The cyberattack known as SMS toll fraud, or SMS traffic pumping, has officially become a big problem for many businesses today. These SMS scams involve using text messages to deceive people, steal sensitive information, and exploit weaknesses in a company's systems. The consequences of SMS fraud can be severe, leading to financial losses, damage to a company's reputation, and legal troubles.
While it’s concerning that criminals now employ the same tools and tactics for SMS toll fraud as they do for other attacks, such as account takeovers or fake account creation, there are a few distinct signs available to help businesses identify this threat. Recognizing these nuanced signs is the first step in building a robust defense against the growing financial threat of SMS fraud.
The nuances of SMS fraud
Businesses concerned about SMS fraud should remain vigilant for three key telltales that can help pinpoint instances of this threat: geography, automation, and velocity. Understanding these three indicators can help enterprises stay protected from a variety of SMS scams:
- Geography: Although SMS fraud can look and feel like other attacks, there are some nuanced signs that are indicative of this specific threat. Geography is one. Certain countries are more susceptible to SMS fraud because there is a stronger economic incentive for attackers to use telecom networks in those countries. A single SMS verification request can cost anywhere from 25-50 cents in some countries with legacy telecom infrastructure, whereas in the USA it is a fraction of a cent. If attackers with connections in those countries can send traffic through mobile networks there via SMS verification requests, that’s a huge incentive. Attackers work hard to mask their geographic location so that fraudulent traffic is allowed through, often using proxies and VPNs. However, bad actors sometimes fail to route traffic through their attack tools, which means small signals come through indicating their true geographic location. Robust bot detection involves checking the reputation of connection types to see if they’ve been used for abuse in the past, as well as examining the volume of traffic from a specific IP address.
- Automation: Threat actors also frequently use tools like headless browsers to automate bot attacks and penetrate defenses. A headless browser is a web browser that operates without a graphical user interface. Unlike traditional web browsers like Chrome, Firefox, or Safari, which display web pages to the user with a graphical interface, a headless browser interacts with websites programmatically, making it useful for automating tasks and web scraping. Attackers use headless browsers because they can efficiently run many instances of them to automate their attacks, and this automation is often performed via the Selenium framework. One way this malicious traffic can be distinguished from regular users is by examining the JavaScript that is run on these clients. Our threat researchers have observed that cybercriminals frequently make mistakes when trying to blend in with normal traffic, for example by claiming they are running a different graphics library than the one actually measured by Arkose Labs’ JavaScript.
- Velocity: Unlike normal users, who send SMS verify requests intermittently across expected hours, bots utilized for SMS fraud frequently create a large volume of SMS requests to high-cost numbers, all in a short period of time. These spikes in requests are inconsistent with the natural flow of traffic typically seen in human-generated web interactions. Often, these fraudulent SMS requests come from specific ASNs, IP addresses, or from devices not typically used by regular users of the service. The velocity and overall volume of these requests are frequently anomalous and much higher, with the intent to maximize the attacker's share of SMS revenue before being discovered. Early detection of these velocity-based anomalies is critical to mitigate damage from SMS fraud actors.
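One way to combine the geography and velocity indicators above into a single check, shown as an added example rather than Arkose Labs' own detection code: a sliding-window counter that weights each SMS verify request by its destination cost and groups requests by source ASN, so that rotating IP addresses does not reset the count. The rate table, the window and budget thresholds, the `XA` country code, and the sample events are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed rates in mills (1/10 cent) per SMS; "XA" is a hypothetical
# high-cost destination, "US" a low-cost one. Not real carrier pricing.
COST_MILLS = {"US": 5, "XA": 400}
DEFAULT_COST_MILLS = 50      # assumed rate for unlisted destinations
WINDOW_S = 60                # sliding window length in seconds (assumed)
BUDGET_MILLS = 2000          # allowed SMS spend per key per window (assumed)

def detect_pumping(events, window_s=WINDOW_S, budget_mills=BUDGET_MILLS):
    """Return {(asn, country): ts} giving the time each key first exceeded
    the SMS spend budget inside one sliding window.

    events: iterable of (epoch_seconds, source_asn, source_ip, dest_country).
    Keying on ASN instead of IP keeps a burst visible when IPs rotate.
    """
    windows = defaultdict(deque)   # key -> deque of (ts, cost) inside the window
    spend = defaultdict(int)       # key -> total cost currently inside the window
    alerts = {}
    for ts, asn, _ip, country in sorted(events):
        key = (asn, country)
        cost = COST_MILLS.get(country, DEFAULT_COST_MILLS)
        q = windows[key]
        q.append((ts, cost))
        spend[key] += cost
        # Evict requests that have aged out of the window.
        while q[0][0] <= ts - window_s:
            spend[key] -= q.popleft()[1]
        if spend[key] > budget_mills and key not in alerts:
            alerts[key] = ts
    return alerts

# Constructed sample traffic (documentation-range ASNs and IP addresses).
SAMPLE_EVENTS = (
    # Burst: 10 requests in 18 s to the high-cost destination, rotating IPs.
    [(1000 + 2 * i, 64500, f"203.0.113.{i + 1}", "XA") for i in range(10)]
    # Ordinary low-cost traffic spread over 15 minutes.
    + [(t, 64501, "198.51.100.7", "US") for t in (1000, 1300, 1900)]
    # Same high-cost destination, but at a human pace: must not alert.
    + [(1000 + 200 * i, 64502, "192.0.2.9", "XA") for i in range(6)]
)

if __name__ == "__main__":
    for (asn, country), ts in detect_pumping(SAMPLE_EVENTS).items():
        print(f"ALERT asn={asn} dest={country} first_exceeded_at={ts}")
```

Only the burst from ASN 64500 is flagged; the slow requests to the same high-cost destination stay under budget because each window holds a single message.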



