Resource Hijacking: SMS Pumping

Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.[1] SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.[2]

Threat actors often use publicly available web forms, such as one-time password (OTP) or account verification fields, in order to generate SMS traffic. These fields may leverage services such as Twilio, AWS SNS, and Amazon Cognito in the background.[1][3] In response to the large quantity of requests, SMS costs may increase and communication channels may become overwhelmed.[1]

ID: T1496.003
Sub-technique of: T1496
Tactic: Impact
Platforms: SaaS
Impact Type: Availability
Version: 1.0
Created: 25 September 2024
Last Modified: 16 October 2024

Mitigations

ID: M1013
Mitigation: Application Developer Guidance
Description: Consider implementing CAPTCHA protection on forms that send messages via SMS.

Detection

ID: DS0015
Data Source: Application Log
Data Component: Application Log Content
Detects: Monitor for excessive use of SMS services, especially on public sign-up forms. For example, alert on large quantities of messages sent to adjacent numbers. In SMS-based OTP flows, monitor for large quantities of incomplete verification cycles.[2] In Amazon Cognito environments, monitor for spikes in calls to the SignUp or ResendConfirmationCode API.[3]
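The following is an added example, not part of the ATT&CK entry: one way to combine the adjacent-number and incomplete-verification signals over application log events. The event names (otp_sent, otp_verified), the thresholds and the sample numbers are assumptions constructed for illustration, and the log batch is assumed to cover a single monitoring window.

```python
from collections import defaultdict

# Constructed sample application log: (epoch seconds, event, destination number).
# Event names and phone numbers are made up for this example.
SAMPLE_LOG = (
    # Twelve sends to one adjacent number block, none ever verified.
    [(1000 + i, "otp_sent", f"+99955501{i:02d}") for i in range(12)]
    # Ordinary traffic: scattered numbers, most cycles completed.
    + [(2000, "otp_sent", "+15550100001"), (2030, "otp_verified", "+15550100001"),
       (2100, "otp_sent", "+15550177342"), (2140, "otp_verified", "+15550177342"),
       (2200, "otp_sent", "+15550123999")]
)

def find_pumping_candidates(events, suffix_len=2, min_numbers=10, max_completion=0.2):
    """Group destinations by prefix (number minus its last suffix_len digits) and
    flag prefixes with many distinct recipients but few completed verifications."""
    sent = defaultdict(set)
    verified = defaultdict(set)
    for _ts, event, number in events:
        digits = "".join(ch for ch in number if ch.isdigit())
        prefix = digits[:-suffix_len]
        if event == "otp_sent":
            sent[prefix].add(digits)
        elif event == "otp_verified":
            verified[prefix].add(digits)
    alerts = []
    for prefix, numbers in sent.items():
        # Share of recipients in this block that finished the OTP cycle.
        completion = len(verified[prefix] & numbers) / len(numbers)
        if len(numbers) >= min_numbers and completion <= max_completion:
            alerts.append({"prefix": prefix, "numbers": len(numbers),
                           "completion_rate": round(completion, 2)})
    return sorted(alerts, key=lambda a: -a["numbers"])

if __name__ == "__main__":
    for alert in find_pumping_candidates(SAMPLE_LOG):
        print(alert)
```

Requiring both conditions keeps a large block of legitimate users who complete verification from being flagged; tune the thresholds against your own baseline traffic.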

References