An unsecured SMS spam operation doxxed its owners

The database also stored personal data on more than 80 million people

A massive SMS spamming operation kicked out tens of millions of text messages, pestering unsuspecting recipients with links to fake sites flogging loans and free money.

The operation was simple but smart. The system processed vast batches of phone numbers and curated custom messages on the fly with links to the fake sites. These fake sites urged spam victims to sign up with their name, email address and phone number and promised “free money… for real.” (It wasn’t.) Sometimes confused victims would message the spam number back. If the system spotted certain keywords, like “report” or “FCC,” their number would be added to a “stop list” so they wouldn’t be bothered again.

It’s almost as if the spammers thought of everything. Except, that is, putting a password on their server.

Security researcher Bob Diachenko found the spam-sending database on an exposed server last month. He shared a portion of the data with TechCrunch. He also wrote up his findings. By coincidence, the server was pulled offline before we could reach out, but we still had time to look at the inner workings of the SMS spam operation.

And we knew exactly whom to contact — because the spam operators’ email addresses were listed as “admins” in the database.

“This incident raises the issue once again that data security can affect legitimate businesses and what many would consider ‘gray marketing’ at best,” said Diachenko.

The database is run by an outfit called ApexSMS. Little is known about Apex — it’s not known if it’s a legitimate company or not. Its website today is simply a login page, but for a time it said only, “nothing to see here.”

What is known is that ApexSMS, the name of the database on the exposed server, spammed millions of cell phone numbers with varying messages, all pushing their victims to dozens of different scam sites.

An example of the kinds of spam SMS messages sent (Image: TechCrunch)

ApexSMS relies on Mobile Drip, a “high-volume SMS” messaging and marketing platform. (A Mobile Drip subdomain points directly to ApexSMS’ login page.) Mobile Drip, which debuted in February, says it allows customers to use its platform to send pre-written messages that autoreply with the next message, and to broadcast messages, where the customer sends a single message in bulk.

The company’s sign-up form suggests the company can allow customers to send more than five million SMS messages each month — if they pay for it.

In all, the exposed database contained 80 million records — so-called leads, which marketers use to pitch products and services — which included people’s names, locations, phone numbers and IP addresses. It also contained cell phone numbers and their carrier network name.

Of the estimated 38 million messages sent through disposable toll-free phone numbers, 2.1 million victims clicked on the link in the message.

The database even kept track of who clicked on which message through Grand Slam Marketing, one of the alleged companies involved in the operations, which was named a “premium parter” on one of the scam sites victims were pointed to.

Other scam sites — like copytm.com — contained hidden code that scraped the name, email address, phone number and IP address and submitted it to ApexSMS’ spam database.

Dozens of other scam sites existed in the database.

Many of the scam domains used in the spam campaign (Image: TechCrunch)

The database also recorded when victims replied. More than 115,000 people responded to spam messages. “Wrong number,” said a few. “Who is this,” said others.

When one spam message said, “this is what we was talking about last night” with a scam link to try to trick the user into tapping, the database recorded the clearly frustrated reply. “Nathan is married and didn’t talk to you yesterday because I his wife had this phone. Text this phone I’ll have you charged with harassment,” the entry read.

One of the scam websites (Image: TechCrunch)

We sent several emails to ApexSMS and the operators found in the database but did not hear back. When reached, Mobile Drip responded with a statement:

“Mobile Drip is an SMS platform for businesses that gives a customer the ability to send SMS messages to their opt-in leads and customers, as well as track the results of their marketing campaigns,” said the statement. “Mobile Drip has clients from many different industries and all of them are required to adhere to strict guidelines on message content, as well as TCPA compliance,” referring to federal telemarketing rules.

In follow-up questions, Mobile Drip denied any connection to ApexSMS, and referred to the company’s terms and conditions, which expressly prohibit spam on its platform.

“We take compliance and data security very seriously, and we are currently investigating to determine to what extent our information has been exposed to unauthorized parties. We have currently engaged an outside legal firm to assist with our investigation of this matter and we are also engaging a cyber security firm to perform a security audit,” the company said.

“Our servers have always been password protected, so any information that may have been acquired was done so through illegal means with the goal of harming the reputation and financial success of the business,” said the company. TechCrunch disputes this claim.

Although we know the identities of the spammers, we are choosing not to publish their names. Although we’re confident in saying this is a spam operation, it’s for the courts to decide if it’s unlawful.

Most of the names in the database are associated with either ApexSMS, Mobile Drip, Grand Slam Marketing or a few other smaller advertising and marketing companies. It’s not known who was an active participant in the spam operation.

One of the named “admins” in the database, whom we are also not naming, claimed he was a contracted developer but declined to comment to TechCrunch, citing a non-disclosure agreement with ApexSMS. The former contractor was identified by his email address and by credentials, found in the database, for Cloudflare, which protects sites against cyberattacks and provides site privacy.

It’s also not known for how long the database was exposed or if anybody else accessed the database.

Regardless of the motives or the legality of the operation, Diachenko said these spammers were “still using and improperly storing the information or data of millions of people.”

Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
