Artificially Inflated Traffic (AIT) - what is it and what to do?

There are many ways that SMS fraud can occur. According to a Mobile Ecosystem Forum report fraud is a “wrongful or criminal deception, intended to result in financial or personal gain, against an individual or organization.”

Lately we have seen AIT attacks against a few customers.

Two-factor authentication PIN code attacks, SMS bot attacks, SMS PIN spam fraud, SMS pumping, Artificially Inflated Traffic (AIT) – there are several names for this type of fraudulent activity that now affects so many online services and applications.

Artificially Inflated Traffic is where a rogue third-party uses mobile-originated interconnect revenue share to generate profit, and it usually affects premium phone numbers through voice calls.

However, this type of scam is now seeping over into SMS technology with artificially inflated SMS PIN code requests.

These PIN code requests are triggered automatically through ‘bots’, and they target SMS-numbers or websites and request a PIN code via SMS messages. When possible, these large SMS volumes are sent to high-cost destinations, often internationally, which further inflates costs. When the targeted enterprise victim pays its significantly inflated SMS invoice, a rouge provider gives a portion of the profits to the fraudsters who initiated the attack.

Initially, it seemed that fraudulent SMS PIN code requests got sent to a small subset of premium numbers where each SMS message generated income for the hacker but the fact that most of the phone numbers targeted aren’t actually premium numbers (where an income can be generated) leads us to believe that these hackers aren’t in it for financial gain. Instead, they want to cause financial harm to companies – or they’re simply ‘bored’ and want to exploit businesses for ‘fun’.

What to do?

A good approach to help you spot SMS PIN spam fraud is to check whether text messages are being requested to countries where your company doesn’t typically operate.

Presenting CAPTCHA each time someone requests a PIN code via SMS on your website or application is the best way to avoid two-factor authentication PIN code attacks.

While this is an extra step for real users, it will eliminate the possibility of someone running a spam bot attack and continuously requesting PIN codes to different phone numbers. A single person requesting PIN codes to different numbers and completing CAPTCHA would be simply too time-consuming for a hacker.

Another thing you could try is to set a limit on the number of SMS requests per IP address or per session. So, if a hacker tries to request more than five SMS PIN code requests from the same IP within, say, 30 minutes, all additional requests could be rejected internally.

While public IP addresses can be spoofed, potential hackers would need to switch IP addresses after a set number of requests – which would be a lot of hassle.


Vill du att vi kontaktar dig?

Lämna dina kontaktuppgifter nedan, så hör vi av oss till dig. Denna kontaktväg är enbart för dig som är intresserad av Sergels tjänster. Om du har fått ett inkassokrav kan du inte kontakta oss via formuläret nedan. I så fall behöver du logga in på Mina Sidor och skicka ett meddelande därifrån.