by Justin Massey
August 17, 2023
Is your answering service vulnerable to an SMS-pumping attack? What even is an SMS-pumping attack? This attack gained media attention recently when Elon Musk said that Twitter was paying over $60 million per year for fraudulent text messages due to hackers exploiting this attack technique. In this blog post, Relay Hawk will break down if you should be concerned with SMS pumping fraud and how you can ensure you do not wind up with a $60 million invoice from your telco provider.
Before understanding how the attack works, knowing the attacker’s motive is important. In this scenario, the attacker wants to find a way to trick your business into texting a premium-rate phone number. Your telco will be charged a premium rate and will pass this rate to you. The attacker will then receive a portion of this premium rate. The price earned per text message is minimal, so the attacker must work at scale for them to make their time worth their money.
Attackers scour the Internet for websites that will send them text messages for any reason. Some websites will send users a confirmation text when registering for an account. Some websites will send one-time passwords. Other websites will send two-factor authentication (2FA) messages. Some websites will send a text message after a sales lead completes a landing page.
There are many different use cases for automatically sending text messages, so please keep your mind open when reading this blog.
After the attacker has identified a website that sends text messages, they must write the attack tooling to automate the attack. The attacker will automate any process associated with the attack, such as creating an account and logging the user in.
The attacker will then launch their attack, and the website owner will be on the hook for the charges associated with the texts to the premium-rate numbers.
Let’s take, for example, that an attacker identifies a website that sends users a 2FA text message when logging into the account. The attacker will also research how quickly they can request new 2FA messages from the same account. Some applications may only send one text every 30 seconds. Other applications may not implement any rate limiting and allow the user to request as many 2FA codes as humanly possible.
The attacker must send many text messages to earn enough money to make the attack profitable. This means they will need to increase the number of accounts on the website to send 2FA messages. After the accounts have been created and configured with the premium-rate phone numbers, the attacker will automate the login process and request as many text messages as the system will allow.
This attack has increased in prevalence over the past several years, according to Vladimir Smal with Lanck Telecom. It recently made the headlines when Elon Musk mentioned that Twitter (now X) was being scammed $60 million per year in fraudulent text messages due to this style attack. Lanck Telecom estimates that 6% of all SMS traffic is artificially generated by these sorts of attacks. Artificial traffic is much higher, 50-80%, for some mobile networks.
In order to know if your answering service is vulnerable to this attack, you should ask yourself the following questions:
If you answered yes to any of those questions, you could be vulnerable to this attack. However, you should keep in mind that the attacker must be able to easily scale this attack to make it profitable.
If your answering service requires a human to be involved with the onboarding of your customer, then the attacker is likely not going to target this application. However, It is important for you to think through all possible scenarios that you may have implemented that involve text messaging.
Anti-Bot Measures: One of the primary sources of SMS pumping fraud exists when a website allows a user to register and send a text message to the phone number the user provided. The first component to prevent this attack is to ensure that usser is a human. You can implement anti-bot technology such as Google’s reCAPTCHA to identify whether the user creating the account is a human or a bot. If you implement reCAPTCHA, an attacker would manually have to run this attack against your application which would not be profitable.
Extending reCAPTCHA: You should also consider adding reCAPTCHA to other parts of your applications, such as user logins, password resets, or anywhere that an attacker may try to trigger a text message.
Rate Limiting: Another mitigation strategy is to implement rate limiting. If a user requests the same information 10,000 times within one minute, you likely do not want to text the user 10,000 times. Consider implementing a rate limit to reduce the text messages sent to this number.
Geographical Restrictions: Many fraudulent text messages are sent to non-US countries. You can contact your telco provider and request they disable texting to non-US countries or countries in which you do not conduct business.
Billing Spike Notifications: Relay Hawk recommends implementing billing spike notifications with your telco provider. If your telco detects your application sending an abnormal amount of messages, they should notify you when they detect it rather than you seeing the high price on your next invoice.
By adopting these proactive measures, you can protect your answering service against SMS-pumping attacks.
In this blog post, we have covered how an SMS pumping attack works, an example attack, how to identify whether you are vulnerable, and how to protect your answering service from this attack.
Relay Hawk proactively worked with its customers to ensure they were not vulnerable to this attack. If you would like to have a cybersecurity company proactively identify security issues for your answering service, schedule a call with Relay Hawk today!
Keep up to date
Get the latest cybersecurity news and tips from our experts