SMS bombing operation uses unprotected MongoDB to hit millions

News by Robert Abel

A researcher has uncovered a massive SMS Bombing Operation in a passwordless database that exposed the sensitive information of millions of users.

Security researcher Bob Diachenko discovered an open and unprotected MongoDB instance containing a massive amount of data including MD5 hashed emails, first and last names, location data, IP address, phone number, mobile network carrier and line type (mobile or landline).

The MongoDB instance was named ApexSMS index and is also the name of a SMS Bombing program with the same name that is highly advertised on hacker or black hat forums.

SMS Bombing is when threat actors use a software program to duplicate the same messages multiple times or rotates different messages and sends the messages to a number of their choice for either a prank, harassment, or marketing products and services.

Diachenko said it appears the alleged owners of the database may have an official cover as mobiledrip(dot)com, however, this is still to be confirmed as they never received confirmation from anybody at MobileDrip.

The company claims its services can allow customers to send more than five million SMS messages per month.

While the site claims that it doesn’t engage is spam, the researchers said the database contained the messages, that were designed to trick people into clicking links by pretending to be a referral from a friend or family member, sent to millions of people.

The script also tracked responses or actions and in one of the SMS messages received by the platform replied, "Nathan is married and didn’t talk to you yesterday because I his wife had this phone. Text this phone I’ll have you charged with harassment."

Diachenko said it is unclear how long the instance was accessible or who else may have accessed the contacts but said it does raise the issue once again that data security can affect legitimate businesses and what many would consider "grey marketing" at best.

In an email to SC Media UK, Tom Davison, director EMEA at Lookout commented:  "The challenge for the end user comes with validating the reputation of the sender and the associated risk in following up. If individuals come across a similar campaign or they are unsure of the sender, then the advice remains the same to never click on any links in texts or share personal details.  In addition, a  mobile endpoint security solution that assesses web and content risk removes this uncertainty and allows for safer interactions."

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews