Resource Hijacking: SMS Pumping
Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability. SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim's messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.
Threat actors often use publicly available web forms, such as one-time password (OTP) or account verification fields, in order to generate SMS traffic. These fields may leverage services such as Twilio, AWS SNS, and Amazon Cognito in the background. In response to the large quantity of requests, SMS costs may increase and communication channels may become overwhelmed.
AWS Specific Content
A prerequisite for this technique is that a threat actor has identified an Amazon Cognito environment that is not protected by AWS WAF or protect configurations.
SMS pumping is a type of telecommunications fraud where a threat actor purchases a block of high-rate phone numbers from a telecom provider and then coerces unsuspecting services into sending SMS messages to those numbers. An unauthorized user can abuse the SMS and text messaging capability of Amazon Cognito's user pool sign-up process to send a high volume of SMS messages to the telecom provider.
Detection
Review or monitor CloudTrail event history for numerous SignUp API calls. Create a CloudWatch Events rule to match the AWS API call specified. Excessive billing may also provide indications of this technique being utilized.
AWS Specific Content
For Amazon Cognito, you can monitor for large numbers of SMS-based OTP (one-time password) flows where the number of incomplete verification cycles exceeds the regular baseline. Review or monitor CloudTrail event history for an excessive number of SignUp API calls and a disproportionately lower number of ConfirmSignUp API calls. Similarly, you can apply this observability to the user password reset flow by analyzing the ForgotPassword and ConfirmForgotPassword API operations for deviations. Excessive billing may also provide indications of this technique being utilized. For additional information on how to detect this technique, refer to the Detect SMS pumping section in this article.
ID | Data Source | Data Component | Description |
---|---|---|---|
DS0015 | Application Log | Application Log Content | Monitor for excessive use of SMS services, especially in public sign-up forms. For example, alert on large quantities of messages sent to adjacent numbers. In SMS-based OTP flows, monitor for large quantities of incomplete verification cycles. In Amazon Cognito environments, monitor for spikes in calls to the SignUp or ResendConfirmationCode API. For additional information, click [here](https://aws.amazon.com/blogs/security/reduce-risks-of-user-sign-up-fraud-and-sms-pumping-with-amazon-cognito-user-pools/). |
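An added example (not from the page or from AWS) of the ratio check described above: it counts CloudTrail-style Cognito events and flags OTP flows whose incomplete-verification share exceeds a baseline. The event records, the baseline and the minimum-volume threshold are constructed values.

```python
from collections import Counter

COGNITO_SOURCE = "cognito-idp.amazonaws.com"

# Constructed sample: trimmed CloudTrail records for one user pool. Real records
# carry many more fields; only eventSource and eventName are used here.
SAMPLE_EVENTS = (
    [{"eventSource": COGNITO_SOURCE, "eventName": "SignUp"}] * 40
    + [{"eventSource": COGNITO_SOURCE, "eventName": "ConfirmSignUp"}] * 3
    + [{"eventSource": COGNITO_SOURCE, "eventName": "ResendConfirmationCode"}] * 12
    + [{"eventSource": COGNITO_SOURCE, "eventName": "ForgotPassword"}] * 2
    + [{"eventSource": COGNITO_SOURCE, "eventName": "ConfirmForgotPassword"}] * 2
    + [{"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity"}]
)

# Each SMS OTP flow is a (start call, completion call) pair.
OTP_FLOWS = (("SignUp", "ConfirmSignUp"), ("ForgotPassword", "ConfirmForgotPassword"))


def count_cognito_calls(events):
    """Count Cognito user-pool API calls by eventName, ignoring other services."""
    return Counter(e["eventName"] for e in events if e.get("eventSource") == COGNITO_SOURCE)


def incomplete_ratio(counts, start, confirm):
    """Share of started flows that were never completed (0.0 if none started)."""
    started = counts.get(start, 0)
    if started == 0:
        return 0.0
    return round(max(0, started - counts.get(confirm, 0)) / started, 3)


def find_pumping_indicators(events, baseline_ratio=0.3, min_starts=20):
    """Return one (start, confirm, started, completed, ratio) tuple per flow that
    exceeds the incomplete-verification baseline and has enough volume to matter;
    low-volume flows are skipped so a handful of abandoned sign-ups does not alert."""
    counts = count_cognito_calls(events)
    findings = []
    for start, confirm in OTP_FLOWS:
        started, completed = counts.get(start, 0), counts.get(confirm, 0)
        ratio = incomplete_ratio(counts, start, confirm)
        if started >= min_starts and ratio > baseline_ratio:
            findings.append((start, confirm, started, completed, ratio))
    return findings
```

In practice the events come from a CloudTrail lookup or a CloudWatch Logs query over a fixed window, and the baseline should be derived from the pool's normal confirmation rate.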
Mitigation
Consider implementing CAPTCHA protection on forms that send messages via SMS.
AWS Specific Content
Implementing bot mitigation techniques, such as CAPTCHA, can be effective in preventing simple bots from pumping user creation flows. You can integrate a CAPTCHA framework on your application's frontend and validate that the client initiating the sign-up request is operated by a human user. If the user has passed the verification, you then pass the CAPTCHA user response token in ClientMetadata together with user attributes to an Amazon Cognito SignUp API call. As part of the sign-up process, Cognito invokes an AWS Lambda function called the pre sign-up Lambda trigger, which you can use to reject sign-up requests if there isn't a valid CAPTCHA token presented. This will slow down bots and help reduce unintended account creation in your Cognito user pool.
Another layer of mitigation is to identify the threat actor's phone number early in your application's sign-up process. You can validate the user-provided phone number in the backend to catch incorrectly formatted phone numbers and add logic to help filter out unwanted phone numbers prior to sending text messages. Amazon Pinpoint offers a Phone Number Validate feature that can help you determine if a user-provided phone number is valid, determine the phone number type (such as mobile, landline, or VoIP), and identify the country and service provider the phone number is associated with. The returned phone number metadata can be used to decide whether the user will continue the sign-up process and whether to send an SMS message to that user. Note that there is an additional charge for using the phone number validation service. For more information, see Amazon Pinpoint pricing.
Threat actors often purchase blocks of cell phone numbers from a wireless service provider and use phone numbers with the same area code. If you are able to observe a pattern and identify that these attempts use the same area code, you can modify your pre sign-up Lambda function to reject sign-up requests containing those area code patterns.
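An added example (not AWS's own code) of the pre sign-up Lambda trigger described above, combining the CAPTCHA-token check with the phone-number format and area-code screening. The ClientMetadata key captchaToken, the verify_captcha_token hook and the blocklist contents are assumptions; the sample numbers are constructed.

```python
import re

# E.164: leading "+", country code 1-9, 7 to 15 digits in total.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")

# Placeholder blocklist of NANP area codes; populate it from the patterns you
# observe in unconfirmed sign-ups, not from this constructed value.
BLOCKED_AREA_CODES = {"999"}


def verify_captcha_token(token):
    """Hypothetical hook: replace with a server-side call to your CAPTCHA
    provider's verification API. This stand-in only checks a constructed
    token prefix so the example runs offline."""
    return bool(token) and token.startswith("valid-")


def nanp_area_code(phone):
    """Area code for a +1 number in E.164 form, else None."""
    return phone[2:5] if phone.startswith("+1") and len(phone) == 12 else None


def screen_phone_number(phone, blocked_area_codes=BLOCKED_AREA_CODES):
    """Return a rejection reason, or None if the number may be sent an SMS."""
    if not phone or not E164.match(phone):
        return "phone number is not in E.164 format"
    area = nanp_area_code(phone)
    if area in blocked_area_codes:
        return f"area code {area} is blocked"
    return None


def evaluate_sign_up(event, verify=verify_captcha_token, blocked_area_codes=BLOCKED_AREA_CODES):
    """Decide on a PreSignUp event: None to allow, otherwise the rejection reason.
    The CAPTCHA token is read from clientMetadata (assumed key: captchaToken)."""
    request = event.get("request") or {}
    token = (request.get("clientMetadata") or {}).get("captchaToken")
    if not verify(token):
        return "missing or invalid CAPTCHA token"
    phone = (request.get("userAttributes") or {}).get("phone_number")
    return screen_phone_number(phone, blocked_area_codes)


def lambda_handler(event, context=None):
    """Cognito PreSignUp trigger entry point: raising makes Cognito fail the
    SignUp call before any verification SMS is sent; returning the event allows it."""
    reason = evaluate_sign_up(event)
    if reason:
        raise Exception(f"Sign-up rejected: {reason}")
    return event
```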
Web ACL rules within AWS WAF can use a regular expression to match the JA3 hash utilized by the threat actor. Based on these matches, AWS WAF can then apply block statements to this traffic. For further detail on how to mitigate this technique using AWS WAF rules, refer to the Apply AWS WAF rules as mitigation approaches section in this article. You can also use protect configurations in AWS End User Messaging SMS which provide you with granular control over which countries you allow messages to be sent to, and block the countries you don't operate in. For more information on how to configure protect configurations, click here.