What is ``SMS traffic pumping fraud'' that demands two-factor authentication SMS?

When a call is made across mobile phone carriers such as 'NTT docomo and au', the called party charges the calling party a 'connection charge' (access charge). The act of exploiting this mechanism is called '

traffic pumping ', and 'unlimited voice call service' is often used illegally, but a new method called 'SMS traffic pumping fraud' was born. It is reported that there are

SMS Traffic Pumping Fraud – Twilio Support

SMS Fraud Takes A Toll: The Evolving Threat of SMS Pumping and Toll Fraud - Security Boulevard


'Traffic pumping' is based on 'connection charges' exchanged between telecommunications carriers. The person receiving the call appears to be making the call for free, but in reality there is a cost incurred, which the carrier collects from the caller. In the case of a call that straddles telecommunications carriers, the called party will bill the calling party as a 'connection fee'. In an article on Keitai Watch, Junya Ishino recalls the past in 2009 when NTT Docomo was charged excessive connection fees from Softbank.

In the traffic pumping procedure, the unscrupulous group first prepares multiple phone numbers that have contracted for unlimited voice calls. The number is then used to make a large number of calls to numbers controlled by another carrier. At that time, instead of making a call manually, a bot etc. will be used.

Telecommunications carriers that receive a large number of calls can receive a large connection fee according to the time from the originating telecommunications carrier, and provide part of it to the unscrupulous group as an incentive. In other words, by collusion between the unscrupulous group and the telecommunications carrier on the receiving side, both parties will be charged a connection fee. In addition, this collusion makes it possible to protect yourself from investigations and exposures related to claims for padding connection fees, which are originally illegal.

At first glance, it seems that there is no damage or impact on general users, but if traffic pumping increases, there is a risk that it will hinder business and revenue, and as a result, we will have to raise the price of unlimited voice call services. It has been pointed out that there is a possibility that it will not be possible to obtain

A user who said that his mobile phone was abused for traffic pumping because his mobile phone was stolen said, ``In 10 hours until the SIM card is locked, the thief has 100 hours of Algerian phone numbers. I made a fairly expensive voice call, and a total of $ 10,000 (about 1.4 million yen) of damage

occurred .'

In recent years, in addition to traffic pumping using voice calls, a new fraud method called 'SMS traffic pumping fraud' has been reported.

' Phone numbers with premium prices ' are used for SMS traffic pumping scams. This is a phone number that charges the caller a premium when calling. Many of these numbers are used on support chats and adult sites. Call charges paid by the caller will be paid not only to the telecommunications carrier, but also to the operator of the support chat and adult site.

The fraud group sets this phone number as their own phone number and searches for a service that sends SMS. In doing so, it targets businesses that use SMS for two-factor authentication.

When the fraud group poses as a user and performs two-factor authentication, the net service will send an SMS to the target phone number. The SMS transmission fee added by the premium price is charged to the net service, and the money is paid to the fraud group. By exploiting this mechanism, the vendor creates a bot account, requests a large amount of SMS, and steals the SMS transmission fee from the net service.

Once the SMS traffic pumping scam is successful, the scammers will regularly change their phone number and make repeated SMS requests. It will also launch attacks against other targets in the list held by the fraudulent group, using the same techniques that have worked for other targets.

Elon Musk reported in February 2023, ``Twitter is suffering from SMS traffic pumping fraud of $60 million annually.''

The SMS traffic pumping scam is defined as ``the telecommunications carrier used by the fraudulent group participates in a series of frauds and enters into an incentive distribution agreement with the group'' or ``the telecommunications carrier is unintentionally used for fraud by the fraudulent group. It is said that two scenarios can be considered.

As a way to check if you're a victim of an SMS traffic pumping scam, cloud communications platform

Twilio reported a spike in messages from neighboring phone numbers such as +1111111110, +1111111111, +1111111112, +1111111113. If so, you may be suffering from SMS traffic pumping.'

As a means of preventing SMS traffic pumping fraud, Twilio has rate limits such as 'enable anti-fraud guard', 'disable receiving SMS from unintended countries', and 'do not receive more than 1 SMS per second' It is recommended that

Also, 'Introduce CAPTCHAs etc. to detect and prevent bot traffic', 'Introduce a delay between verification retry requests to prevent high speed traffic', and 'Use carrier lookups '. countermeasures such as checking the phone number of the other party before receiving SMS, monitoring the number of one-time passwords issued, and issuing a warning if the number exceeds a specified number.

in Mobile,   Security, Posted by log1r_ut