author
Jan Schuster2023-06-01

Artificially Inflated Traffic (AIT): how to prevent fraud of A2P SMS

The A2P SMS industry and their customers are facing a new type of fraudulent attacks involving unwanted generated SMS traffic, called Artificially Inflated Traffic. Inadequately secured web services are exploited to trigger this type of SMS messages. It is currently almost impossible to identify those behind the attacks. Although the number of companies affected by this type of attack is still limited, we at LINK take this seriously and therefore want to inform you on how you can reduce the risk of them affecting your company.

Explanation of occurring abbreviations:

  • CAPTCHA: Stands for Completely Automated Public Turing test to tell Computers and Humans Apart and are tools you can use to identify real users and automated users, e.g., bots

  • A2P: Application-to-person is any type of traffic where a person receives messages from an application

  • OTP: One-Time Password, i.e., password that is only valid during one login session

  • AIT: Artificial Inflation of Traffic is a type of SMS fraud that generates fake SMS traffic through apps and websites where the attackers make huge financial gains

  • MSISDN: Mobile Station International Subscriber Directory Number is the complete number of users (e.g. a mobile phone number).

What is Artificially Inflated Traffic?

Artificially Inflated Traffic (AIT) is a new type of SMS fraud where actors generate large volumes of fake traffic through apps or websites. The fraud usually takes place through so-called OTP SMS (One-time password SMS), where the fraudster uses bots that generate fake accounts to trigger OTP SMS to several mobile numbers. There are multiple parties involved in this type of attack, one who performs the actual attack and a rogue actor who then intercepts the inflated traffic without actually delivering messages to the end user. Large amounts of unwanted SMS traffic are generated by calling the service repeatedly. Both actors ultimately generate large profits from the attacks.

Traffic fraud occurs through end users and against weakly protected web services, such as web forms and apps that can generate A2P SMS. The traffic is sent from a customer's normal system and the messages have no abnormal content. An attack and the result of a marketing campaign or expansion into a new market can have almost identical traffic patterns.

We help you manage and reduce the risk of traffic fraud. However, it is important to point out that the attacks are not due to security flaws in LINK Mobility's solutions, networks, platforms, APIs or applications. To counter this type of attack, LINK's NOC monitors our systems 24/7 and can therefore step in and stop an attack when it is detected. But even when an attack occurs, it can be difficult to detect it from the provider's side. To improve protection, we therefore encourage our customers to increase the security of their customer services that can generate A2P SMS so that the risk of AIT can be minimized.

How do AIT attacks happen?

Below we list the most common situation where AIT attacks have been detected. They mainly take place through web forms and smartphone apps that can trigger A2P SMS:

  • Sign up via SMS

  • Sign up via SMS with two-factor authentication

  • Change MSISDN for two-factor authentication

  • SMS with AppStore URL for mobile

  • Send SMS with AppStore link to mobile

Web form attacks can easily be triggered by bots, while attacks on apps can be triggered by bots on smartphone emulators and by extracted API credentials from the app.

What you can do to prevent attacks

To counter these types of attacks, there are several measures you can take, thus minimizing the risk of them happening. You can, among other things:

  • Block or whitelist markets to limit sending to countries outside your target markets

  • Implement rate limit for sending's to countries outside your target markets

  • Implement a sophisticated CAPTCHA (e.g. Google reCaptcha)

  • Manually or automatically review the SMS statistics per country

  • Apply countermeasures to all processes that include SMS (registration, login, update user data, opt-out, etc.)

Countermeasures known to be circumvented by attackers

We also want to inform you about measures that can be easily bypassed by the attackers and therefore do not provide good protection. However, this does not mean that the measures are useless and cannot counter possible attacks. However, they offer no guarantee of stopping persistent malicious hackers. Listed below are these measures and how attackers circumvent them:

AIT CountermeasuresHow Attackers circumvent the measure
Limit number of requests per IP addressattackers use botnets to exploit multiple IP addresses
Blocking of IP addresses and IP rangesattackers use botnets to exploit multiple IP addresses and ranges
Block sending SMS to the same MSISDNattackers generate multiple random MSISDNs
Block to many different MSISDNs from one IPattackers circle different MSISDNs through different IPs
Use of simple CAPTCHAsattackers use text recognition or cheap labor to solve CAPTCHAs
Monitor high number of undelivered messages per countryattackers return fake DLRs

Attacker’s behavior to avoid blocking

  • There is a pattern in how the attackers behave to bypass blocking of attacks. Keep those in mind when increasing the security of your systems:

  • The AIT attacks begin at night, before weekends and public holidays, i.e., at times when systems usually are less monitored.

  • They start sending slowly in order to stay under the radar and document SMS volumes when traffic is blocked.

  • They then send further campaigns at a slower speed than documented blocking speed.

  • Sends SMS to many countries which cannot be completely blocked. Much of the traffic can be an indirect damage to hide SMS to the attackers’ target markets.

  • Synchronise used MSISDNs between the party that triggers the traffic and the party that aims to boost profit. Random numbers would result in a high number of undelivered messages. If the second party knows which incoming MSISDNs they must expect, they can return positive fake DLRs to a) avoid detection and b) discard the SMS (results in 100% margin and no risk of end user complaints).

    Our best advice is to consider the security of your web services that can generate A2P SMS traffic, so you can reduce the risk of Artificially Inflated Traffic. If you have any questions, please contact your local support team!

....