Last Friday started off like any typical day—I was busy with my work in my office when I stumbled upon a suspicious message. My instincts told me it was spam, but my curiosity got the best of me. I clicked the link, and that’s when the adventure began!

The Bait: A Tempting Offer

The link led me to a flashy website claiming, “Register and Get Up to $15,000 Free Cash Prize Bonus.” It even auto-filled my mobile number, which immediately raised my suspicions, but I decided to keep going. I clicked “Confirm” and soon received an OTP (One-Time Password).

After entering the OTP, I was greeted with a bunch of gift boxes, prompting me to pick one. When I clicked “Activate Now,” I was redirected to a well-known Indian gambling app’s installation page. The scam was starting to come together.

Time to Investigate

With my developer hat on, I knew I had to dig deeper. I revisited the website and inspected the code, and here’s where it got interesting: the code looked like it was generated by ChatGPT! They hadn’t even removed the comments. Even more shocking? The OTP was hardcoded as 456398, which was the exact number I received. They were sending the same OTP to everyone!

Behind the Curtain

Next, I checked where the site was hosted and found it was on AWS. Then, I took a look at the network requests to see how they were triggering the OTP. The request payload looked like this:

{
    "number": <mobile number>,
    "sms": "1"
}

Chasing the Money Trail

Curious about how they planned to make money, I researched the gambling app I was redirected to and discovered they had an affiliate program. This means the scammers earn money every time someone installs and plays the game using their referral link. A classic exploitation tactic!

A Bit of Payback

With all this information in hand, I couldn’t just let it go. I noticed they had an endpoint that allowed sending OTP to any phone number, which sparked an idea. I figured I could send random valid phone numbers to their service, maybe even overload their system a bit, which would definitely cost them some money.

So, I opened up ChatGPT (not my code editor!) and asked it to help me write a script that would send requests with randomly generated phone numbers. I capped it at around 5,000 requests to keep things manageable. It felt like just the right amount of payback without going overboard.
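The two weaknesses described above, an OTP hardcoded in the client-side code and a send-OTP endpoint that accepts unlimited requests for any number, are exactly what a correctly built OTP service avoids. The following is an added example written for this post, not the scam site's code or the author's script; the class name, the limits and the constructed phone numbers are assumptions:

```python
"""Server-side OTP issuing with single-use codes and per-number throttling.
Added example (not the scam site's code). Each request gets a fresh random
code that lives only on the server; the client never sees it in JavaScript.
"""
import hmac
import secrets
import time
from collections import defaultdict

OTP_TTL_SECONDS = 300        # assumed: code valid for 5 minutes
MAX_SENDS_PER_WINDOW = 3     # assumed: at most 3 SMS per number per window
WINDOW_SECONDS = 600


class OtpService:
    def __init__(self):
        self._pending = {}                  # number -> (otp, expires_at)
        self._send_log = defaultdict(list)  # number -> [send timestamps]

    def request_otp(self, number, now=None):
        """Issue a code for `number`, or return None when throttled."""
        now = time.time() if now is None else now
        recent = [t for t in self._send_log[number] if now - t < WINDOW_SECONDS]
        self._send_log[number] = recent
        if len(recent) >= MAX_SENDS_PER_WINDOW:
            return None  # caller answers with a generic "try again later"
        otp = f"{secrets.randbelow(10**6):06d}"  # fresh per request, never hardcoded
        self._pending[number] = (otp, now + OTP_TTL_SECONDS)
        self._send_log[number].append(now)
        return otp  # in production: hand to the SMS gateway, not to the HTTP reply

    def verify(self, number, candidate, now=None):
        """Constant-time check; a code is accepted once and then discarded."""
        now = time.time() if now is None else now
        entry = self._pending.get(number)
        if entry is None:
            return False
        otp, expires_at = entry
        if now > expires_at:
            del self._pending[number]
            return False
        ok = hmac.compare_digest(otp, candidate)
        if ok:
            del self._pending[number]  # single use
        return ok
```

A per-number limit alone does not stop a flood spread across many different numbers, so a real deployment also needs a per-client or per-IP budget and a CAPTCHA in front of the send endpoint.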