SMS pumping attacks and how to mitigate them
Online forms that use SMS can be costly to organizations if they are vulnerable to SMS pumping attacks. Use the following methods to mitigate or prevent this fraud-based attack.
Not all cyber attacks infiltrate IT environments to steal information. Some attacks, still fueled by money, focus on fraud instead. One such fraud-based attack is SMS pumping.
What is SMS pumping?
In an SMS pumping attack, malicious actors abuse SMS systems connected to online forms or web apps -- for example, a signup form that texts a download link, or a login flow that texts a one-time passcode (OTP). The organization pays its SMS provider for every message it sends, so attackers use bots to submit large volumes of premium rate phone numbers to such forms. These numbers cost more to deliver to, and the extra charges flow to the mobile network operators (MNOs) that control those specific numbers. Attackers make their money either by exploiting unwitting MNOs or by working with unscrupulous MNOs to receive a portion of the revenue generated from the premium rate phone numbers. Nothing is stolen from the victim's systems; the loss is the inflated SMS bill.
SMS pumping attacks are also known as SMS artificially inflated traffic, SMS OTP fraud or artificially generated traffic.
Approximately 6% of all SMS traffic between December 2021 and December 2022 was flagged as SMS pumping by Lanck Telecom. In February 2023, Elon Musk claimed SMS pumping attacks cost Twitter $60 million per year. Twitter removed two-factor authentication (2FA) via text -- except to verified Twitter Blue users -- due to these attacks. The move aimed to save money by limiting 2FA SMS use to only subscription customers.
How to detect SMS pumping attacks
SMS pumping attacks are often first noticed as an unusual volume of SMS requests, or as a spike in requests from a particular kind of phone number, such as premium rate numbers or numbers from a country the organization does not serve.
To detect SMS pumping attacks, Andras Cser, analyst at Forrester Research, recommended organizations pay attention to the phone numbers being used on password reset, registration and similar webpage forms. "This includes understanding the device ID and reputation of the site that plugs in these unusual numbers," he said.
After detecting spikes in SMS notification requests, ask the following questions to uncover whether it's an SMS pumping attack:
- Are the numbers from countries the organization rarely or never has customers in?
- Do the requests arrive in a burst over a short period of time?
- Are the phone numbers sequential to each other -- for example, +1111111000 and then +1111111001, etc.?
- Are web forms only partially completed?
- Are conversion rates dropping?
If the answer to any of these questions is yes, it may be an SMS pumping attack.
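The questions above can be encoded as checks over the application's OTP-request log. The following Python script is an added example, not code from the article or from any vendor it quotes; it runs the checks over a constructed sample log whose last six lines mimic a pumping burst (one client IP, sequential numbers from an unserved country, one request per second, forms never completed). The log format, the country-code prefix table and the thresholds are assumptions made for illustration.

```python
"""Heuristic SMS pumping detector run over OTP-request log lines.

Added example, not code from the original article or any vendor it names.
The log format, country-code table and thresholds are assumptions; tune them
against your own traffic before alerting on them.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log: timestamp, client IP, E.164 number, form outcome.
# The last six lines mimic a pumping burst: one IP, sequential +234 numbers,
# one request per second, and no form ever completed.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z 203.0.113.7 +14155550100 complete
2024-03-01T10:00:05Z 203.0.113.7 +14155550199 complete
2024-03-01T10:01:00Z 198.51.100.9 +4915112345678 complete
2024-03-01T10:02:00Z 192.0.2.44 +2349012340001 partial
2024-03-01T10:02:01Z 192.0.2.44 +2349012340002 partial
2024-03-01T10:02:02Z 192.0.2.44 +2349012340003 partial
2024-03-01T10:02:03Z 192.0.2.44 +2349012340004 partial
2024-03-01T10:02:04Z 192.0.2.44 +2349012340005 partial
2024-03-01T10:02:05Z 192.0.2.44 +2349012340006 partial
"""

# Assumed: this business only has customers in North America (+1) and Germany (+49).
EXPECTED_COUNTRY_CODES = {"1", "49"}
# Tiny illustrative prefix table, longest prefix first; use a real numbering-plan library in production.
KNOWN_COUNTRY_CODES = ("234", "44", "49", "1")

LINE_RE = re.compile(r"^(\S+) (\S+) (\+\d+) (complete|partial)$")


def parse_log(text):
    """Parse log lines into dicts sorted by timestamp; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            ts, ip, number, outcome = match.groups()
            records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            "ip": ip, "number": number,
                            "complete": outcome == "complete"})
    return sorted(records, key=lambda r: r["ts"])


def country_code(number):
    """Return the longest known country calling code prefix of an E.164 number."""
    digits = number.lstrip("+")
    for cc in KNOWN_COUNTRY_CODES:
        if digits.startswith(cc):
            return cc
    return "unknown"


def longest_sequential_run(numbers):
    """Longest run of numbers (in arrival order) each exactly one above the previous."""
    best = run = 1 if numbers else 0
    for prev, cur in zip(numbers, numbers[1:]):
        if int(cur.lstrip("+")) - int(prev.lstrip("+")) == 1:
            run += 1
            best = max(best, run)
        else:
            run = 1
    return best


def max_requests_in_window(timestamps, window):
    """Largest number of requests whose timestamps fall within one sliding window."""
    best = end = 0
    for start, first in enumerate(timestamps):
        while end < len(timestamps) and timestamps[end] - first < window:
            end += 1
        best = max(best, end - start)
    return best


def analyze(records, window=timedelta(seconds=60), burst_threshold=5,
            sequential_threshold=3, partial_threshold=0.5):
    """Answer the article's detection questions; any triggered signal marks the batch as suspect."""
    numbers = [r["number"] for r in records]
    unexpected = sorted({country_code(n) for n in numbers} - EXPECTED_COUNTRY_CODES)
    burst = max_requests_in_window([r["ts"] for r in records], window)
    seq_run = longest_sequential_run(numbers)
    partial = sum(not r["complete"] for r in records) / len(records) if records else 0.0
    checks = [("unexpected_countries", bool(unexpected)),
              ("burst", burst >= burst_threshold),
              ("sequential_numbers", seq_run >= sequential_threshold),
              ("partial_forms", partial >= partial_threshold)]
    signals = [name for name, hit in checks if hit]
    return {"unexpected_countries": unexpected,
            "max_requests_per_window": burst,
            "longest_sequential_run": seq_run,
            "partial_ratio": round(partial, 2),
            "signals": signals,
            "suspected_pumping": bool(signals)}
```

Run `analyze(parse_log(SAMPLE_LOG))` to see all four signals fire on the constructed burst; feeding it only the first three legitimate lines returns no signals. In a real deployment, group records by form or endpoint and compare against a baseline window rather than fixed thresholds.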
How to prevent and mitigate SMS pumping
Preventing SMS pumping attacks from occurring in the first place is key. Attacks can also be mitigated to lessen their effects. Use the following prevention and mitigation methods:
- Implement CAPTCHA. Using CAPTCHA, or an open source bot-detection library such as BotD, on website signup pages enables organizations to weed out bots. CAPTCHA forces bad actors either to submit phone numbers manually or to pay for CAPTCHA-solving services, which slows down attacks and makes them less worthwhile. It raises the attacker's cost rather than eliminating the attack, so pair it with the rate limits and retry delays below.
- Rate-limit how many SMS messages can be sent. Use products that allow rate limiting of how many messages can be sent over a period of time instead of allowing systems to send an unlimited number of SMS messages to the same phone number. "This may not prevent fraud, but it might discourage [attackers] from targeting your app," said Mike Gannon, product marketing manager at Soprano Design, a communication PaaS provider.
- Delay verification retries. Users sometimes need to resubmit their phone number in an OTP or similar form shortly after their first attempt. Rather than allowing multiple retries within seconds of each other, impose a cooldown before another SMS can be sent to the same number. This slows down and frustrates attackers.
- Use geographic permissions. Disable sending messages to numbers from countries where the company doesn't do business, recommended Anthony Graham, senior product marketing manager at Plivo, a cloud communications platform. This limits where attackers can use premium rate phone numbers from and reduces potential fraudulent charges.
- Verify numbers before sending. Determine whether the phone number submitted in the form is indeed a regular mobile number rather than a premium rate or otherwise unusual line. Carrier lookup services from API communication platform Twilio or communication platform Dexatel, for example, report which carrier serves a number (and, depending on the provider, its line type) to help organizations decide whether to block the carrier or the number. Such lookups are often billed per query, so run them only after cheaper checks such as rate limits and geographic permissions have passed.
- Require additional info from users. Require users to provide more information than just their phone numbers in any online form. This may affect UX but deters bad actors from targeting an organization and reduces the ability to easily use bots to generate traffic.
- Remove 2FA SMS. If it is a viable option, remove the ability to deliver 2FA OTPs over SMS and offer an authenticator app or hardware key instead. This may not always be possible, however. SMS OTPs aren't the strongest second factor security-wise (they are exposed to SIM swapping and interception), but they do offer cost and UX benefits.
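The prevention measures above can be combined into one guard that runs before every OTP SMS is sent. The following Python class is an added example, not code from the article or from Twilio, Plivo, Soprano Design or Dexatel. It applies geographic permissions, a retry cooldown and sliding-window rate limits per number and per client IP locally first, then verifies the number type last through an injected line_type_lookup callable that stands in for a paid carrier lookup API. The allowed-country table, the limits, the FakeClock and the FAKE_LINE_TYPES answers are assumptions for illustration.

```python
"""Pre-send guard applying the article's mitigations before an OTP SMS goes out.

Added example, not code from the article or from any SMS vendor. The
line_type_lookup callable is an injected stand-in for a carrier lookup API;
the country table, limits and fake lookup answers are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed: the business only sends to North America (+1) and Germany (+49).
ALLOWED_COUNTRY_CODES = {"1", "49"}
KNOWN_COUNTRY_CODES = ("234", "44", "49", "1")  # tiny illustrative table, longest prefix first


def country_code(number):
    """Return the longest known country calling code prefix of an E.164 number."""
    digits = number.lstrip("+")
    for cc in KNOWN_COUNTRY_CODES:
        if digits.startswith(cc):
            return cc
    return "unknown"


class OtpSendGuard:
    """Decides whether an OTP SMS may be sent; returns 'allow' or 'deny:<reason>'."""

    def __init__(self, line_type_lookup, now=datetime.now,
                 per_number_limit=3, per_number_window=timedelta(hours=1),
                 retry_cooldown=timedelta(seconds=30),
                 per_ip_limit=10, per_ip_window=timedelta(minutes=10)):
        self.line_type_lookup = line_type_lookup  # number -> "mobile" / "landline" / "premium" / ...
        self.now = now                            # injectable clock so tests need not sleep
        self.per_number_limit, self.per_number_window = per_number_limit, per_number_window
        self.retry_cooldown = retry_cooldown
        self.per_ip_limit, self.per_ip_window = per_ip_limit, per_ip_window
        self._sent_by_number = defaultdict(deque)  # number -> timestamps of sends
        self._sent_by_ip = defaultdict(deque)      # client IP -> timestamps of sends
        self._line_type_cache = {}                 # avoid paying twice for the same lookup

    @staticmethod
    def _prune(history, now, window):
        """Drop timestamps that have aged out of the sliding window."""
        while history and now - history[0] >= window:
            history.popleft()

    def decide(self, number, client_ip):
        now = self.now()
        # 1. Geographic permissions: the cheapest check, so it runs first.
        if country_code(number) not in ALLOWED_COUNTRY_CODES:
            return "deny:country"
        # 2. Delay verification retries: cooldown between sends to the same number.
        by_number = self._sent_by_number[number]
        self._prune(by_number, now, self.per_number_window)
        if by_number and now - by_number[-1] < self.retry_cooldown:
            return "deny:cooldown"
        # 3. Rate limits per number and per client IP over sliding windows.
        if len(by_number) >= self.per_number_limit:
            return "deny:number_rate"
        by_ip = self._sent_by_ip[client_ip]
        self._prune(by_ip, now, self.per_ip_window)
        if len(by_ip) >= self.per_ip_limit:
            return "deny:ip_rate"
        # 4. Verify the number type last: lookups are usually billed per query.
        line_type = self._line_type_cache.get(number)
        if line_type is None:
            line_type = self._line_type_cache[number] = self.line_type_lookup(number)
        if line_type != "mobile":
            return "deny:line_type"
        by_number.append(now)
        by_ip.append(now)
        return "allow"


class FakeClock:
    """Deterministic clock (assumption for the demo) standing in for datetime.now."""
    def __init__(self, start=datetime(2024, 3, 1, 10, 0, 0)):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += timedelta(seconds=seconds)


# Constructed answers standing in for a carrier/line-type lookup API.
FAKE_LINE_TYPES = {"+14155550100": "mobile", "+14155550111": "premium"}


def demo():
    """Walk requests through cooldown, rate limit, geo and line-type checks; return the decisions."""
    clock = FakeClock()
    guard = OtpSendGuard(lambda n: FAKE_LINE_TYPES.get(n, "unknown"), now=clock)
    number, ip = "+14155550100", "203.0.113.7"
    decisions = [guard.decide(number, ip), guard.decide(number, ip)]  # allow, then immediate retry
    for _ in range(3):
        clock.advance(31)  # past the 30 s cooldown each time
        decisions.append(guard.decide(number, ip))
    decisions.append(guard.decide("+2349012340001", "192.0.2.44"))  # country not served
    decisions.append(guard.decide("+14155550111", ip))              # premium rate line
    return decisions
```

Calling `demo()` returns the decision sequence allow, deny:cooldown, allow, allow, deny:number_rate, deny:country, deny:line_type. The order of checks matters for cost: the lookup is never paid for on a number that geography or rate limits already rejected, and a cached result stops a bot from making you pay per retry. In production, keep the send history in a shared store such as Redis rather than in-process memory so the limits hold across application instances.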