Webinar Today: Identity Under Attack – Strengthen Your Identity Defenses

Gain practical insights on balancing security, user experience, and operational efficiency while staying ahead of increasingly sophisticated threats.

The post Webinar Today: Identity Under Attack – Strengthen Your Identity Defenses appeared first on SecurityWeek.


Is spyware hiding on your phone? How to find out and remove it – fast

Think your phone is acting strange? It may be infected with spyware. Here are the warning signs and how you can stop it.


The US False Claims Act Becomes a Cybersecurity Enforcement Engine


For years, many government contractors treated cybersecurity compliance as a technical checklist, important, certainly, but often siloed within IT departments. That mindset is no longer tenable. The U.S. Department of Justice (DOJ) has announced that cybersecurity representations to the federal government are now squarely within the enforcement core of the False Claims Act (FCA). What began in October 2021 as the Civil Cyber-Fraud Initiative has matured into a sustained and expanding enforcement priority.

The numbers alone signal that this is not a passing trend. In January 2026, the DOJ announced that it recovered $52 million through nine cybersecurity-related FCA settlements in the fiscal year ending September 2025. Those recoveries formed part of a record-setting $6.8 billion in total False Claims Act recoveries that year.

Even more striking, DOJ reported that cybersecurity fraud resolutions have more than tripled in each of the past two years, evidence of what Deputy Assistant Attorney General Brenna Jenny described as a “significant upward trajectory.”

The False Claims Act: From Initiative to Institutional Priority

When the DOJ launched the Civil Cyber-Fraud Initiative in October 2021, it stated that it would use the FCA, complete with treble damages and statutory penalties, to pursue entities that knowingly submit false claims tied to cybersecurity obligations. The misconduct categories were specific and practical: 

  • Delivering deficient cybersecurity products or services
  • Misrepresenting cybersecurity practices or protocols
  • Failing to monitor and report cybersecurity incidents as required

At the time, some viewed the initiative as an experiment. That view is no longer credible. Since October 2021, the DOJ has settled fifteen civil cyber-fraud cases under the FCA. More than half of those settlements were announced during the current administration, surpassing the total from the earlier years following the initiative’s launch. Civil cyber-fraud enforcement is now part of the DOJ’s routine FCA portfolio, not an edge case. 

In remarks delivered on January 28, 2026, at the American Conference Institute’s Advanced Forum on False Claims and Qui Tam Enforcement, Jenny reaffirmed the administration’s commitment to this path. As the political official overseeing nationwide False Claims Act enforcement, she emphasized both the scale of recent recoveries and the continuing focus on cybersecurity. 

Misrepresentation, Not Mere Breach 

One of the most important clarifications in Jenny’s remarks addressed a persistent misconception: FCA cybersecurity cases are “not about data breaches,” but are instead “premised on misrepresentations.” That distinction matters. 

Breaches occur even in well-managed environments. The DOJ has signaled that it is not interested in punishing companies simply because they were victims of sophisticated attacks. Instead, the FCA becomes relevant when an organization tells the government it complies with cybersecurity requirements and, in reality, does not. 

Under the False Claims Act, liability turns on knowingly false or misleading claims for payment. In the cybersecurity context, this can include explicit certifications of compliance or even implied representations embedded in invoices and contract submissions. If a contractor seeks payment while failing to meet required cybersecurity standards, the DOJ may argue that the claim itself carries an implied assertion of compliance. 

That theory has teeth, particularly when paired with the FCA’s treble damages framework. 

Defense, Civilian Agencies, and Expanding Standards 

The majority of DOJ’s cybersecurity-related FCA settlements, nine out of fifteen, have involved U.S. Department of Defense (DoD) cybersecurity requirements. The DoD recently finalized the Cybersecurity Maturity Model Certification (CMMC), introducing structured and, for many contractors, third-party verification requirements. These developments create more objective benchmarks against which representations can be tested. 

Civilian agencies are moving in the same direction. In January 2026, the General Services Administration issued a procedural guide governing the protection of Controlled Unclassified Information (CUI) on nonfederal contractor systems. Like the CMMC framework, it contemplates extensive third-party assessments. Across the executive branch, scrutiny of contractor cybersecurity programs is intensifying. 

As federal dollars increasingly flow with cybersecurity conditions attached, across defense contractors, IT service providers, healthcare benefit administrators, research universities, and even entities adjacent to prime contractors, the FCA provides the DOJ with a powerful lever to enforce those conditions. 

Whistleblowers as Catalysts 

No discussion of the False Claims Act is complete without acknowledging the central role of whistleblowers. Qui tam provisions allow private individuals to bring FCA claims on behalf of the government and potentially receive up to thirty percent of any recovery. Defendants are also responsible for the whistleblower’s attorneys’ fees. 

Jenny noted that whistleblowers have continued to play a large role in cyber-fraud cases. That should not surprise anyone familiar with FCA enforcement. Cybersecurity compliance failures often surface internally before they become public. When employees believe their concerns are ignored, or worse, concealed, the FCA offers a direct channel to the DOJ. 

Organizations that treat internal cybersecurity complaints as routine HR matters underestimate the risk. A credible internal reporting system, thorough investigation processes, and transparent remediation efforts are not just governance best practices; they are FCA risk mitigation tools. 

In some circumstances, companies may need to evaluate disclosure obligations to the government, whether mandatory or voluntary. DOJ policies have increasingly emphasized cooperation credit in the cybersecurity arena, making early, good-faith engagement a strategic consideration. 

Governance Is Now a Legal Issue 

The DOJ’s approach no longer treats cybersecurity as merely a technical discipline. It is a representation issue, a contract performance issue, and ultimately an FCA issue. That reality demands cross-functional alignment.

Organizations doing business with the federal government should ensure: 

  1. Clearly defined roles and accountability for cybersecurity compliance.
  2. A comprehensive understanding of contractual and regulatory obligations.
  3. Coordinated reporting and escalation channels for cybersecurity concerns.
  4. Ongoing assessments of cybersecurity posture, including documented gap analyses and remediation plans supported by qualified experts.

These elements are not aspirational. They form the evidentiary record that may determine whether a dispute becomes an expensive False Claims Act investigation. 

The New Baseline 

The DOJ’s $6.8 billion in fiscal year 2025 False Claims Act recoveries, including $52 million from cybersecurity settlements, mark a shift. Cybersecurity is now central to DOJ FCA enforcement, not a secondary issue.

For contractors and grant recipients, accuracy in cybersecurity representations is critical. Under the False Claims Act, what an organization tells the government about its security posture must align with reality. Gaps between certification and practice can quickly escalate into costly investigations. 

Strengthening visibility across attack surfaces, monitoring emerging threats, and validating controls are essential steps in reducing FCA risk. Platforms like Cyble, recognized in Gartner Peer Insights for Threat Intelligence, help organizations maintain continuous intelligence, detect exposures early, and support defensible cybersecurity governance. 

Book a free demo with Cyble to see how AI-powered threat intelligence can help your organization stay ahead of risk and confidently support its cybersecurity commitments. 


The post The US False Claims Act Becomes a Cybersecurity Enforcement Engine appeared first on Cyble.


Microsoft to Refresh Windows Secure Boot Certificates in June 2026

After a decade and a half of service, the current certificates will expire, and new ones will be rolled out.

The post Microsoft to Refresh Windows Secure Boot Certificates in June 2026 appeared first on SecurityWeek.


GitGuardian Raises $50M Series C to Address Non-Human Identities Crisis and AI Agent Security Gap

New York, NY, 11th February 2026, CyberNewswire

Hackread – Cybersecurity News, Data Breaches, AI and More

SMS & OTP Bombing Campaigns: Evolving API Abuse Targeting Multiple Regions


RESEARCH DISCLAIMER:  
This analysis examines the most recent and actively maintained repositories of OTP & SMS bombing tools to understand current attack capabilities and targeting patterns. All statistics represent observed patterns within our research sample and should be interpreted as indicative trends rather than definitive totals of the entire OTP bombing ecosystem. The threat landscape is continuously evolving with new tools and repositories emerging regularly.

Executive Summary

Cyble Research and Intelligence Labs (CRIL) identified sustained development activity surrounding SMS, OTP, and voice-bombing campaigns, with evidence of technical evolution observed through late 2025 and continuing into 2026. Analysis of multiple development artifacts reveals progressive expansion in regional targeting, automation sophistication, and attack vector diversity.

Recent activity observed through September and October 2025, combined with new application releases in January 2026, indicates ongoing campaign persistence. The campaigns demonstrate technical maturation from basic terminal implementations to cross-platform desktop applications with automated distribution mechanisms and advanced evasion capabilities.

CRIL’s investigation identified coordinated abuse of authentication endpoints across the telecommunications, financial services, e-commerce, ride-hailing, and government sectors, collectively targeting infrastructure in West Asia, South Asia, and Eastern Europe.

Key Takeaways

  • Persistent Evolution: Repository modifications observed through late 2025, with new regional variants released in January 2026
  • Cross-Platform Advancement: Transition from terminal tools to Electron-based desktop applications with GUI and auto-update mechanisms
  • Multi-Vector Capabilities: Combined SMS, OTP, voice call, and email bombing, enabling sustained harassment campaigns
  • Performance Optimization: Implementation in Go, claiming significant speed advantages with FastHTTP library integration
  • Advanced Evasion: Proxy rotation, User-Agent randomization, request timing variation, and concurrent execution capabilities (75% SSL bypass prevalence)
  • Broad Infrastructure Exposure: ~843 authentication endpoints across ~20 repositories spanning multiple industry verticals
  • Low Detection Rates: Multi-stage droppers and obfuscation techniques evade antivirus detection at the time of analysis

Discovery and Attribution

What began in the early 2020s as isolated pranks among tech-savvy individuals has evolved into a sophisticated ecosystem of automated harassment tools. SMS bombing – the practice of overwhelming a phone number with a barrage of automated text messages – initially emerged as rudimentary Python scripts shared on coding forums.

These early implementations were crude, targeting only a handful of regional service providers and using manually collected API endpoints. Since then, the digital threat landscape has transformed dramatically, driven by the proliferation of public code repositories, the commoditization of attack tools, and the increasing sophistication of threat actors.

Our investigation into this evolving threat began with routine monitoring of malicious code repositories and underground discussion forums. What we discovered was far more extensive: a well-organised, rapidly expanding ecosystem characterized by cross-platform tool development, international collaboration among threat actors, and an alarming trend toward commercialization.

Repository Analysis and Dataset Composition

Malicious actors have weaponised GitHub as a distribution platform for SMS and OTP-bombing tools, creating hundreds of malicious repositories since 2022. Our investigation analyzed around 20 of the most active and recently maintained repositories to characterize current attack capabilities.

Across these repositories, there are ~843 vulnerable, catalogued API endpoints from legitimate organizations: e-commerce platforms, financial institutions, government services, and telecommunications providers.

Each endpoint lacks adequate rate limiting or CAPTCHA protection, enabling automated exploitation. Target lists span seven geographic regions, with concentrated focus on India, Iran, Turkey, Ukraine, and Eastern Europe.

Repository maintainers provide tools in seven programming languages and frameworks, from simple Python scripts to cross-platform GUI applications. This diversity enables attackers with minimal technical knowledge to execute harassment campaigns without understanding the underlying exploitation mechanics.

Attack Ecosystem: By The Numbers

Our analysis of active SMS bombing repositories gives us an insight into the true scale and sophistication of this threat landscape:

Figure 1: Research Overview - Key Metrics from Sample Analysis

Regional Targeting Distribution

Iran-focused endpoints dominate the observed sample at 61.68% (~520 endpoints), followed by India at 16.96% (~143 endpoints). This concentration suggests coordinated development efforts targeting specific telecommunications infrastructure.

Figure 2: Regional Distribution of Observed Endpoints (n ≈ 843)

Web-Based SMS Bombing Services

Accessibility and Threat Escalation

In parallel with the open-source repository ecosystem, a thriving commercial sector of web-based SMS-bombing services exists.

These platforms represent a significant escalation in threat accessibility, removing all technical barriers to conducting attacks. Unlike repository-based tools that require users to download code, configure environments, and execute commands, these web services offer point-and-click interfaces accessible from any browser or mobile device.

Deceptive Marketing Practices

Our analysis identified numerous active web services operating openly via search-engine-indexed domains. These services employ sophisticated marketing strategies, positioning themselves as ‘prank tools’ or ‘SMS testing services’ while providing the exact functionality required for harassment campaigns.

Figure 3: Web-Based SMS Bombing Services Indexed by Search Engines (Search Query: “sms bomber”)

Data Harvesting and Resale Operations

Although these websites present themselves as benign prank tools, they operate a predatory data-collection model in which users’ phone numbers are systematically harvested for secondary exploitation. These collected contact numbers are subsequently used for spam campaigns and scam operations, or monetized through resale as lead lists to third-party spammers and scammers. This creates a dual-threat model: users inadvertently expose both their targets and themselves to ongoing spam victimization, while platform operators profit from both service fees and the commodification of harvested contact data.

Technical Analysis

Attack Methodology

SMS bombing attacks follow a predictable workflow that exploits weaknesses in API design and implementation.

Figure 4: Observed SMS/OTP Bombing Abuse Lifecycle

Phase 1: API Discovery

Attackers identify vulnerable OTP endpoints through multiple techniques:

  • Manual Testing: Identifying login pages and registration forms that trigger SMS verification
  • Automated Scanning: Using tools to probe common API paths like /api/send-otp, /verify/sms, /auth/send-code
  • Source Code Analysis: Examining mobile applications and web applications for hardcoded API endpoints
  • Shared Intelligence: Leveraging community-maintained lists of vulnerable endpoints on forums and GitHub

Industry Sector Targeting Patterns

Our analysis reveals systematic targeting across multiple industry verticals, with telecommunications and authentication services comprising nearly half of all observed endpoints.

Figure 5: Industry Sector Targeting Distribution (n ≈ 843 endpoints)

Phase 2: Tool Configuration

Modern SMS bombing tools require minimal setup:

  • Multi-threading: Simultaneous requests to multiple APIs
  • Proxy Support: Rotation of IP addresses to evade rate limiting
  • Randomization: Variable delays between requests to appear more legitimate
  • Persistence: Automatic retry mechanisms and error handling
  • Reporting: Real-time statistics on successful message deliveries

Attacker Technology Stack Evolution

A detailed analysis of the ~20 repositories reveals significant technical sophistication and platform diversification:

Figure 6: Technology Stack Distribution (n ≈ 20 repositories)

Phase 3: Attack Execution

Once configured, the tool initiates a flood of legitimate-looking API requests.

Attack Vector Prevalence Analysis

Our analysis reveals the distribution of attack methods across the ~843 observed endpoints:

Figure 7: Attack Vector Distribution (% of ~843 endpoints)

Technical Sophistication: Evasion Techniques

Analysis of the ~20 repositories reveals widespread adoption of anti-detection measures designed to bypass common security controls.

Figure 8: Evasion Technique Prevalence (% of ~20 repositories)

Impact Assessment

Individual Users

For end users targeted by SMS bombing attacks, the consequences include:

  • Device Overload: Hundreds or thousands of incoming messages degrade device performance.
  • Communication Disruption: Legitimate messages are buried under spam, potentially leading to missed important notifications.
  • Inbox Capacity: SMS storage limits are reached, preventing the receipt of new messages.
  • Battery Drain: Constant notifications deplete the affected device’s battery.
  • MFA Fatigue: Overwhelming authentication requests create security blind spots.
  • Data Harvesting: Prank sites for SMS bombing likely sell or reuse data for fraud or scams.

Organizations

Businesses whose APIs are exploited face multiple challenges:

Financial Impact
  • Cost per OTP SMS: $0.05 to $0.20 per message
  • Attack cost (10,000 messages): $500 to $2,000 per attack
  • Unprotected endpoints: Monthly bills can escalate to significant amounts.

Operational Impact
  • User access issues: Legitimate users are unable to receive verification codes
  • Customer service: Overwhelmed with complaints
  • SMS delivery: Delays affecting all customers
  • Regulatory compliance: Potential violations if users cannot access accounts

Reputational Impact
  • Media coverage: Negative social media coverage
  • Customer trust: Erosion of customer confidence
  • Brand damage: Association with spam and poor security
  • Competitive position: Potential loss of business to competitors

Mitigation Strategies: Evidence-Based Recommendations

Based on analysis of successful bypass techniques across ~20 repositories, the following mitigation strategies are prioritized by effectiveness against observed attack patterns. Implementation of these controls addresses the primary exploitation vectors identified in our research.

For Service Providers (API Owners)

CRITICAL Priority

1. Implement Comprehensive Rate Limiting
  • Rationale: 67% of targeted endpoints lack basic rate controls
  • Implementation: Per-IP limiting: maximum 5 OTP requests per hour. Per-phone limiting: maximum 3 OTP requests per 15 minutes. Per-session limiting: maximum 10 total verification attempts
  • Evidence: Would have blocked 81% of observed attack patterns

2. Deploy Dynamic CAPTCHA
  • Rationale: 33% of tools exploit hardcoded reCAPTCHA tokens
  • Implementation: Use reCAPTCHA v3 with dynamic scoring. Rotate site keys regularly. Implement challenge escalation for suspicious behaviour
  • Evidence: Static CAPTCHA is defeated in most of the repositories

3. SSL/TLS Verification Enforcement
  • Rationale: 75% of tools disable certificate validation to bypass security controls
  • Implementation: Enable HSTS (HTTP Strict Transport Security) headers and implement certificate pinning for mobile applications. Monitor and alert on certificate validation errors
  • Evidence: The most common evasion technique observed across repositories

HIGH Priority

4. User-Agent Validation
  • Rationale: 58.3% of tools randomize User-Agent headers to evade detection
  • Implementation guidance: Maintain a whitelist of legitimate clients. Cross-validate User-Agent with other headers. Flag mismatched browser/OS combinations

5. Request Pattern Analysis
  • Rationale: Automated tools exhibit consistent timing patterns, unlike human behavior
  • Implementation guidance: Monitor for sub-100-ms request intervals. Detect sequential API endpoint testing. Flag multiple failed CAPTCHA attempts

6. Phone Number Validation
  • Rationale: Prevents abuse of number generation algorithms and invalid targets
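As an added illustration of the rate-limiting control (item 1) and the request-pattern analysis control (item 5) above, the following Python guard is example code written for this page, not Cyble's or any vendor's implementation. It enforces the three stated limits (5 per IP per hour, 3 per phone per 15 minutes, 10 attempts per session) with sliding windows and flags sub-100 ms request intervals for alerting; the IP addresses, phone numbers and session ids are constructed sample values.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Limits exactly as stated in the report's rate-limiting recommendation
PER_IP_LIMIT, PER_IP_WINDOW = 5, 3600       # max 5 OTP requests per hour per IP
PER_PHONE_LIMIT, PER_PHONE_WINDOW = 3, 900  # max 3 OTP requests per 15 min per phone
PER_SESSION_LIMIT = 10                      # max 10 verification attempts per session
MIN_HUMAN_INTERVAL = 0.100                  # sub-100 ms gaps between requests get flagged


@dataclass
class Decision:
    allowed: bool
    denied_by: list = field(default_factory=list)  # which limits rejected the request
    flags: list = field(default_factory=list)      # anomalies worth alerting on, not blocking


class OtpRequestGuard:
    """Sliding-window guard placed in front of an OTP-sending endpoint.

    Only requests that are actually allowed to send an SMS count toward the
    per-IP and per-phone windows; every attempt counts toward the session cap.
    """

    def __init__(self):
        self._ip_sends = defaultdict(deque)
        self._phone_sends = defaultdict(deque)
        self._session_attempts = defaultdict(int)
        self._last_request_at = {}  # ip -> timestamp of its previous request

    @staticmethod
    def _prune(window, horizon, now):
        # Drop send timestamps that have aged out of the sliding window.
        while window and window[0] <= now - horizon:
            window.popleft()

    def check(self, ip, phone, session_id, now):
        """Evaluate one OTP request; `now` is a monotonic timestamp in seconds."""
        d = Decision(allowed=True)

        # Request-pattern analysis: humans do not resubmit a form 100 ms apart.
        last = self._last_request_at.get(ip)
        if last is not None and now - last < MIN_HUMAN_INTERVAL:
            d.flags.append("sub_100ms_interval")
        self._last_request_at[ip] = now

        self._session_attempts[session_id] += 1
        if self._session_attempts[session_id] > PER_SESSION_LIMIT:
            d.denied_by.append("per_session")

        ip_win = self._ip_sends[ip]
        self._prune(ip_win, PER_IP_WINDOW, now)
        if len(ip_win) >= PER_IP_LIMIT:
            d.denied_by.append("per_ip")

        phone_win = self._phone_sends[phone]
        self._prune(phone_win, PER_PHONE_WINDOW, now)
        if len(phone_win) >= PER_PHONE_LIMIT:
            d.denied_by.append("per_phone")

        d.allowed = not d.denied_by
        if d.allowed:  # record the send only when an SMS actually goes out
            ip_win.append(now)
            phone_win.append(now)
        return d


def simulate_bombing_run(requests=20, interval=0.05):
    """Constructed scenario: one tool, one IP, one session, hammering one number
    every 50 ms. Returns (SMS actually sent, requests flagged by timing, denial counts)."""
    guard = OtpRequestGuard()
    sent, flagged, denied_by = 0, 0, defaultdict(int)
    for i in range(requests):
        d = guard.check("198.51.100.7", "+15550100", "sess-A", now=i * interval)
        sent += d.allowed
        flagged += bool(d.flags)
        for reason in d.denied_by:
            denied_by[reason] += 1
    return sent, flagged, dict(denied_by)


def simulate_legitimate_retry():
    """Constructed scenario: a real user retrying a minute apart, three times in all.
    Every request is sent and nothing is flagged."""
    guard = OtpRequestGuard()
    results = [guard.check("203.0.113.5", "+15550199", "sess-B", now=t) for t in (0, 60, 120)]
    return all(r.allowed for r in results) and not any(r.flags for r in results)
```

Of the 20 bombing requests only 3 SMS go out (the per-phone window trips first), the session cap adds a second denial reason from the 11th attempt, and 19 of the 20 requests are flagged for sub-100 ms spacing.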

For Enterprises (API Consumers)

  • SMS Cost Monitoring: Set spending alerts at $100, $500, and $1,000 thresholds. Review daily SMS volumes for anomalies. Identify and investigate anomalous spikes immediately
  • Multi-Factor Authentication Hardening
  • Vendor Security Requirements: Mandate rate-limiting requirements in service-level agreements. Require CAPTCHA implementation on all OTP endpoints. Request monthly security and abuse reports. Include SMS abuse liability clauses in contracts

For Individuals

  • Number Protection
  • MFA Best Practices: Prefer authenticator apps (Google Authenticator, Authy) over SMS. Never approve unexpected or unsolicited MFA prompts. Contact the service provider immediately if SMS bombing occurs
  • Incident Response: Document attack timing, volume, and sender information. File police reports for harassment or threats. Request carrier assistance in blocking source numbers. Monitor all accounts for unauthorized access attempts

Conclusion

The SMS/OTP bombing threat landscape has matured significantly between 2023 and 2026, evolving from simple harassment tools into sophisticated attack platforms with commercial distribution. Our analysis of ~20 repositories containing ~843 endpoints reveals systematic targeting across multiple industries and regions, with concentration in Iran (61.68%) and India (16.96%).

The emergence of Go-based high-performance tools, cross-platform GUI applications, and Telegram bot interfaces indicates the professionalization of this attack vector. With 75% of analyzed tools implementing SSL bypass and 58% using User-Agent randomization, defenders face sophisticated adversaries simultaneously employing multiple evasion techniques.

Organizations must prioritize comprehensive rate limiting, dynamic CAPTCHA implementation, and robust monitoring to achieve the projected 85%+ attack prevention effectiveness. The financial impact—potentially exceeding $50,000 monthly for unprotected endpoints—justifies immediate investment in defensive measures.

As the ecosystem continues to evolve, continuous monitoring of underground forums, repository activity, and emerging attack patterns remains essential for maintaining effective defenses against this persistent threat.

MITRE ATT&CK® Techniques

  • Initial Access: T1190 – Exploit Public-Facing Application
  • Execution: T1059.006 – Command and Scripting Interpreter
  • Defense Evasion: T1036.005 – Masquerading: Match Legitimate Name or Location
  • Defense Evasion: T1027 – Obfuscated Files or Information
  • Defense Evasion: T1553.004 – Subvert Trust Controls: Install Root Certificate
  • Defense Evasion: T1090.002 – Proxy: External Proxy
  • Credential Access: T1110.003 – Brute Force: Password Spraying
  • Credential Access: T1621 – Multi-Factor Authentication Request Generation
  • Impact: T1499.002 – Endpoint Denial of Service: Service Exhaustion Flood
  • Impact: T1498.001 – Network Denial of Service: Direct Network Flood
  • Impact: T1496 – Resource Hijacking

The post SMS & OTP Bombing Campaigns: Evolving API Abuse Targeting Multiple Regions appeared first on Cyble.


Chipmaker Patch Tuesday: Over 80 Vulnerabilities Addressed by Intel and AMD

More than two dozen advisories have been published by the chip giants for vulnerabilities found recently in their products.

The post Chipmaker Patch Tuesday: Over 80 Vulnerabilities Addressed by Intel and AMD appeared first on SecurityWeek.


Fortinet Patches High-Severity Vulnerabilities

The bugs could be exploited without authentication for command execution and authentication bypass.

The post Fortinet Patches High-Severity Vulnerabilities appeared first on SecurityWeek.


Google-Intel Security Audit Reveals Severe TDX Vulnerability Allowing Full Compromise

Dozens of vulnerabilities, bugs, and potential improvements have been identified by the tech giants’ security teams.

The post Google-Intel Security Audit Reveals Severe TDX Vulnerability Allowing Full Compromise appeared first on SecurityWeek.


North Korea-Linked UNC1069 Uses AI Lures to Attack Cryptocurrency Organizations

The North Korea-linked threat actor known as UNC1069 has been observed targeting the cryptocurrency sector to steal sensitive data from Windows and macOS systems with the ultimate goal of facilitating financial theft.
“The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated

The Hacker News