SMS Toll Fraud

3 Key Telltales That Unmask the Reach of SMS Fraud

September 26, 2023 | 5 min Read

The cyberattack known as SMS toll fraud, or SMS traffic pumping, has officially become a big problem for many businesses today. These SMS scams involve using text messages to deceive people, steal sensitive information, and exploit weaknesses in a company's systems. The consequences of SMS fraud can be severe, leading to financial losses, damage to a company's reputation, and legal troubles.

While it’s concerning that criminals now employ the same tools and tactics for SMS toll fraud as they do for other attacks, such as account takeovers or fake account creation, there are a few distinct signs available to help businesses identify this threat. Recognizing these nuanced signs is the first step in building a robust defense against the growing financial threat of SMS fraud.

The nuances of SMS fraud

Businesses concerned about SMS fraud should remain vigilant of these three key telltales that can help pinpoint instances of this threat: geography, automation, and velocity. Understanding these three indicators can help enterprises stay protected from a variety of SMS scams:

  1. Geography: Although SMS fraud can look and feel like other attacks, some nuanced signs are specific to this threat, and geography is one. Certain countries are more susceptible to SMS fraud because there is a stronger economic incentive for attackers to use telecom networks in those countries. A single SMS verification request can cost anywhere from 25-50 cents in some countries with legacy telecom infrastructure, versus a fraction of a cent in the USA. If attackers with connections in those countries can push SMS verification traffic onto those mobile networks, that’s a huge incentive.
    Although attackers often use proxies and VPNs to mask their true location, bad actors sometimes fail to route traffic through their attack tools, which means small signals come through indicating their true geographic location. Robust bot detection involves checking the reputation of connection types to see if they’ve been used for abuse in the past, as well as examining the volume of traffic from a specific IP address. Attackers work hard to mask their geographic location so fraudulent traffic is allowed through.
  2. Automation: Threat actors also frequently use tools like headless browsers to automate bot attacks and penetrate defenses. A headless browser is a web browser that operates without a graphical user interface. Unlike traditional web browsers like Chrome, Firefox, or Safari, which display web pages to the user with a graphical interface, a headless browser interacts with websites programmatically, making it useful for automating tasks and web scraping.
    Attackers use headless browsers because they can efficiently run many instances of them to automate their attacks, and this automation is often performed via the Selenium framework. One way this malicious traffic can be distinguished from regular users is by examining the JavaScript that runs on these clients. Our threat researchers have observed that cybercriminals frequently make mistakes when trying to blend in with normal traffic, for example by claiming to run a different graphics library than the one actually measured by Arkose Labs’ JavaScript.
  3. Velocity: Unlike normal users, who send SMS verify requests intermittently across expected hours, bots utilized for SMS fraud frequently create a large volume of SMS requests to high-cost numbers—all in a short period of time. These spikes in requests are inconsistent with the natural flow of traffic typically seen in human-generated web interactions. Often, these fraudulent SMS requests come from specific ASNs, IP addresses, or from devices not typically used by regular users of the service. The velocity and overall volume of these requests is frequently anomalous and much higher, with the intent to maximize the attacker's share of SMS revenue before being discovered. Early detection of these velocity-based anomalies is critical to mitigate damage from SMS fraud actors.

The real cost of SMS traffic

When there is a spike in customer traffic, the velocity and volumetric-based anomaly detection mechanisms of a robust bot management solution serve as frontline detection. Attackers utilizing headless browsers and other automation tools will also be flagged by specific signals generated from their client-side JavaScript. If this traffic is allowed to pass through and successfully send SMS verify requests to a high-cost geography, costs quickly add up. SMS requests to a high-cost number in a country like Indonesia or Russia can average over $0.35 per message. Thousands of dollars can be spent on this fraudulent traffic in just a 15-minute window if these requests are not properly detected and mitigated.
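The velocity and cost signals described above can be combined into a simple spend-based check. The following is an added example, not Arkose Labs code: it slides a 15-minute window over SMS verify requests grouped by source ASN and destination country and alerts when projected spend crosses a budget. The price table, budget, ASNs and log records are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)           # the 15-minute window the article mentions
# Assumed per-message prices in USD; the article only says "over $0.35" for
# high-cost destinations and "a fraction of a cent" for the USA.
PRICE_USD = {"ID": 0.35, "RU": 0.35, "US": 0.005}
DEFAULT_PRICE = 0.05                     # assumption for unlisted destinations
BUDGET_USD = 50.0                        # assumed spend ceiling per window


def detect_sms_pumping(events, budget=BUDGET_USD, window=WINDOW):
    """Flag (ASN, destination country) pairs whose SMS spend inside a sliding
    window exceeds the budget. `events` is time-sorted (iso_ts, asn, country)."""
    recent = defaultdict(deque)          # key -> timestamps still in the window
    alerted, alerts = set(), []
    for ts, asn, country in events:
        now = datetime.fromisoformat(ts)
        key = (asn, country)
        q = recent[key]
        q.append(now)
        while now - q[0] > window:       # expire requests older than the window
            q.popleft()
        cost = len(q) * PRICE_USD.get(country, DEFAULT_PRICE)
        if cost > budget and key not in alerted:   # alert once per key
            alerted.add(key)
            alerts.append({"time": ts, "asn": asn, "country": country,
                           "requests": len(q), "cost_usd": round(cost, 2)})
    return alerts


def sample_events():
    """Constructed log: intermittent US traffic plus a burst to Indonesia."""
    start = datetime(2023, 9, 26, 12, 0, 0)
    events = [((start + timedelta(minutes=2 * i)).isoformat(), "AS64500", "US")
              for i in range(30)]        # one request every 2 minutes
    events += [((start + timedelta(minutes=20, seconds=3 * i)).isoformat(),
                "AS64511", "ID") for i in range(200)]   # 200 requests in 10 minutes
    return sorted(events)                # ISO timestamps sort chronologically


if __name__ == "__main__":
    for alert in detect_sms_pumping(sample_events()):
        print(alert)
```

Keying the budget on spend rather than raw request count means a burst to a low-cost destination does not page anyone, while a much smaller burst to a high-cost one does.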

At this point, it’s clear to see what’s different about SMS fraud—the upfront cost for the customer. With SMS scams, the customer has no way of mitigating the cost at the end. Once there is an SMS verification, it’s an immediate charge out of pocket. Unlike other attacks, SMS fraud often goes undetected until the bill arrives.

Arkose Labs for SMS fraud

Arkose Labs analyzes traffic against telltale signs of malicious intent like SMS fraud to distinguish automated and human attackers from good users. Our solution, Arkose Bot Manager, uses a combination of machine learning, global telemetry, and the adaptive step-up challenges of Arkose MatchKey to accurately identify and differentiate malicious from legitimate web traffic. This approach helps businesses prevent attacks like SMS toll fraud from reaching their intended targets, thereby minimizing impact and risk.
