By Mehab Qureshi
One of our colleagues recently woke up to hundreds of OTP messages from food delivery platforms like Zomato, Zepto, and Licious, all within a span of a few hours. He had just become a victim of what is called SMS Bombing, where a user’s number is bombarded with a large number of messages or even OTP calls within a short period of time, with a clear intention to harass the user and disrupt the normal working of their device.
Mehul Bhandari, 32, a software developer based in Vapi, has a similar story to narrate. “For several days, I would get hundreds of OTP SMSes, and it would irritate me.” He even tried registering a complaint with the cyber police, but that didn’t stop the spam messages. “Ultimately, I researched and downloaded the app, and blacklisted my number.” SMS Bombing happens using freeware and the apk files are available for download online. Some of the popular SMS bombing apps are SMSBomber, BombItUp, and TXTBlast. According to Sourajeet Majumder, a cyber expert, in most cases, websites exploit vulnerable API points of other firms which are actually used to send OTPs and texts to legitimate users for login, password reset, etc. “The attackers exploit these APIs by making GET/POST requests with their scripts, which in turn automates the sending of messages and helps orchestrate SMS bombing attacks.”
Bombarding a phone with SMSes even after it activates the DND service is not just a form of harassment and nuisance (IPC Section 268), but “a trap, bait, and a criminal act of theft, cheating and dishonestly inducing delivery of property under IPC Sections 378 & 420,” said Bombay High Court lawyer Satya Mulay. “Under S 43-A of IT Act 2000, the onus is also on telecom operators and corporates to implement security safeguards to protect the personal data of their clients who are at risk of such phishing scams, failing which the corporates are liable to pay damages in the form of compensation to the victims. It also amounts to an invasion of a person’s privacy,” he added.
Majumder advised that a number of websites which provide SMS Bombing facilities also provide options to protect your number. “Once a number is saved on the protection list, one cannot use that particular website to SMS bomb you.”
Meanwhile, users can try out anti-SMS Bombers which are tools that automatically block incoming messages from a particular sender if an OTP or SMS is sent more than three times. “Users can also try reaching out to the security teams of firms from whom they are receiving the messages. This might help the firm to patch the vulnerable API which, in turn, will make it impossible for attackers to use it for SMS Bombing,” he added.
— SMS Bombing happens using freeware and the apk files are available for download
— A number of websites which provide SMS Bombing facilities also provide options to protect your number
— You can also use anti-SMS Bombers to block messages