Boopathi

The Curious Case of the $15,000 Spam: My Unexpected Investigation

Last Friday started off like any typical day—I was busy with my work in my office when I stumbled upon a suspicious message.

[Image: SMS]

My instincts told me it was spam, but my curiosity got the best of me. I clicked the link, and that’s when the adventure began!

The Bait: A Tempting Offer

The link led me to a flashy website claiming, “Register and Get Up to $15,000 Free Cash Prize Bonus.”

[Image: OTP]

It even auto-filled my mobile number, which immediately raised my suspicions, but I decided to keep going. I clicked "Confirm" and soon received an OTP (One-Time Password). After entering the OTP, I was greeted with a bunch of gift boxes, prompting me to pick one.

[Image: website]

When I clicked "Activate Now," I was redirected to a well-known Indian gambling app's installation page. The scam was starting to come together.

Time to Investigate

With my developer hat on, I knew I had to dig deeper. I revisited the website and inspected the code, and here’s where it got interesting: the code looked like it was generated by ChatGPT! They hadn’t even removed the comments.

[Image: website source code]

Even more shocking? The OTP was hardcoded as 456398, which was the exact number I received. They were sending the same OTP to everyone!

Behind the Curtain

Next, I checked where the site was hosted and found it was on AWS. Then, I took a look at the network requests to see how they were triggering the OTP. The request payload looked like this:

{
    "number": <mobile number>,
    "sms": "1"
}

Chasing the Money Trail

Curious about how they planned to make money, I researched the gambling app I was redirected to and discovered they had an affiliate program. This means the scammers earn money every time someone installs and plays the game using their referral link. A classic exploitation tactic!

A Bit of Payback

With all this information in hand, I couldn’t just let it go. I noticed they had an endpoint that allowed sending OTP to any phone number, which sparked an idea. I figured I could send random valid phone numbers to their service—maybe even overload their system a bit, which is definitely going to cost them some amount of money.

So, I opened up ChatGPT (not my code editor!) and asked it to help me write a script that would send requests with randomly generated phone numbers. I capped it at around 5,000 requests to keep things manageable. It felt like just the right amount of payback without going overboard.
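
For contrast with the static OTP in the page source and the send endpoint that accepted any number, here is a sketch of what a legitimate OTP flow does on the server: a fresh random code per request, single-use verification with expiry and an attempt cap, and a per-number send throttle. This is an added example, not code from the site or from this post; the class name, the limits and the in-memory storage are assumptions.

```python
import hmac
import secrets
import time

OTP_TTL = 300        # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 5     # wrong guesses allowed per issued code (assumed)
SEND_WINDOW = 3600   # throttle window in seconds (assumed)
MAX_SENDS = 3        # OTP sends allowed per number per window (assumed)


class OtpService:
    """In-memory sketch; a real service would keep this state in a shared store."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # number -> [code_bytes, expires_at, attempts_left]
        self._sends = {}     # number -> timestamps of recent sends

    def issue(self, number):
        """Return a fresh code to hand to the SMS gateway, or None when throttled."""
        now = self._clock()
        recent = [t for t in self._sends.get(number, []) if now - t < SEND_WINDOW]
        if len(recent) >= MAX_SENDS:
            self._sends[number] = recent
            return None
        self._sends[number] = recent + [now]
        # Unpredictable and different on every request; never shipped to the client.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[number] = [code.encode(), now + OTP_TTL, MAX_ATTEMPTS]
        return code

    def verify(self, number, code):
        """Check a submitted code on the server; each issued code is single use."""
        entry = self._pending.get(number)
        if entry is None:
            return False
        expected, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[number]
            return False
        entry[2] -= 1  # count this guess before comparing
        if hmac.compare_digest(expected, code.encode()):
            del self._pending[number]
            return True
        return False
```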

Top comments (3)

Jhon

Your curiosity led to some nice adventures.

Anietie Brownson

Nice write-up
You just gotta admire their inventiveness 😆
Would love to know how your payback went

Boopathi

Thank you for your kind words. As I mentioned in the blog, I just completed a 5K request using random phone numbers, and one funny thing is their website is still open for anyone to misuse.