SMS PVA Part 2: Underground Service for Cybercriminals

In this sample, we can see an Indonesian mobile number with an “ethnically” matching photograph in WhatsApp (presumed to be the real account of the owner), but with a Russian name in Telegram (an account presumed to have been registered using SMS PVA).

These are just some illustrations of the common trend we saw. Either the accounts have different names across different services, or the country of the mobile phone does not match the language used in the account. To us, this shows that the victims’ mobile numbers were successfully used and registered by operators availing of the service.
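The two mismatches described above (different names across services, and a phone country that does not match the language used in the account) can serve as review signals on the defender's side. The following Python is an added example, not code from the original research; the dial-prefix table, record fields and sample accounts are constructed assumptions, and a mismatch is a weak signal meant to be combined with others.

```python
import unicodedata
from collections import defaultdict

# Assumption: a tiny dial-prefix table for this example; production checks need a full numbering plan.
DIAL_PREFIXES = {"+62": ("ID", "LATIN"), "+7": ("RU", "CYRILLIC"), "+86": ("CN", "CJK")}

def phone_country(number):
    """Return (country, expected_script) for an E.164 number, longest prefix first."""
    for prefix in sorted(DIAL_PREFIXES, key=len, reverse=True):
        if number.startswith(prefix):
            return DIAL_PREFIXES[prefix]
    return (None, None)

def dominant_script(text):
    """Most common Unicode script among the letters of a display name."""
    counts = defaultdict(int)
    for ch in text:
        if ch.isalpha():
            counts[unicodedata.name(ch, "UNKNOWN").split()[0]] += 1
    return max(counts, key=counts.get) if counts else None

def review_signals(accounts):
    """Return {phone: [signal, ...]} for numbers worth a manual look."""
    by_phone = defaultdict(list)
    for acct in accounts:
        by_phone[acct["phone"]].append(acct)
    findings = {}
    for phone, accts in by_phone.items():
        signals = []
        _, expected = phone_country(phone)
        for a in accts:
            script = dominant_script(a["name"])
            # Signal 1: display-name script differs from the number's country.
            if expected and script and script != expected:
                signals.append(f"script_mismatch:{a['service']}")
        # Signal 2: the same number carries different names on different services.
        if len({a["name"].casefold() for a in accts}) > 1:
            signals.append("name_differs_across_services")
        if signals:
            findings[phone] = signals
    return findings

# Constructed sample records (not real accounts).
SAMPLE = [
    {"phone": "+6281200000001", "service": "whatsapp", "name": "Budi Santoso"},
    {"phone": "+6281200000001", "service": "telegram", "name": "Дмитрий Иванов"},
    {"phone": "+79160000002", "service": "whatsapp", "name": "Анна Петрова"},
    {"phone": "+79160000002", "service": "telegram", "name": "Анна Петрова"},
]
```

Legitimate users (expatriates, multilingual users, nicknames) also trip these checks, so the output is a queue for scoring or review rather than a verdict.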

A “win” for cybercriminals

SMS verification has become the standard method that online platforms and services use to confirm that one person is using only one account. But because of new services like SMS PVA, cybercriminals can now bypass this method and even capitalize on it.

Here are a few benefits of such a service for cybercrime actors:

  • Anonymity. With SMS PVA, cybercriminals can make use of disposable numbers for their account registrations without worrying that the accounts and numbers can be traced back to them. Some countries require identification when purchasing SIM cards, and with SMS PVA they don’t even have to worry about that.
  • Coordinated inauthentic behavior. Coordinated inauthentic behavior is often used to distribute and amplify information at scale, quickly, and with the necessary precision. This could be a misinformation campaign or an attempt to manipulate public opinion related to particular brands, services, political views, or government programs such as vaccination campaigns.
    The SMS PVA service is based on thousands of compromised smartphones spread across various countries. With this service, SMS PVA users can register accounts with precision at the country level and can therefore launch campaigns using fake accounts pretending to be from the country they’re targeting.
  • Abuse of sign-in bonuses. Through SMS PVA services, cybercriminals can simply create multiple accounts to take advantage of sign-up promotions offered by online services and platforms. They can then sell their bonuses to unsuspecting victims.
  • Abuse of app gamification bonuses. Cybercriminals can use SMS PVA services to create accounts and benefit from app gamification bonuses. They can create fake accounts to gain more views, which will lead to more bonuses.
  • Circumvent regional restrictions. SMS PVA services were also used to circumvent government or country restrictions. For example, users with Chinese phone numbers cannot register on the Binance platform. By using an SMS PVA service, cybercriminals can work around this restriction and sign up for a Binance account.
  • Avoid penalties and liabilities. Because of the anonymity SMS PVA services provide, cybercriminals can avoid legal liabilities and penalties when they commit any abuse or violation using their fake accounts.
  • Scam and fraud. SMS PVA allows scammers to register bulk accounts in any of the messaging apps and then use those accounts to send their lures and social engineering tricks.

Impacts and implications

The most vulnerable victims of services like these are the unwitting and unknowing individuals with infected smartphones. They are most likely unaware of the infections, and if they never register for any of the apps their phone numbers were used for, they won’t even know that something is amiss.

In the event a criminal investigation takes place due to any scam or fraudulent activities associated with the account, the owner of the victim’s mobile number can become a suspect and the subject of investigation.

SMS PVA services also have a huge impact on online platforms and services that use SMS verification as a security measure. Because SMS PVA services are able to intercept these messages, this security method is now broken.

This also impacts the anti-fraud and inauthentic user behavior models currently being implemented, which now need to account not only for actions performed by unverified accounts but for those performed by verified accounts as well.

Single-sign-on (SSO) schemes that allow users to use a single set of authentication credentials to log in to a group of services are also heavily affected by SMS PVA services.

It is now possible to use SMS PVA services for bulk account creation in major platforms since access to the actual phone and the SMS message is required only once.

In the final part of our blog entry, we’ll discuss which countries are most affected by SMS PVA services and which online services and platforms are most used by customers. We’ll also lay out a few recommendations to mitigate the risks of this sophisticated threat.

