    SMS pumping attacks and how to mitigate them

    By websitebuildersnow | March 24, 2023 | 5 min read



    Kyle Johnson


    Not all cyberattacks penetrate IT environments and steal information. Some attacks are still financially motivated but focus instead on fraud. One such fraud-based attack is SMS pumping.

    What is SMS pumping?

    In SMS pumping attacks, malicious actors take advantage of SMS systems connected to online forms and web apps, for example, when a user requests a download link or a one-time passcode (OTP). The attacker uses a bot to automatically enter premium rate phone numbers into an online form connected to the SMS system. These numbers charge higher telecom rates, which means more money for the mobile network operators (MNOs) that manage those numbers. The attacker profits either by exploiting an unwitting MNO or by cooperating with a malicious MNO to receive a portion of the proceeds from the premium rate phone numbers.

    SMS pumping attacks are also known as SMS artificially increased traffic, SMS OTP scam or artificially generated traffic.

    About 6% of all SMS traffic from December 2021 to December 2022 was flagged as SMS pumping by Lanck Telecom. In February 2023, Elon Musk claimed SMS pumping attacks cost Twitter $60 million annually. Because of these attacks, Twitter removed text-based two-factor authentication (2FA) for everyone except verified Twitter Blue users. The move was intended to save money by limiting the use of SMS 2FA to subscription customers only.

    How to detect SMS pumping attacks

    An SMS pumping attack is often first detected when an unusual number of SMS notifications are requested, or when there is a spike in requests from certain types of phone numbers, such as premium rate numbers.

    Forrester Research analyst Andras Cser recommends that organizations pay attention to the phone numbers used in password reset, registration, and similar web page forms to detect SMS pumping attacks. “This includes understanding the device IDs and reputation of the sites that plug in these anomalous numbers,” he said.

    If you detect a spike in SMS notification requests, ask the following questions to clarify whether it is an SMS pumping attack.

    • Are the numbers from countries where the organization has few or no customers?
    • Do the requests arrive within a short period of time?
    • Are the phone numbers consecutive? For example, +1111111000 and +1111111001.
    • Are web forms only partially completed?
    • Is your conversion rate dropping?

    If the answer to any of these questions is yes, it could be an SMS pumping attack.
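
The checks above can be computed from a log of SMS requests. The following sketch is an added example, not code from the original article; it covers four of the five questions (conversion rate needs business data that is not modeled here), and the field names, expected calling codes, 60-second window and sample records are all assumptions constructed for illustration.

```python
# Added example: constructed data; prefixes and thresholds are assumptions.
EXPECTED_PREFIXES = ("+1", "+44")  # assumed calling codes where customers exist
BURST_WINDOW_S = 60                # assumed meaning of "a short period"

def longest_consecutive_run(numbers):
    """Longest run of phone numbers that differ by exactly 1."""
    values = sorted({int(n.lstrip("+")) for n in numbers})
    best = run = 1 if values else 0
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def max_in_window(timestamps, window_s=BURST_WINDOW_S):
    """Largest number of requests inside any sliding window of window_s seconds."""
    ts, lo, best = sorted(timestamps), 0, 0
    for hi, t in enumerate(ts):
        while t - ts[lo] > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def pumping_signals(requests):
    """requests: dicts with ts (epoch seconds), number (E.164), form_complete."""
    n = len(requests)
    if n == 0:
        return {}
    numbers = [r["number"] for r in requests]
    return {
        "unexpected_country_share":
            sum(not x.startswith(EXPECTED_PREFIXES) for x in numbers) / n,
        "longest_consecutive_run": longest_consecutive_run(numbers),
        "max_requests_per_window": max_in_window(r["ts"] for r in requests),
        "partial_form_share": sum(not r["form_complete"] for r in requests) / n,
    }

# Constructed sample: two ordinary sign-ups plus a burst of sequential numbers
# under +999, a placeholder prefix chosen for this sample.
SAMPLE_REQUESTS = [
    {"ts": 0, "number": "+12025550100", "form_complete": True},
    {"ts": 5000, "number": "+442079460000", "form_complete": True},
] + [
    {"ts": 1000 + 2 * i, "number": f"+999000010{i}", "form_complete": False}
    for i in range(5)
]

if __name__ == "__main__":
    for name, value in pumping_signals(SAMPLE_REQUESTS).items():
        print(f"{name}: {value}")
```

Each value is a signal to review alongside the others, not a verdict on its own; what counts as abnormal depends on the organization's usual traffic.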

    How to prevent and mitigate SMS pumping

    It’s important to prevent SMS pumping attacks from happening in the first place. You can also mitigate attacks to reduce their impact. Use the following prevention and mitigation methods:

    • Implement CAPTCHAs. Using a CAPTCHA or an open source library called BotD on the signup page of a website helps organizations keep bots out. By forcing the attacker to submit phone numbers manually, a CAPTCHA significantly slows down the attack and reduces its value.
    • Rate limit the number of SMS messages that can be sent. Instead of allowing the system to send an unlimited number of SMS messages to the same phone number, use a product that allows you to rate limit the number of messages that can be sent over a period of time. “This may not prevent fraud, but it may deter [attackers],” said Mike Gannon, product marketing manager at communications PaaS provider Soprano Design.
    • Delay validation retries. A user may need to resubmit their phone number in an OTP or similar form immediately after the first attempt. Instead of allowing multiple retries within seconds of each other, add a delay before additional SMS messages can be sent. This slows down and frustrates attackers.
    • Use geographic permissions. Anthony Graham, senior product marketing manager at cloud communications platform Plivo, recommends disabling sending messages to numbers from countries where the company doesn’t operate. This limits where attackers can use premium rate phone numbers, reducing potential fraudulent charges.
    • Check the number before sending. Determine whether the phone number submitted in the form is a regular mobile number rather than a premium rate number. For example, the carrier lookup services of API communications platform Twilio and communications platform Dexatel report which carrier provides a number, which helps an organization decide whether it is worthwhile to block that carrier.
    • Request additional information from the user. Require users to provide information other than a phone number in an online form. While this may affect UX, it deters bad actors from targeting your organization and reduces their ability to easily use bots to generate traffic.
    • Remove 2FA SMS. Remove the option to send OTPs to 2FA SMS numbers if that is a viable solution. However, this is not always possible. OTP isn’t the strongest in terms of security, but it does have cost and UX benefits.
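
Three of the controls above (geographic permissions, per-number rate limiting and delayed retries) can be combined in one check that runs before any SMS is sent. This is an added example, not code from the original article or from any vendor named in it; the class name, limits, doubling delay and in-memory storage are assumptions, and a production deployment would keep the history in a shared store.

```python
# Added example: all names and limits below are illustrative assumptions.
class SmsGate:
    """Decides whether an OTP SMS may be sent to a number right now."""

    def __init__(self, allowed_prefixes, max_per_window=3,
                 window_s=3600, base_delay_s=30):
        self.allowed_prefixes = tuple(allowed_prefixes)  # geographic permissions
        self.max_per_window = max_per_window             # rate limit per number
        self.window_s = window_s
        self.base_delay_s = base_delay_s                 # first retry delay
        self.history = {}                                # number -> send times

    def decide(self, number, now):
        """Return (allowed, reason); records the send when allowed."""
        if not number.startswith(self.allowed_prefixes):
            return (False, "country not enabled")
        sent = [t for t in self.history.get(number, [])
                if now - t < self.window_s]
        if len(sent) >= self.max_per_window:
            return (False, "rate limit reached")
        if sent:
            # The delay doubles with every message already sent in the window.
            wait = self.base_delay_s * 2 ** (len(sent) - 1)
            elapsed = now - sent[-1]
            if elapsed < wait:
                return (False, f"retry in {int(wait - elapsed)}s")
        sent.append(now)
        self.history[number] = sent
        return (True, "send")


if __name__ == "__main__":
    gate = SmsGate(allowed_prefixes=["+1"])
    number = "+12025550100"  # constructed sample number
    for now in (0, 10, 30, 60, 90, 500, 3700):
        print(now, gate.decide(number, now))
    print(gate.decide("+9990000100", 0))  # prefix outside the allow list
```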

    This was last published in March 2023

