Last Friday started off like any typical day—I was busy with my work in my office when I stumbled upon a suspicious message. My instincts told me it was spam, but my curiosity got the best of me. I clicked the link, and that’s when the adventure began!
The Bait: A Tempting Offer
The link led me to a flashy website claiming, “Register and Get Up to $15,000 Free Cash Prize Bonus.” It even auto-filled my mobile number, which immediately raised my suspicions, but I decided to keep going. I clicked “Confirm” and soon received an OTP (One-Time Password).
After entering the OTP, I was greeted with a bunch of gift boxes, prompting me to pick one. When I clicked “Activate Now,” I was redirected to a well-known Indian gambling app’s installation page. The scam was starting to come together.
Time to Investigate
With my developer hat on, I knew I had to dig deeper. I revisited the website and inspected the code, and here’s where it got interesting: the code looked like it was generated by ChatGPT! They hadn’t even removed the comments. Even more shocking? The OTP was hardcoded as 456398, which was the exact number I received. They were sending the same OTP to everyone!
Behind the Curtain
Next, I checked where the site was hosted and found it was on AWS. Then, I took a look at the network requests to see how they were triggering the OTP. The request payload looked like this:
{
"number": "<mobile number>",
"sms": "1"
}
Chasing the Money Trail
Curious about how they planned to make money, I researched the gambling app I was redirected to and discovered they had an affiliate program. This means the scammers earn money every time someone installs and plays the game using their referral link. A classic exploitation tactic!
A Bit of Payback
With all this information in hand, I couldn’t just let it go. I noticed they had an endpoint that allowed sending an OTP to any phone number, which sparked an idea. I figured I could send random valid phone numbers to their service—maybe even overload their system a bit—which was definitely going to cost them some money.
So, I opened up ChatGPT (not my code editor!) and asked it to help me write a script that would send requests with randomly generated phone numbers. I capped it at around 5,000 requests to keep things manageable. It felt like just the right amount of payback without going overboard.
It was a fine Friday. I was fixing a user issue when I got the message below,
which caught my attention. I knew it would definitely be a spam message, but my curiosity told me to see how they were trying to spam us, so I clicked the link. It took me to the website below, which asked me to register and get up to 15K free cash prize bonus; they had passed my mobile number and auto-filled it. Then I clicked Confirm and received the OTP.
I entered the OTP, and they showed a lot of gift boxes, one of which I needed to press. After pressing, I got the message below.
When I clicked Activate Now, I was redirected to a Play Store web page: the installation page of a famous Indian gambling game app.
So now I had clarity on what they were doing, and it was time to bring my developer brain in to investigate how and why they were doing it. So get ready for the investigation.
I revisited the website, inspected the code, and found this funny thing:
You may have guessed: the code was generated by ChatGPT :joy. Whoever is running this scam didn't even remove the comments, and if you noticed, they hardcoded the OTP value as 456398,
and that same number is the one I received, so they are sending the same OTP to everyone.
Next I checked the hosting details and found out that it was hosted on AWS. Then I inspected the network tab to check the endpoint being called to trigger the OTP; they send the number and an SMS count of 1 as form data, like below:
{
"number": "<mobile number>",
"sms": "1"
}
Next I started investigating how they were going to make money. I did some research on the famous gambling app it redirected me to and found out that they provide an affiliate program, which pays some amount of money if a user installs and plays the game via the referral link.
OK, the investigation is over; now it's time to take revenge. If you noticed one thing, they have an endpoint where we can send any phone number, and they are definitely using some service to send the SMS, so if I DDoS it with random valid phone numbers their bill is definitely going to rise, and that will definitely teach them a good lesson. So I opened ChatGPT (not the code editor) and asked it to write a script that would POST requests with randomly generated phone numbers and start hitting the website.
Basically I didn't want to do more damage to them, so I stopped at around 5k requests, maybe fewer, but I felt like stopping.