What is SMS Bombing?
Mobile devices send text messages through the Short Message Service (SMS). Although most of us are accustomed to sending one special message at a time, several services are available that can significantly speed up and increase the frequency of your messaging. An SMS bomber is a software that repeatedly copies the same message and transmits it to a specific receiver. You obtain the programme online and utilise the text-messaging capabilities of your phone to send the SMS bombs.
These applications, like social media applications, have much of your data and pose a risk. To understand better, read this blog: Privacy Risks in Social Media: Protecting Personal Information Online.
Online downloads of the APK files are accessible for SMS bombing, which uses freeware. SMSBomber, BombItUp, and TXTBlast are some well-known SMS bombing applications. The websites frequently take advantage of weak API points owned by other companies that deliver OTPs and messages to authorised users for login, password reset, etc. The attackers use their scripts to make GET/POST queries on these APIs, which automates message transmission and aids in planning SMS bombing attacks.
Also Read: Online Pharmacies and Data Privacy.
Why should it matter to you?
Your friend might often bombard you with these messages just for the sake of a prank, but it can be at the risk of breaching his privacy or yours. These applications and websites that help pull such tricks off can sneak into the systems used to pull this prank off, and guess what happens next?
Yep, you guessed it right—a Privacy and Security breach.
While SMS bombing may seem like harmless fun, it can lead to serious privacy and security issues. Under India’s Digital Personal Data Protection Act (DPDPA), any misuse of personal data or unauthorized access to systems, even for pranks, could have legal consequences. By downloading and using these apps, users risk exposing their personal information, including phone numbers, messages, and device data, to malicious actors.
The DPDPA’s General Obligations for Data Fiduciaries require businesses to implement robust safeguards to protect personal data from unauthorized access. Weak APIs exploited for SMS bombing attacks highlight the importance of compliance with such obligations, as these vulnerabilities can lead to data breaches affecting both individuals and organizations.
To read more about Data Fiduciary’s obligations, visit: THE GENERAL OBLIGATIONS OF THE DATA FIDUCIARIES UNDER THE DPDP ACT, 2023
A breach of privacy, as outlined in the DPDPA, can have severe consequences for individuals and organizations. Your phone’s data, including messages, contacts, and other sensitive information, could be at risk.
To reduce these risks:
- Avoid using or endorsing SMS bombing tools.
- Report any suspicious links or excessive message spam.
- Educate others on the privacy implications of such activities.
For more about privacy risks in commonly used platforms, explore this blog by Tsaaro: Privacy Risks in Social Media: Protecting Personal Information Online.
Remember, SMS bombing is more than a harmless prank—it’s a gateway to privacy and security breaches. Be vigilant and prioritize protecting personal data, both yours and others.
Major Privacy Updates of the Week
Uber blames recent security breach on LAPSUS$ hacking group
A cyberattacker gained access to Uber‘s computer network, according to the company, and after obtaining the employee’s login information from the dark web, entered the account of an EXT contractor. Uber said the contractor unintentionally accepted a verification notification that eventually gave the attacker access. Uber has online security measures in place for employee logins. From there, the attacker gained access to a number of worker accounts and applications like G-Suite and Slack. Uber blamed the hacker collective Lapsus$, which in 2022 breached Microsoft, Cisco, Samsung, Nvidia, Okta, and other companies using similar methods.
Morgan Stanley fined $35 million by US authorities for failing to protect customer data
The largest provider of financial services in America, Morgan Stanley, agreed to pay a $35 million fine to the Securities and Exchange Commission (SEC) for data security violations. The corporation would have permitted about 1000 unencrypted hard drives (HDDs) and about 8000 backup tapes from decommissioned data centres to be resold on auction websites without being initially erased, according to the SEC’s lawsuit. According to the SEC complaint, the unlawful disposal of the devices allegedly began in 2016 and was a part of an “extensive failure” that exposed the data of 15 million users.
Australian telecommunications provider Optus suffers cyber-attack compromises customer’s personal information
One of the biggest #telecommunications service providers in Australia, Optus Telecom, managed to escape a hack that revealed the data of its clients. The birth dates and contact information were accessible to the hackers. Some of the users’ driving license information has been made public. Additionally, a handful of the user’s passports and mailing addresses were stolen. Optus, however, claimed that the information pertaining to payments and passwords had not been altered. Nearly nine million people have been impacted by the cyberattack.
Meta sued for collecting users’ data despite Apple’s privacy features
Meta is facing a new proposed class action lawsuit that accuses it of tracking and collecting the personal data of iPhone users, despite features and policies made by Apple which are meant to stop that same type of tracking, within its Facebook and Instagram apps. Meta has been known to disagree with #ATT. The act of tracking users is a clear violation of Apple’s App Tracking Transparency (ATT) policy, which mandates that apps obtain users’ permission before tracking them across apps and websites run by other businesses.
Crypto trading firm Wintermute loses $160 million in DeFi hack
Leading #cryptocurrency market maker Wintermute has disclosed that hackers were able to take $160 million from the business’s decentralised finance (DeFi) division. The hack adds London-based Wintermute to the long list of businesses affected by cyber security breaches. In total, 90 different assets worth a combined $160 million were taken in the hack.
Curated by: Prajwala D Dinesh, Ritwik Tiwari, Ayush Sahay
WEEKLY PRIVACY NEWSLETTER
Keep up to pace with this high-impact weekly privacy newsletter that
features significant data privacy updates, trends, and tools that can
help to make your life secure & easier every day!
*By clicking on subscribe, I agree to receive communications from Tsaaro
I’m so glad I found this post. Thanks for sharing!
Daily data used
This is really interesting, You’re a very skilled blogger. I’ve joined your feed and look forward to seeking more of your magnificent post. Also, I’ve shared your site in my social networks!