Malware
SMS PVA Part 2: Underground Service for Cybercriminals
In part two of this blog entry, we further investigate the innings of smspva.net and discuss the impact and implications of such services.
In part one, we extensively discussed SMS PVA and started investigating a particular service called ReceiveCode that our team first found on a Facebook advertisement.
ReceiveCode offers users access to SMS code verification sent to mobile numbers that the company has in their storage. Customers simply need to sign up to their customer-facing portal, smspva.net, to start using their services.
In this article, we’ll discuss how smspva.net and Android SMS interception works hand in hand. We’ll also illustrate an example of how users can use smspva.net to get an SMS verification code without using their own mobile number.
SMS PVA: A further investigation
Many services use additional verification during the registration of new accounts. For example, an IP address may be required to match the geographical location of a phone number before a user can create an account. Similarly, location-specific validation or restriction can be required. For example, certain content can be made only available to specific countries.
To circumvent this, SMS PVA users use third-party IP masking services, such as proxies or virtual private networks (VPNs), to change the IP address that will be recorded when they try to connect to a desired service. Using Trend Micro™ Smart Protection Network™ (SPN) telemetry, we have identified that the users of SMS PVA services extensively use a variety of proxy services and distributed VPN platforms to bypass the IP geolocation verification check.
We observed that the user registration requests, and SMS PVA API requests often come from an exit node of a VPN service or a residential proxy system. This means that the users of SMS PVA services typically use them in combination with some sort of residential proxy or a VPN service that allows them to select the country of the IP exit node to match the telephone number used to register the service.
Smspva.net and Android SMS interception
To demonstrate how SMS PVA and Android SMS interception work together, we’ve created a hypothetical scenario using Carousell—Southeast Asia’s biggest open market.
1. First, you need to sign up for a smspva.net account and top up their balance.
2. Then, choose a “project”. Project is the online service or platform they support and are capable of intercepting SMS verification. For this scenario, the project is Carousell.
3. Proceed to create a Carousell account.
4. For the mobile number field, request a mobile number in smspva.net. The service will supply you with a mobile number that you can use to fill the mobile number field in the account creation process.
5. Carousell will then send a verification SMS to the mobile number with a one-time code. The malware will then intercept the SMS and send it over to smspva.net.
6. You can then get the verification code from smspva.net and supply it in the sign-up form. Optionally, you can be using a residential proxy service to match the geographical location of the used phone number. After this, you’ve passed the verification check and an account is created.
Because of this, the victim's mobile numbers will have an associated account to whatever platform or service registered by the smspva.net user. Through the Smart Protection Network (SPN) telemetry we were able to collect a small sampling set of the phone numbers, which were obtained from the SMS PVA platform by the actual users of this service.
In this sample, we found an Indonesian mobile number with a matching photograph in WhatsApp (presumed to be the real account of the owner), but a Telegram account associated with the same phone number has a name written in Cyrillic. This account is presumed to have been registered using SMS PVA.
These are just some illustrations of the common trend we saw on smspva.net. Either the accounts have different names across different services, or the country of the mobile phone does not match the language used in the account. To us, this shows the victim's mobile numbers were successfully used and registered by operators availing of the smspva.net service..
A “win” for cybercriminals
SMS verification has become the standard method that online services platforms and services used to confirm that one person is only using one account. But because of new services like SMS PVA, cybercriminals can now bypass this method and even capitalize on it.
Here are a few benefits of such service for cybercrime actors:
- Anonymity. With SMS PVA, cybercriminals can make use of disposable numbers for their account registrations without worrying that the accounts and numbers can be traced back to them. Some countries would require identification when purchasing SIM cards and they don’t even have to worry about that with SMS PVA.
- Coordinated inauthentic behavior. Coordinated inauthentic behavior is often used to distribute and amplify information at a big scale, fast, and with the necessary precision. This could be a misinformation campaign, attempts to manipulate public opinion related to particular brands, services, political views, or government programs such as vaccination campaigns.
SMS PVA service is based on thousands of compromised smartphones spread across various countries. With this service, SMS PVA users can register accounts with precision on the country level and can therefore launch campaigns using fake accounts pretending to be from the country they’re targeting. - Abuse of sign-in bonuses. Through SMS PVA services, cybercriminals can simply create multiple accounts to take advantage of sign-up promotions offered by online services and platforms. They can then sell their bonuses to unassuming victims.
- Abuse of app gamification bonuses. Cybercriminals can use SMS PVA services to create accounts and benefit from app gamification bonuses. They can create fake accounts to gain more views which will lead to more bonuses.
- Circumvent regional restrictions. SMS PVA services were also used to circumvent government or country restrictions. For example, users with Chinese phone numbers cannot register on a Binance platform. By using an SMS PVA service, cybercriminals can work around this restriction and sign up for a Binance account.
- Avoid penalties and liabilities. Because of the anonymity SMS PVA services provide, cybercriminals can avoid legal liabilities and penalties when they commit any abuse or violation using their fake accounts.
- Scam and fraud. SMS PVA allows scammers to register bulk accounts in any of the messaging apps and then use those accounts to send their lures and social engineering tricks.
Impacts and implications
The most vulnerable victims of services like smspva.net are the unwitting and unknowing individuals with infected smartphones. They are most likely unaware of the infections, and if they won't register to any of the apps their phone numbers were used for, they won't even know that something is amiss.
In the event a criminal investigation takes place due to any scam or fraudulent activities associated with the account, the owner of the victim's mobile number can become a suspect and the subject of investigation.
SMS PVA services also have a huge impact on online platforms and services that use SMS verification as a security measure. Because SMS PVA services are able to intercept these messages, this security method is now broken.
This also impacts current anti-fraud and inauthentic user behavior models being implemented, such that it now needs to take account not only for actions performed by unverified accounts but verified accounts as well.
Single-sign-on (SSO) schemes that allow users to use a single set of authentication credentials to login into a group of services are also heavily affected by SMS PVA services.
It is now possible to use SMS PVA services for bulk account creation in major platforms since access to the actual phone and the SMS message is required only once.
In the final part of our blog entry, we’ll discuss which countries are most affected by SMS PVA services and which online services and platforms are most used by customers. We’ll also lay out a few recommendations to mitigate the risks of this sophisticated threat.