By Justin Massey
Is your call center vulnerable to an SMS-pumping attack? What is an SMS-pumping attack? This attack gained media attention recently when Elon Musk said that Twitter was paying over $60 million in fraudulent text messages due to hackers exploiting this attack technique. In this article, we’ll break down whether your operation should be concerned with SMS pumping fraud and how you can ensure you do not wind up with a $60 million invoice from your telco provider.
What is the attacker’s motive? Before understanding how the attack works, it is important to know the attacker’s motive. In this scenario, the attacker wants to find a way to trick your business into texting a premium-rate phone number. Your telco will be charged a premium rate and will pass this cost to you. The attacker will then receive a portion of this premium rate. The amount earned per text message is minimal, so the attacker must work at scale to make the effort worth their time.
How does the attack work? Attackers scour the internet for websites that will send them text messages for any reason. Some websites will send users a confirmation text when registering for an account. Some websites will send one-time passwords. Other websites will send two-factor authentication (2FA) messages. Some websites will send a text message after a sales lead completes a landing page.
There are many different use cases for automatically sending text messages, so keep your mind open when reading this article.
After the attacker has identified a website that sends text messages, they must write the attack tooling to automate the attack. The attacker will automate any process associated with the attack, such as creating an account and logging the user in.
The attacker will then launch their attack, and the website owner will be on the hook for the charges associated with the texts to the premium-rate numbers.
SMS Pumping Attack Example
Suppose, for example, that an attacker identifies a website that sends users a 2FA text message when logging into the account. The attacker will also research how quickly they can request new 2FA messages from the same account. Some applications may only send one text every 30 seconds. Other applications may not implement any rate limiting and allow the user to request as many 2FA codes as humanly possible.
The attacker must send many text messages to earn enough money to make the attack profitable. This means they will need to increase the number of accounts on the website to send 2FA messages. After the accounts have been created and configured with the premium-rate phone numbers, the attacker will automate the login process and request as many text messages as the system will allow.
Where has this attack been seen? This attack has increased in prevalence over the past several years, according to Vladimir Smal with Lanck Telecom. It recently made the headlines when Elon Musk mentioned that Twitter (now X) was being scammed out of $60 million per year in fraudulent text messages due to this style of attack. Lanck Telecom estimates that 6% of all SMS traffic is artificially generated by these sorts of attacks. For some mobile networks, artificial traffic is much higher, at 50-80%.
- Does my sales process involve receiving a phone number and automatically texting it?
- Does my application support 2FA via text message?
- Does my application send one-time passwords via text message?
- Does any other part of my application send text messages?
If you answered yes to any of these questions, you could be vulnerable to this attack. However, you should remember that the attacker must be able to easily scale this attack to make it profitable.
If your operation requires a human to be involved in onboarding your customer, then an attacker is unlikely to target this application. It is, however, important for you to think through all possible scenarios you may have implemented that involve text messaging.
- Anti-Bot Measures: One of the primary sources of SMS pumping fraud is a website that allows a user to register and then sends a text message to the phone number the user provided. The first component of preventing this attack is to ensure that the user is a human. You can implement anti-bot technology such as Google’s reCAPTCHA to identify whether the user creating the account is a human or a bot. If you implement reCAPTCHA, an attacker would have to run this attack against your application manually, which would not be profitable.
- Extending reCAPTCHA: You should also consider adding reCAPTCHA to other parts of your applications, such as user logins, password resets, or anywhere that an attacker may try to trigger a text message.
- Rate Limiting: Another mitigation strategy is to implement rate limiting. If a user requests the same information 10,000 times within one minute, you do not want to text the user 10,000 times. Consider implementing a rate limit to reduce the number of text messages sent to this number.
- Geographical Restrictions: Many fraudulent text messages are sent to non-US countries. You can contact your telco provider and request they disable texting to non-US countries or countries in which you do not conduct business.
- Billing Spike Notifications: Implement billing spike notifications with your telco provider. If your telco detects your application sending an abnormal number of messages, they should notify you as soon as they detect it rather than leaving you to discover the charge on your next invoice.
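As an added illustration of the rate-limiting and geographical-restriction mitigations above (example code written for this article, not Relay Hawk's product), the following gate sits in front of whatever call actually hands a message to the SMS provider. The allowlist, limits and country-code handling are assumptions for illustration; a production version should parse numbers with a proper phone-number library.

```python
import time
from collections import deque

# Assumed policy values: only NANP (+1) destinations, at most 3 messages
# to the same number within a 10-minute sliding window.
ALLOWED_COUNTRY_CODES = {"1"}
MAX_MESSAGES = 3
WINDOW_SECONDS = 600


class SmsGate:
    """Decide whether an outbound SMS to `number` may be sent right now."""

    def __init__(self, allowed=ALLOWED_COUNTRY_CODES, max_messages=MAX_MESSAGES,
                 window=WINDOW_SECONDS, clock=time.time):
        self.allowed = allowed
        self.max_messages = max_messages
        self.window = window
        self.clock = clock          # injectable for testing
        self._history = {}          # E.164 number -> deque of send timestamps

    def country_allowed(self, number):
        # E.164 numbers are '+' followed by a 1-3 digit country code and the
        # subscriber number; simple prefix matching is used here for clarity.
        if not number.startswith("+") or not number[1:].isdigit():
            return False
        digits = number[1:]
        return any(digits.startswith(cc) for cc in self.allowed)

    def check(self, number):
        """Return (allowed, reason); call the SMS provider only when allowed is True."""
        if not self.country_allowed(number):
            return False, "destination country not allowed"
        now = self.clock()
        sent = self._history.setdefault(number, deque())
        # Drop timestamps that have aged out of the sliding window.
        while sent and now - sent[0] > self.window:
            sent.popleft()
        if len(sent) >= self.max_messages:
            return False, "rate limit exceeded for this number"
        sent.append(now)
        return True, "ok"
```

Log every denial with the reason: a burst of "rate limit exceeded" or "destination country not allowed" decisions is the kind of spike the billing-alert mitigation above is meant to catch, and seeing it in your own logs first is cheaper than seeing it on the invoice.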
By adopting these proactive measures, you can protect your operation against SMS-pumping attacks.
Justin Massey, the founder of Relay Hawk, started answering phones for his family’s answering service at 16. Later, he became an IT administrator at a managed service provider. He now runs Relay Hawk, a cybersecurity company building products exclusively for the Telephone Answering Service industry.