Increasing phone authentication "spam"


Daniel Saner

May 4, 2021, 4:47:09 AM
to Firebase Google Group
Hi everyone,

I'm posting the question to this group since I highly suspect that this involves the Firebase SMS Verification service, given that the messages in question seem to use Firebase's fixed message template, verification code format, and sender ID.

Since March 21st this year, I've been receiving an increasing number of phone authentication message "spam" on my private mobile phone. It has reached a point where sometimes I get several of these messages a day. They show a wild mixture of languages and application names. So far I have received verification messages in, among other languages, German, English, Russian, Czech, Polish, Icelandic, French, Turkish, Japanese, and Thai.

My first question is: is this a known phenomenon or am I, for some reason or other, the only person affected by this? A web search has not revealed this being discussed anywhere else so far. I thought that maybe there is some app template that happens to use my number as a placeholder by coincidence, and some developers forget to change it. Speaking against that is that I don't think I've ever seen the same application name twice so far, and in that case I would expect repeated messages. Also, I'm not sure why anyone would use a Swiss number without any easy-to-remember sequence of numbers for that. I also looked into the possibility that my number might have leaked somewhere, but I couldn't find anything, the number doesn't even give any results in a Google web search.

My second question is: what could be going on here? My first thought was obviously that this is part of some scam. But I would be very confused about how that scam is supposed to work. I've heard about two ways of using phone verification messages abusively: in one, the verification messages are fake and contain a URL that they try to trick people into opening. Mine don't, they really stick to the standard Firebase phone authentication template, containing only an application name and a six-digit number. There's nothing to "fall for" or get tricked into. The other kind of scam I've read about is one which involves some social engineering by getting victims to forward those codes to someone else. But I never received anything like that, I just get random 6-digit verification codes, nothing else, without any context, with seemingly no pattern, several times a day.

Does anyone have any insights or ideas?

Sam Stern

May 4, 2021, 5:35:45 AM
to Firebase Google Group
Hi Daniel,

Sorry to hear about this! We have definitely had some reports of people using Firebase Phone Auth for spammy purposes (almost anything with a free trial has this problem) but I have not heard of any specific end-users like you receiving so many of these messages. The best thing you can do is write in to Firebase support (https://firebase.google.com/support) and provide the full messages/links you received. This will help us shut down the spammy apps (if that's appropriate) and maybe investigate a connection between them.

Thanks,
Sam


Dominik

May 9, 2021, 11:21:19 AM
to Firebase Google Group
Hi Daniel

I noticed the same behavior and came to the same hypothesis. In my case, the messages started arriving March 11 at the latest. Multiple languages, seemingly coming from multiple apps, app names and message language and scripts not corresponding, e.g., German message text with Russian Cyrillic app name. In fact Firebase Support sent me the link to your post after me having described the issue to them. They escalated to their engineering team.

Dominik

May 10, 2021, 5:44:12 AM
to Firebase Google Group
P.S. My number is a Swiss number, too.

Stefan Ganz

Jun 6, 2021, 9:11:34 PM
to Firebase Google Group
Some of our users are experiencing the same. They received spam SMS from the Firebase Auth phone number. All of them have Swiss phone numbers. The SMS contained Russian and Hungarian so far. I've reported it to Firebase Support but haven't heard back from them yet.

Is there any news on this issue? Is there something we can do to prevent it?

Daniel Saner

Jun 11, 2021, 10:12:04 AM
to Firebase Google Group
Hello everyone

Interestingly, the messages have stopped arriving for me immediately after having posted here. I have posted here on May 4, after having received multiple messages again on May 3, but those were the last ones I have received so far. It's been more than a month which is by far the longest I've gone without receiving any. Maybe the reports have helped to stop the abuse, although I'd still be curious to hear what might have been the intention behind it.

Dominik

Jun 28, 2021, 3:37:43 AM
to Firebase Google Group
My last (Russian, for "Rooter: Game Streaming, Daily Giveaways & Esports.") SMS from Phone Code arrived on May 5. No messages since then.

Today, June 28, I was sent a verification code for Globfone SMS Messenger from CloudOTP.

I do not use and never did use Globfone SMS Messenger. My cell phone number is not publicly available and is not listed among leaked numbers in Have I Been Pwned.

Is CloudOTP/Globfone SMS Messenger using Firebase?
