Last Friday started off like any typical day—I was busy with my work in my office when I stumbled upon a suspicious message.
My instincts told me it was spam, but my curiosity got the best of me. I clicked the link, and that’s when the adventure began!
The Bait: A Tempting Offer
The link led me to a flashy website claiming, “Register and Get Up to $15,000 Free Cash Prize Bonus.”
It even auto-filled my mobile number, which immediately raised my suspicions, but I decided to keep going. I clicked "Confirm" and soon received an OTP (One-Time Password). After entering the OTP, I was greeted with a bunch of gift boxes, prompting me to pick one.
When I clicked "Activate Now," I was redirected to a well-known Indian gambling app's installation page. The scam was starting to come together.
Time to Investigate
With my developer hat on, I knew I had to dig deeper. I revisited the website and inspected the code, and here’s where it got interesting: the code looked like it was generated by ChatGPT! They hadn’t even removed the comments.
Even more shocking? The OTP was hardcoded as 456398, which was the exact number I received. They were sending the same OTP to everyone!
Behind the Curtain
Next, I checked where the site was hosted and found it was on AWS. Then, I took a look at the network requests to see how they were triggering the OTP. The request payload looked like this:
{
  "number": "<mobile number>",
  "sms": "1"
}
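For contrast with what the post found (a constant OTP baked into the page and a send endpoint that accepts any number with no limit), here is an added example of how OTP issuance is normally done server-side. This is not code from the scam site or from the post's author; the server secret, the rate-limit values and the `deliver` callback standing in for an SMS gateway are all assumptions made for the example.

```python
import hmac
import secrets
import time
from collections import deque
from hashlib import sha256


class OtpService:
    """Server-side OTP issuance and verification with rate limits.

    Added example, not the scam site's code. `server_secret`, the limits and
    the `deliver` callback are assumptions standing in for real configuration
    and a real SMS gateway.
    """

    def __init__(self, server_secret: bytes, *, ttl=300, per_number_per_hour=3,
                 global_per_minute=100, max_attempts=5, clock=time.time):
        self._secret = server_secret
        self._ttl = ttl
        self._per_number_limit = per_number_per_hour
        self._global_limit = global_per_minute
        self._max_attempts = max_attempts
        self._clock = clock          # injectable for testing
        self._pending = {}           # number -> [digest, expires_at, attempts_left]
        self._per_number = {}        # number -> deque of send timestamps
        self._global = deque()       # send timestamps across all numbers

    def _digest(self, number: str, code: str) -> bytes:
        # Store only an HMAC of the code, so a leaked table does not leak OTPs.
        return hmac.new(self._secret, f"{number}:{code}".encode(), sha256).digest()

    @staticmethod
    def _prune(q: deque, now: float, window: float) -> None:
        # Drop timestamps that fell out of the sliding window.
        while q and q[0] <= now - window:
            q.popleft()

    def request_otp(self, number: str, deliver) -> str:
        """Issue a fresh random code for `number`, or refuse with a reason.

        `deliver(number, code)` stands in for the SMS gateway call (assumption).
        Returns "sent", "rate_limited_number" or "rate_limited_global".
        The global cap bounds the SMS bill if someone floods the endpoint.
        """
        now = self._clock()
        self._prune(self._global, now, 60)
        if len(self._global) >= self._global_limit:
            return "rate_limited_global"
        q = self._per_number.setdefault(number, deque())
        self._prune(q, now, 3600)
        if len(q) >= self._per_number_limit:
            return "rate_limited_number"
        # A new unpredictable 6-digit code on every request, never a constant
        # like the hardcoded value the post found in the page source.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[number] = [self._digest(number, code), now + self._ttl,
                                 self._max_attempts]
        q.append(now)
        self._global.append(now)
        deliver(number, code)
        return "sent"

    def verify(self, number: str, code: str) -> bool:
        """Constant-time, single-use, time-limited, attempt-limited check."""
        entry = self._pending.get(number)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[number]
            return False
        entry[2] -= 1
        if hmac.compare_digest(digest, self._digest(number, code)):
            del self._pending[number]    # single use
            return True
        return False


if __name__ == "__main__":
    # Constructed demo: the "gateway" just collects codes in a list.
    sent = []
    svc = OtpService(b"constructed-secret", per_number_per_hour=2)
    print(svc.request_otp("+91XXXXXXXXXX", lambda n, c: sent.append(c)))
    print(svc.verify("+91XXXXXXXXXX", sent[-1]))
```

The two limits do different jobs: the per-number cap stops one victim from being spammed, while the global per-minute cap puts a ceiling on how much SMS spend an open endpoint can be made to burn, which is exactly the cost exposure the post describes.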
Chasing the Money Trail
Curious about how they planned to make money, I researched the gambling app I was redirected to and discovered they had an affiliate program. This means the scammers earn money every time someone installs and plays the game using their referral link. A classic exploitation tactic!
A Bit of Payback
With all this information in hand, I couldn’t just let it go. I noticed they had an endpoint that allowed sending an OTP to any phone number, which sparked an idea. I figured I could send random valid phone numbers to their service—maybe even overload their system a bit, which was definitely going to cost them some money.
So, I opened up ChatGPT (not my code editor!) and asked it to help me write a script that would send requests with randomly generated phone numbers. I capped it at around 5,000 requests to keep things manageable. It felt like just the right amount of payback without going overboard.
Top comments (3)
Your curiosity led to some nice adventures.
Nice write-up
You just gotta admire their inventiveness 😆
Would love to know how your payback went
Thank you for your kind words. As I mentioned in the blog, I just completed 5K requests using random phone numbers, and one funny thing is their website is still open for anyone to misuse.