AIT Fraud: Minimise Your Risk

AIT Risk Summary

Costs associated with an AIT attack can quickly escalate to many thousands of dollars. AIT risk applies to operators of websites or apps allowing users to trigger SMS delivery. If your organisation operates such a service we recommend you read this article and undertake your own risk assessment.

What is AIT?

Artificially Inflated Traffic (AIT) is a type of SMS fraud where SMS traffic is generated by a malicious actor, this is also called “SMS pumping”. AIT is used to increase the revenue of companies that handle the delivery of SMS messages like aggregators and telcos, it’s also sometimes used to manipulate metrics as part of a broader strategy such as price negotiations between aggregators. This is different to traditional SMS scams like SMS phishing where the target is the recipient of the SMS.  AIT is purely about message volume and the victim is the business inadvertently sending the messages.  The content of the messages is not important however the hacker must be able to set the destination which allows them to effectively control enough of the routing to achieve their objectives.

As SMS messages incur a cost this type of fraud can lead to substantial financial damages for impacted businesses. Elon Musk claimed in 2022 that X (Twitter) “was being scammed to the tune of 60 million dollars a year for SMS texts”.

If you run a website or an app that sends SMS messages you’ll be connected to an SMS supplier. This company won’t deliver they messages directly to handsets, each message will pass through a number of different aggregators and carriers before reaching the destination handset. Even if you trust your supplier they won’t have full control of the routing and your message may pass through a carrier that’s colluding with a hacker to profit from AIT. 

AIT traffic tends to be sent to high cost destinations and to countries where the carriers may be bribed to turn a blind eye to the fraud.

What are the vulnerabilities?

A typical AIT attack will involve something on the public internet that can be used to trigger an SMS message to an individual (A2P messaging), an example is a signup form that includes mobile number confirmation via an OTP delivered by SMS. Here a hacker can fill out the form, include their destination of choice and trigger the message. In practice this would be done repeatedly with a script to generate a high volume of SMS traffic in a short period of time. Anything that allows a hacker to generate traffic and control the destination is a potential vulnerability.

In some cases the hacker doesn’t explicitly control the destination number, they may have purchased a list of account details for a service, found those with suitable mobile numbers and repeatedly triggered OTP messages to those destinations.

Protection from AIT

If you have a website or app that uses A2P messaging that might be vulnerable to AIT attacks there are a few simple things you can do to help keep you safe. The internet is a big place and there are plenty of easy AIT targets so a small measure that makes you a difficult target may be enough.

  • Block traffic to countries you don’t need to deliver to. If this is an option for you it’s probably the easiest and most effective step to take.
  • Block repeat messages to the same destination, this is a characteristic of an unsophisticated AIT attack.
  • Block repeat requests from the same IP address, this usually means the requests are from a bot.
  • Block spikes of traffic to countries you don’t normally deliver to.
  • Block runs of messages to sequential or nearly sequential numbers.
  • Implement measures to prevent bots submitting your forms like Captchas, honeypot fields and timing checks.
  • Implement a message rate limit. This will not stop AIT but may greatly reduce the damage done by an attack.
  • Implement daily or hourly traffic limits. Again, this is damage control but it may prevent a large cost to your business.
Chris Lewis
Author: Chris Lewis