
Understanding SMS Pumping: Preventing the Growing Threat of SMS Toll Fraud

Submitted by Style Pass, 2024-05-10 11:30:06

SMS pumping, or SMS toll fraud, is an attack type that greatly increases the operating costs of companies that use SMS to communicate with their customers. The prevalence of these attacks has increased significantly across the tech industry in the last couple of years, meaning a growing number of companies find themselves with an SMS bill that has unexpectedly grown exponentially. Flipdish has had eyes on this issue for 5+ years now and we feel we have learned a lot that may help others in preventing similar attacks on their system.

The basic premise of these attacks is that a bad actor will take advantage of the input fields within a system that send customer SMSs. These SMSs can be powering any part of your system from initial account confirmation to notifying customers that an order has been cancelled. If your system gives an attacker the ability to send multiple SMSs, it is a target that attackers will use to repeatedly send SMSs to phone numbers that they control.

What motive could someone have for such an attack? Initially we couldn’t fathom many valid reasons. So we started digging. We found that attackers will request thousands upon thousands of SMSs to be sent through a single mobile operator network. For each SMS that goes through that network, the attackers get a small share of the generated revenue. For example, an SMS might cost €0.03 to send. If that SMS travels through the attacker's network, they might get 10% of that. This may seem like an insignificant sum, but when multiplied by millions of SMSs the potential financial gains quickly start to add up.
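Because the traffic is concentrated on one operator network, it shows up in an SMS send log as a sudden cluster of destinations sharing a number prefix. The sketch below is an added example, not Flipdish's code: it flags any prefix that dominates a sliding window of sends. The prefix length, window size and thresholds are assumptions to tune against your own traffic, and all phone numbers are constructed.

```python
from collections import Counter, deque

PREFIX_LEN = 6        # assumption: leading digits approximate an operator's number range
WINDOW_SECONDS = 600  # assumption: 10-minute sliding window
MIN_SENDS = 5         # assumption: ignore prefixes with very little traffic
MAX_SHARE = 0.5       # assumption: alert when one prefix exceeds half of the window


def find_pumping_prefixes(events):
    """events: (unix_ts, e164_number) tuples sorted by time.
    Returns {prefix: timestamp of first alert}."""
    window = deque()    # (ts, prefix) of sends still inside the window
    counts = Counter()  # sends per prefix inside the window
    alerts = {}
    for ts, number in events:
        prefix = number[:PREFIX_LEN + 1]  # +1 keeps the leading '+'
        window.append((ts, prefix))
        counts[prefix] += 1
        # Drop sends that have aged out of the window.
        while window[0][0] <= ts - WINDOW_SECONDS:
            _, old_prefix = window.popleft()
            counts[old_prefix] -= 1
        share = counts[prefix] / len(window)
        if counts[prefix] >= MIN_SENDS and share > MAX_SHARE:
            alerts.setdefault(prefix, ts)
    return alerts


def sample_events():
    """Constructed log: steady mixed traffic, then a burst to one number range."""
    events = []
    for i in range(20):  # one send per minute across 10 different prefixes
        events.append((i * 60, f"+3538{i % 10}5550{i:03d}"))
    for i in range(30):  # 30 sends in one minute to a single range
        events.append((1200 + i * 2, f"+99900100{i:04d}"))
    return events


if __name__ == "__main__":
    print(find_pumping_prefixes(sample_events()))
```

An alert on a prefix is a signal to rate limit or hold sends to that range for review, not proof of fraud on its own.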
