Story Highlights

These are the early days of WhatsApp black markets and very few people, including security experts, know about them

OTP groups consist of sellers selling OTPs for app-based services ranging from Uber, Ola and PayTm to Cafe Coffee Day and BookMyShow

There are also groups offering items, mostly electronics, bought from ecommerce sites using stolen credit card details at heavily discounted prices

Unknown to most of us, WhatsApp black market groups facilitating illegal trading in one-time passwords (OTPs), carding scams and other dodgy activities are proliferating in India, giving rise to the social media parallel of the darknet.

You can buy and sell bulk OTPs that allow you to hack into offers from popular app-based services like Uber, Ola and more. There are also groups offering items, mostly electronics, bought from ecommerce sites using stolen credit card details at heavily discounted prices.

Till some time ago, it was just the deep web or the darknet — which not everyone knows about and which is not easy to access — where contraband, porn, fake IDs, credit card details and other hacked user data were sold.

By moving to the chatting app, such illegal trade is becoming mainstream, allowing cybercriminals to reach out to India’s huge userbase of 200 million WhatsApp users.

What’s more, traders can be brazen in their dealings as they have no fear of being caught. Data privacy laws and WhatsApp’s encryption policy make it next to impossible for cybercrime authorities to track such black markets. The fact that most users on these groups sign up with virtual numbers — use-and-throw proxy numbers that can be generated using apps — makes it even more difficult. India’s national encryption policy draft excludes WhatsApp users from the mandate of keeping a 90-day record of all their encrypted communications.

These are the early days of WhatsApp black markets and very few people know about them. FactorDaily spoke to a number of security experts and most of them were unaware of the existence of such groups.

One of the few experts who did, Prasanna Venkatesh, explained why these activities are moving to WhatsApp: “It is because of the huge reach of the chat app and the ease with which you can interact on it. Using the dark web and staying anonymous online requires much more expertise as compared to WhatsApp. It is much easier to get virtual numbers nowadays, and the digital miscreants can use them for WhatsApp while hiding their identities.”

Black markets on your smartphone

Gaining access to one of these groups is not very difficult. They function like regular WhatsApp groups where all you need is access to someone who can add you to the group or receive a link to join the group. It took me just a bit of digging to get into a few such groups, some of which deal in the sale of bulk OTPs for various apps and others offering carding and IPL betting services.

During the course of research for this story, I came across 15 such groups, of which I joined five.

The OTP groups consist of sellers selling OTPs for app-based services ranging from Uber, Ola and PayTm to Cafe Coffee Day and BookMyShow. OTPs are usually used to authenticate a signup or cash in on freebies like cashbacks, discounts and rewards; they’re also help in detecting a returning user. These groups sell OTPs paired with different numbers so that users can cash in on discounts and offers more than once.

There are also groups offering carding services — trafficking of credit card, bank account and other personal information to enable financial frauds, IPL betting and more such illegal activities. If you Google for some of these hacks, most of the posts end with a WhatsApp number — a clear sign that these scams are moving to WhatsApp.

The sellers on these groups don’t seem to be hackers but are more like scammers who have found loopholes in the process of the apps they’re targeting. Another security expert, who did not want to be named, said it is very difficult to hack an app unless it is very badly designed, but scams are a different matter altogether — they just work through loopholes in the way these apps function and don’t need much technical skill.

One must keep in mind, however, that these groups are often scams within a scam and many of the offers are fake and don’t actually work.

So, how secure are OTPs?

All this while you’ve been thinking OTPs are completely secure. But they’re obviously not as secure as you think if they’re being traded in.

Here’s how OTPs work: Most mobile apps today, be it banking apps, ewallet or ecommerce apps, rely on OTPs to verify signups. A lot of these signups come with freebies ranging from free rides on taxi apps to free cashback in ewallets.

What makes it difficult to scam these apps is the fact that the OTPs are linked to individual mobile numbers and are crosschecked in the backend for verification. In the case of cashbacks and other such offers, this also makes it easy for the app developer to differentiate a returning customer from a new user, and hence prevents people from scamming for duplicate offers.

But OTPs sent over SMS, which are not secure. “Anybody on the source-destination passage (of an SMS) can intercept and access them. Companies often use APIs to push OTP SMSes to their users from a third party and they’re carried by telecom service provider. Everybody on that route can access the contents of the messages if they want to,” says IT consultant and FactorDaily contributor Thejesh GN.

With the phenomenal spike in the use of social media in India, it is but natural for criminals to veer towards using it to carry out illegal activities and trading.

In fact, social media seems to be fast replacing/supplementing the deep web with even contraband and porn being sold on social media channels. Recently, Hyderabad Police caught a doctor based in the city selling marijuana-laced chocolates on Instagram; there were also cases of rape videos being sold via WhatsApp in Uttar Pradesh.

Seems like no matter how many new steps government law enforcement agencies take to curb cybercrime in India, criminals will always be two steps ahead of them.

Also read:

The encryption policy will be back soon, here’s what you need to know

WhatsApp Privacy: India’s apex court issues notices to Facebook & others

WhatsApp group admins, breathe easy: Delhi HC says you’re not liable for content in groups

Uncleji, please stop sending sexist jokes on WhatsApp and take your Men’s Rights Activism elsewhere

Other stories on cybersecurity