Two-factor authentication PIN code attacks, SMS bot attacks, SMS PIN spam fraud, Artificially Inflated Traffic (AIT) – there are several names for this type of fraudulent activity that now affects so many online services and applications.
If you’re thinking, “Why are there random numbers in [random country] requesting PIN codes from us?” the chances are that your application is among those being impacted. SMS PIN code attacks are costly and seem to worsen (and become more widespread) as time goes on.
Why are AIT attacks so prevalent?
This is a tricky question. Artificially Inflated Traffic is where a rogue third party uses fake traffic to generate profit. This type of fraud is now seeping into SMS technology in the form of artificially inflated SMS PIN code requests. It’s one of 11 types of fraud crippling A2P messaging.
Initially, it seemed that fraudulent SMS PIN code requests got sent to a small subset of premium numbers where each SMS message generated income for the hacker. Here at Messente, we became aware of the problem, and as a defence mechanism, we’ve put filters in place that block the same phone number from receiving too many SMS PIN code requests.
Following this precaution, we’ve analysed the most common SMS PIN spam fraud cases. And we discovered that fraudulent SMS PIN code requests are sent to either consecutive phone numbers (e.g., containing 001, 002, 003, etc.) or totally random, yet large, sets of numbers belonging to the same provider’s range. They’re also sent to phone numbers that don’t follow the correct format for a specific country.
These PIN code requests are triggered automatically through ‘bots’, and every now and then, they manage to ‘hit’ an actual phone number and reach a real person, who of course, is confused about receiving a PIN code from a company they’ve never heard of. For businesses affected, this doesn’t convey a great impression.
Who is behind the AIT attacks?
Aggregators create AIT for two reasons: to make more revenue and profit, or to win a bid against another aggregator.
Some aggregators have built a script or tool that exploits a loophole in the SMS verification flow. The bot repeatedly creates fake accounts, which generates fake traffic carrying PIN codes from the customer’s system. The aggregator then inserts the code back into the customer’s platform, so it looks like a successful transaction.
Since the message doesn’t actually reach any handsets or operators, the aggregator doesn’t pay for it, but they will charge the customer for it and get profit for themselves.
Sometimes, the code isn’t inserted back into the customer’s platform. When the conversion rate on one aggregator drops below a certain level, the client switches to an alternative provider. For most large enterprises, switching between multiple providers is automated, so an attack leads to an automatic switch.
Some exclusive gateway providers
Exclusive gateway providers often have revenue commitments to the operator, meaning they have to guarantee a portion of revenue to the operator for the exclusive gateway management they have been awarded in a tender.
To win the tender and close the deal, the exclusive gateway providers will make commitments multiple times higher than the actual SMS volumes for the market or operator. This, in turn, means they need to generate fake traffic to reach it. If the market doesn’t have enough traffic, they’ll simply make more themselves.
Last but not least, some operators contribute to the AIT. When they sell non-allocated number ranges for AIT, these numbers get actively used. Hence, on paper, the operators can show a growth in user statistics.
More users mean more apparent market growth, bigger market penetration and share, and a higher stock price. AIT is a vested interest for the operators.
What’s the financial impact of AIT attacks?
The financial impact is often severe. We’ve seen this problem affect companies across various industries, including logistics, financial services, health tech and so on. The costs can escalate to tens of thousands of euros!
Here’s an example: one health-tech client of ours experienced a sudden hike in SMS traffic to Uzbekistan and neighbouring countries over two weeks. It cost a total of 13,000 €. The fraud was difficult to spot because the SMS content itself was legitimate. As a quick fix, we disabled SMS traffic to all markets except for the one the business operates in, and the client worked to put in place a more permanent fix through CAPTCHA verification.
A similar case occurred for a ride-hailing app provider very recently. Thousands of SMS requests were triggered to phone numbers in Bangladesh, costing the company over 2,000 €. Had we not noticed the unusual traffic hike towards this particular destination, the financial impact could have been far more damaging.
Which countries’ numbers are most affected?
SMS PIN code messages are often requested to phone numbers in countries where the SMS price is high, for example, Russia, Ukraine, Azerbaijan, Kazakhstan, Iraq, Kuwait, and Pakistan, to name a few.
A good approach to help you spot SMS PIN spam fraud is to check whether text messages are being requested to countries where your company doesn’t typically operate.
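The patterns described above (consecutive numbers, large bursts into one provider’s range, numbers that don’t fit the destination country’s format, and traffic to countries you never operate in) can be checked mechanically against your own PIN request logs. The script below is an added example and not Messente’s code; its numbering-plan table, sample log and thresholds are constructed for the demo, and a real deployment would use a maintained numbering-plan library instead of the hand-written table.

```python
"""Heuristic scan of SMS PIN request logs for signs of Artificially Inflated Traffic.

Added example, not Messente's code. The numbering-plan table and sample log are
constructed for the demo; use a maintained numbering-plan library in production.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed, simplified table: calling code -> (ISO country, national number length).
NUMBERING_PLAN = {
    "372": ("EE", 7),
    "44": ("GB", 10),
    "998": ("UZ", 9),
    "880": ("BD", 10),
}


@dataclass(frozen=True)
class PinRequest:
    ts: int          # epoch seconds when the PIN was requested
    msisdn: str      # destination in E.164 digits, without the leading '+'
    src_ip: str      # client address that triggered the request


def split_msisdn(msisdn: str) -> Tuple[Optional[str], Optional[str]]:
    """Longest-prefix match against NUMBERING_PLAN: (calling_code, national) or (None, None)."""
    for cc in sorted(NUMBERING_PLAN, key=len, reverse=True):
        if msisdn.startswith(cc):
            return cc, msisdn[len(cc):]
    return None, None


def country_of(msisdn: str) -> Optional[str]:
    cc, _ = split_msisdn(msisdn)
    return NUMBERING_PLAN[cc][0] if cc else None


def is_well_formed(msisdn: str) -> bool:
    """Digits only, a known calling code, and a national part of the expected length."""
    cc, national = split_msisdn(msisdn)
    return msisdn.isdigit() and cc is not None and len(national) == NUMBERING_PLAN[cc][1]


def unexpected_destinations(reqs: List[PinRequest], allowed: Set[str]) -> Set[str]:
    """Countries that received PIN requests although the business does not operate there."""
    return {country_of(r.msisdn) for r in reqs if is_well_formed(r.msisdn)} - allowed


def malformed_numbers(reqs: List[PinRequest]) -> List[str]:
    """Destinations that do not follow the correct format for any known country."""
    return [r.msisdn for r in reqs if not is_well_formed(r.msisdn)]


def consecutive_runs(reqs: List[PinRequest], min_run: int = 3) -> List[List[str]]:
    """Runs of numerically consecutive destinations (...001, ...002, ...003), a classic bot footprint."""
    nums = sorted({int(r.msisdn) for r in reqs if r.msisdn.isdigit()})
    runs: List[List[int]] = []
    current: List[int] = []
    for n in nums:
        if current and n == current[-1] + 1:
            current.append(n)
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = [n]
    if len(current) >= min_run:
        runs.append(current)
    return [[str(n) for n in run] for run in runs]


def range_bursts(reqs: List[PinRequest], prefix_len: int = 6, threshold: int = 5) -> Dict[str, int]:
    """Number prefixes (a proxy for one operator's range) hit by at least `threshold` distinct numbers."""
    per_prefix: Dict[str, Set[str]] = defaultdict(set)
    for r in reqs:
        per_prefix[r.msisdn[:prefix_len]].add(r.msisdn)
    return {p: len(s) for p, s in per_prefix.items() if len(s) >= threshold}


def scan(reqs: List[PinRequest], allowed: Set[str]) -> Dict[str, object]:
    """Run every heuristic and return the findings for review."""
    return {
        "unexpected_countries": unexpected_destinations(reqs, allowed),
        "malformed": malformed_numbers(reqs),
        "consecutive_runs": consecutive_runs(reqs),
        "range_bursts": range_bursts(reqs),
    }


# Constructed sample log: an Estonian service that should only ever send PINs to Estonia.
SAMPLE = [
    PinRequest(1000, "3725101001", "203.0.113.7"),
    PinRequest(1001, "3725101002", "203.0.113.7"),
    PinRequest(1002, "3725101003", "203.0.113.7"),
    PinRequest(1003, "37251", "203.0.113.7"),          # too short for an EE number
    PinRequest(1004, "998901234567", "198.51.100.9"),
    PinRequest(1005, "998901234568", "198.51.100.9"),
    PinRequest(1006, "998901234569", "198.51.100.9"),
    PinRequest(1007, "998901777777", "198.51.100.9"),
    PinRequest(1008, "998901888888", "198.51.100.9"),
    PinRequest(1009, "8801712345678", "198.51.100.9"),
    PinRequest(1010, "12345", "198.51.100.9"),         # unknown calling code

]

if __name__ == "__main__":
    for name, finding in scan(SAMPLE, allowed={"EE"}).items():
        print(f"{name}: {finding}")
```

Run against the constructed sample, the scan flags Uzbekistan and Bangladesh as unexpected destinations, two malformed numbers, two consecutive runs and one prefix that received five distinct numbers. None of these findings proves fraud on its own, but together they are exactly the account statistics worth alerting on.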
How to avoid Artificially Inflated Traffic attacks
These tried and tested measures below will help you avoid costly SMS PIN spam fraud.
1. Set up CAPTCHA verification
Presenting a CAPTCHA each time someone requests a PIN code via SMS on your website or application is the best way to prevent AIT.
While this is an extra step for real users, it eliminates the possibility of someone running a bot attack that continuously requests PIN codes to different phone numbers. For a single person to request PIN codes to different numbers and complete a CAPTCHA each time would simply be too time-consuming for a hacker.
2. Set your account to pre-pay
Pre-pay works like a damage control system. If you have a weekly or monthly prepayment on your account, an attack can cause only that much damage. Say you are paying a few thousand euros monthly and the account is set to post-pay: one attack can easily double your monthly bill, or worse. But if the account is set to pre-pay and has credits only for that one month, then that’s the maximum you’ll lose.
3. Limit the number of SMS PIN code requests
Another thing you could try is to set a limit on the number of SMS requests per IP address or session. So, if a hacker tries to make more than five SMS PIN code requests from the same IP within, say, 30 minutes, all additional requests could be rejected internally.
While public IP addresses can be spoofed, potential hackers would need to switch IP addresses after a set number of requests – which would be a lot of hassle.
4. Disable SMS delivery to destinations you don’t need
The SMS service is global, but if your clients are based only in selected countries, there isn’t a need to enable worldwide SMS delivery.
Messente can easily disable SMS delivery to all destinations where you don’t want to send messages. Then, whenever someone tries to send an SMS to a ‘disabled’ country via Messente, we reject the request at our end at no cost to you. While this won’t protect you from SMS bot attacks in your target market, this method will reduce the risk to your business.
5. Pick a provider you can trust
Evaluate thoroughly who your business messaging partner is. Try to find out how much they really know about AIT and whether they offer any solutions from their side, or at least whether they are working on it. Look into what processes and alerts they have to minimise or prevent AIT. And finally, see how transparent they are in sharing information about their business processes.
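Measures 1, 3 and 4 above can all sit in one server-side gate in front of the endpoint that sends the PIN. The class below is an added example, not Messente’s code or API: it requires a passed CAPTCHA, rejects destinations outside the countries you serve, and enforces the five-requests-per-30-minutes cap per IP address and per session with a sliding window. The `PinRequestGate` name, the `dest_country` parameter (assumed to be derived by the caller from the destination number) and the scenario in `simulate()` are constructed for the demo.

```python
"""Server-side gate for an SMS PIN endpoint: CAPTCHA, destination allowlist and
per-IP / per-session rate limiting. Added example, not Messente's code or API."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple


class PinRequestGate:
    def __init__(self, allowed_countries: Set[str], max_requests: int = 5,
                 window_seconds: int = 30 * 60):
        self.allowed_countries = allowed_countries
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        # One sliding window of send timestamps per limiter key ("ip:..." or "session:...").
        self._windows: Dict[str, Deque[float]] = defaultdict(deque)

    def _over_limit(self, key: str, now: float) -> bool:
        window = self._windows[key]
        while window and now - window[0] >= self.window_seconds:
            window.popleft()  # drop sends that have aged out of the window
        return len(window) >= self.max_requests

    def _record(self, key: str, now: float) -> None:
        self._windows[key].append(now)

    def check(self, *, src_ip: str, session_id: str, dest_country: str,
              captcha_passed: bool, now: float) -> Tuple[bool, str]:
        """Decide whether a PIN SMS may be sent. Only accepted sends count against the caps."""
        if not captcha_passed:
            return False, "captcha_required"
        if dest_country not in self.allowed_countries:
            return False, "destination_disabled"   # rejected before any quota is used
        ip_key, session_key = f"ip:{src_ip}", f"session:{session_id}"
        if self._over_limit(ip_key, now):
            return False, "ip_rate_limited"
        if self._over_limit(session_key, now):
            return False, "session_rate_limited"
        self._record(ip_key, now)
        self._record(session_key, now)
        return True, "ok"


def simulate() -> List[str]:
    """Constructed scenario: a service that only sends PINs to Estonia, facing a burst from one IP."""
    gate = PinRequestGate(allowed_countries={"EE"})
    outcomes = []
    # Six rapid requests from one IP and session: the sixth exceeds 5 per 30 minutes.
    for i in range(6):
        outcomes.append(gate.check(src_ip="203.0.113.7", session_id="s1", dest_country="EE",
                                   captcha_passed=True, now=1000 + i)[1])
    # A fresh session behind the same IP still hits the per-IP cap.
    outcomes.append(gate.check(src_ip="203.0.113.7", session_id="s2", dest_country="EE",
                               captcha_passed=True, now=1010)[1])
    # A destination the business never sends to is rejected outright.
    outcomes.append(gate.check(src_ip="198.51.100.9", session_id="s3", dest_country="UZ",
                               captcha_passed=True, now=1011)[1])
    # No CAPTCHA solved: no SMS is sent.
    outcomes.append(gate.check(src_ip="198.51.100.9", session_id="s3", dest_country="EE",
                               captcha_passed=False, now=1012)[1])
    # 30 minutes after the first send, the oldest entry has expired and one slot is free again.
    outcomes.append(gate.check(src_ip="203.0.113.7", session_id="s1", dest_country="EE",
                               captcha_passed=True, now=1000 + 1800)[1])
    return outcomes


if __name__ == "__main__":
    for i, outcome in enumerate(simulate(), 1):
        print(f"request {i}: {outcome}")
```

The order of the checks matters: the cheap CAPTCHA and allowlist checks run first so that a rejected request never consumes quota, and the per-session cap catches a bot that rotates IP addresses while reusing one session. Keying the limiter on both IP and session is what makes the "switch IP after every few requests" workaround described above costly in practice.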
Messente can help you tackle AIT
It’s not possible to automatically detect which SMS requests are made by a bot and which come from a real user (because the content is identical and comes from the same source). However, monitoring your account and message statistics is one way to see whether hackers are targeting your company.
If you think AIT attacks are impacting your application or business, reach out to us immediately – we want to help! Rest assured, we’ll do our best to find a solution for your case.