SMS Bombing Operation in Passwordless Database Uncovered by a Security Researcher

Passwordless Database breached
Passwordless Database breached

Bob Diachenko, a Cyber Threat Intelligence Director and a journalist at SecurityDiscovery.com has uncovered a massive SMS Bombing Operation that exposes millions of users’ information.

You might be wondering why is the uncovering of SMS bombing so relevant. Well, let us start first to elaborate what is SMS Bombing, it is basically sending duplicated text messages that can be sent to several cellular phone users at a time. It uses a software program called “SMS Bomber”, this software program is mostly used for SMS marketing products and services by legitimate companies. However, these companies have their customers consent to receive such text messages. In the case of this passwordless database which was uncovered by Bob Diachenko on April 11th, the users’ information might be used by hackers or fraudster for illegal acts such as phishing techniques.

According to Bob Diachenko on the article he published for SecurityDiscovery.com, he discovered an unprotected MongoDB instance named ApexSMS, this database has millions of data relevant to SMS operations, in fact, according to Diachenko, one prominent folder contained an astounding 80, 055, 125 records.

Some information contained in the database were as follows:

  • Hashed email
  • First and Last Name
  • City, State, Country and Zip Codes
  • IP Address
  • Phone Number
  • Carrier Network for Mobile
  • Line Type (Mobile or Landline)

Allegedly the owners of this database may have an official cover as MobileDrip.com, however it is not yet confirmed since they have not receive yet any response from Mobiledrip.com, which according to its website: “Mobile Drip is a cloud based SMS platform that’s optimized for high volume messaging with all the tracking, automation, segmentation, and data management features you need to maximize the profitability of your campaigns.” The also indicated on their website that they will not knowingly engage in spam.

Related:  Saving The Earth With Old Mobile Phones

Legitimate companies mostly use SMS Marketing, thus Mobiledrip.com clearly describe how automated SMS Marketing works:

  • Attach drip campaigns to your lists and list segments to completely automate your sending.
  • Drip campaigns include the same features as broadcasting
  • Rotating Providers, Rotating Messages
  • Auto-replacing Domains
  • Segmenting data by carrier, gender, ethnicity, and location so you can optimize the messages you’re sending based on the leads
  • View stats for each message inside the drip campaigns
  • View drip message queue and history with stats on all messages.

On the other hand, Diachenko said that these information might be used to trick people to click on untrusted links or any phishing techniques which mostly victimized older people. Thus, this issue really raises concern about security and protection of the users’ information, it also affects the legitimate companies who does SMS Marketing to send information to their customers.

With this, let us all be careful to believe in text messages that we received, especially those which came from an unknown number or source. Always make sure to validate first, it is ok to be doubtful sometimes especially when you know that your information security is at stake.

Leave a Comment