they are receiving the messages. This might help the firm to patch the vulnerable API which, in turn, will make it impossible for attackers to use it for SMS Bombing,” he added.
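One way a firm could patch an OTP-sending API of the kind described above is to throttle requests by destination phone number as well as by caller, since a per-IP limit alone does not protect a single targeted number. This is an added example, not code from the article or from any firm named in it; the class name, the limits (3 per number and 10 per client in 10 minutes), the 10-digit normalization and the in-memory store are assumptions.

```python
import time
from collections import defaultdict, deque


class OtpSendLimiter:
    """Sliding-window throttle for an OTP-send endpoint (illustrative)."""

    def __init__(self, max_per_number=3, max_per_client=10,
                 window_s=600, clock=time.monotonic):
        self.max_per_number = max_per_number  # assumed limit per phone number
        self.max_per_client = max_per_client  # assumed limit per caller IP
        self.window_s = window_s
        self.clock = clock                    # injectable for testing
        self._by_number = defaultdict(deque)  # in-memory store (assumption)
        self._by_client = defaultdict(deque)

    @staticmethod
    def normalize(number):
        # Collapse "+91 98765-43210", "09876543210" and "9876543210" into one
        # key so formatting variants cannot bypass the per-number limit.
        # Assumption: 10-digit national numbers.
        digits = "".join(ch for ch in number if ch.isdigit())
        return digits[-10:]

    def _prune(self, queue, now):
        # Drop timestamps that have aged out of the window.
        while queue and now - queue[0] >= self.window_s:
            queue.popleft()

    def allow(self, number, client_ip):
        """Return (allowed, reason); record the send only when allowed."""
        now = self.clock()
        nq = self._by_number[self.normalize(number)]
        cq = self._by_client[client_ip]
        self._prune(nq, now)
        self._prune(cq, now)
        if len(nq) >= self.max_per_number:
            return False, "number_limit"
        if len(cq) >= self.max_per_client:
            return False, "client_limit"
        nq.append(now)
        cq.append(now)
        return True, "sent"


if __name__ == "__main__":
    limiter = OtpSendLimiter()
    # Constructed sample: same number requested from four different clients.
    for ip in ("198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"):
        print(ip, limiter.allow("+91 98765-43210", ip))
```

In a multi-server deployment the two dictionaries would be replaced by a shared store with key expiry so that the limit holds across instances.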

