| ID | Name |
|---|---|
| T1496.001 | Compute Hijacking |
| T1496.002 | Bandwidth Hijacking |
| T1496.003 | SMS Pumping |
| T1496.004 | Cloud Service Hijacking |

Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.[1] SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.[2]

Threat actors often use publicly available web forms, such as one-time password (OTP) or account verification fields, in order to generate SMS traffic. These fields may leverage services such as Twilio, AWS SNS, and Amazon Cognito in the background.[1][3] In response to the large quantity of requests, SMS costs may increase and communication channels may become overwhelmed.[1]

| ID | Mitigation | Description |
|---|---|---|
| M1013 | Application Developer Guidance | Consider implementing CAPTCHA protection on forms that send messages via SMS. |

| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0156 | Detection Strategy for Resource Hijacking: SMS Pumping via SaaS Application Logs | AN0443 | Automated and repetitive triggering of SMS messages through OTP/account verification fields on SaaS platforms, leveraging background messaging APIs such as Twilio, AWS SNS, or Amazon Cognito to generate traffic toward attacker-controlled numbers. |
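
One way to turn the AN0443 description into a check over application logs, as an added example that is not ATT&CK's own analytic code. It assumes a hypothetical log line of timestamp, client IP and destination number, assumes the pumped number set shares a leading prefix, and uses illustrative thresholds and function names.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed OTP-send events (not real logs): timestamp, client IP, destination.
SAMPLE_LOG = """\
2024-05-01T10:00:05 192.0.2.10 +15550100123
2024-05-01T10:00:10 198.51.100.1 +9990001200
2024-05-01T10:00:40 198.51.100.2 +9990001201
2024-05-01T10:01:10 198.51.100.3 +9990001202
2024-05-01T10:01:30 192.0.2.44 +15550199456
2024-05-01T10:01:40 198.51.100.1 +9990001203
2024-05-01T10:02:10 198.51.100.2 +9990001204
2024-05-01T10:02:40 198.51.100.3 +9990001205
2024-05-01T10:20:00 192.0.2.10 +15550142789
"""

def parse(log):
    """Yield (timestamp, client_ip, destination) from whitespace-separated lines."""
    for line in log.splitlines():
        if line.strip():
            ts, ip, dest = line.split()
            yield datetime.fromisoformat(ts), ip, dest

def detect(events, window=timedelta(minutes=5), threshold=5, prefix_len=9):
    """Return {(kind, key): peak count} for keys reaching `threshold` sends
    inside a sliding `window`. Keys: the client IP and the destination prefix.
    Prefix grouping is an assumption: it catches a number range being fed
    from rotating client addresses, which per-client counting misses."""
    recent = defaultdict(deque)  # key -> timestamps still inside the window
    alerts = {}
    for ts, ip, dest in sorted(events):
        for key in (("client", ip), ("dest_prefix", dest[:prefix_len])):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:  # drop sends older than the window
                q.popleft()
            if len(q) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts

if __name__ == "__main__":
    for (kind, key), peak in detect(parse(SAMPLE_LOG)).items():
        print(f"ALERT {kind}={key} peak={peak} sends in window")
```

In the constructed sample no single client reaches the threshold, yet the shared destination prefix does; tune `window`, `threshold` and `prefix_len` against a baseline of legitimate verification traffic.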