Artificial Inflation of Traffic

Learn more about AIT.

Understanding Artificial Inflation of Traffic:

AIT is a form of SMS fraud that involves the generation of a substantial volume of fake traffic through mobile applications or websites. Reviewing research shared at the MEF Global Forum identified AIT as one of the significant threats that impacted messaging in 2022, alongside grey routes and SMS phishing. Projections suggest that AIT will take a leading role in 2023.

How Artificial Inflation of Traffic works:

In essence, AIT is orchestrated by automated bots, which trigger processes like sign-ups, logins, or password resets on websites to obtain One-Time Password (OTP) codes. These codes are sent via SMS to mobile numbers that the fraudsters have a vested interest in generating traffic towards. It's important to note that these incidents don't typically occur due to leaked API keys, compromised credentials, or security vulnerabilities. Instead, the fraudsters exploit vulnerabilities within a customer's website to repeatedly send SMS messages. These vulnerabilities are commonly found in web forms and mobile apps, which can trigger Application-to-Person (A2P) SMS for various purposes, such as:

  • SMS-based login or sign-up.
  • Password reset via SMS.
  • Sign-up via SMS with two-factor authentication.
  • Change Settings or MSISDN for two-factor authentication.
  • Sending an SMS containing an App Store link.

A typical AIT scenario unfolds as follows:

  1. A fraudster either develops or procures a bot capable of generating fake accounts.
  2. The fraudster identifies a vulnerable process and deploys the bot, which then triggers OTP messages to legitimate mobile numbers.
  3. The fraudster profits from this malicious activity.
  4. This scam can be repeated ad infinitum.
  5. The financial responsibility for these SMS messages falls upon the account owner that unwittingly sent them. Often, these SMS messages are directed to mobile networks in distant countries with high SMS costs, compounding the financial burden.

Best Practices for Defending Against AIT:

While there isn't a one-size-fits-all strategy to combat AIT, customers can adopt several preventive and detective measures to significantly reduce the risk of fraudulent attacks:

  • Monitor Unusual Outgoing Message Volumes: Implement additional checks on IP addresses, user accounts, or device identifiers during the account creation process. This can help identify suspicious behaviours and enable swift action before a fraudster can request an SMS message to be sent.
  • Monitor OTP SMS Conversion Rates (CR): In many instances, perpetrators struggle to maintain high CRs with AIT.
  • Enforce Message Rate Limits: Ensure your application doesn't send more than one message per specified time interval to the same mobile number range or prefix.
  • Implement Rate Limits: Apply restrictions to limit the number of messages sent from a single user, IP address, or device within a certain timeframe.
  • Disable Messaging to Unused Destinations: Prevent sending messages to countries where your brand doesn't operate, as AIT incidents are more likely to occur there.
  • Employ CAPTCHA and Similar Tools: Utilise CAPTCHA and other similar mechanisms to thwart bot-driven attacks.

What to Do if You Suspect AIT on Your Account:

If you suspect an AIT attack on your account, please reach out to us at [email protected] for further assistance.