Linda Rosencrance
Contributing Writer

The rise of AIT scams: how fraudsters are undermining text passcodes

Jul 26, 2023
Topics: Authentication, Fraud, Messaging Security

Artificial inflation of traffic scams are on the rise, siphoning revenue away from companies almost imperceptibly. Awareness of how they work and taking the proper precautions can help defend against them.

Image credit: Titima Ongkantong / Shutterstock

As if there weren't enough issues for CISOs and other senior security leaders to contend with, from intrusions to vulnerabilities to ransomware, another threat is lurking that is virtually invisible, can damage a company's reputation, break customer trust, and quietly siphon away revenue -- the artificial inflation of traffic (AIT) scam.

Also known as SMS traffic-pumping scams, AIT attacks are a form of fraud in which criminals target a website or app whose phone-number input field is unprotected or weakly protected and triggers the delivery of one-time passcodes (OTPs), app download links, or other content via text message. They're insidious and they're on the rise.

Here's how they work, according to Roger Albrecht, partner and co-leader of cybersecurity with global technology research and advisory firm ISG:

  • A cybercriminal develops a bot designed to create fake accounts on a web service or app.
  • The cybercriminal collaborates with a rogue party to intercept the artificially inflated traffic without delivering the messages to their intended recipients. A small mobile network operator (MNO), for example, might act as the rogue party.
  • The bot triggers the delivery of one-time passcode SMS messages to various mobile numbers.
  • The rogue party suppresses the delivery of the content.
  • The cybercriminal and the rogue party share the generated revenues and continue the cycle to further inflate revenues or manipulate conversion statistics, enhancing their illicit gains.

"What makes AIT scams challenging is that they can be hard to detect and prevent, as they often involve sophisticated techniques to mimic real user behavior," says Nigel Gibbons, director and senior advisor at security consulting firm NCC Group. "They also pose a significant financial threat to advertisers, content providers, and telecoms that may end up paying significantly for worthless traffic or engagement."

Why is there an increase in AIT fraud?

Many factors are contributing to an increase in AIT scams. The most basic driver is the potential for financial gain, Gibbons says. Whether it’s through inflated ad revenues, increased inter-carrier compensation, or higher fees for influencers, the potential rewards for successful AIT scams can be substantial.

And the escalating costs of application-to-person (A2P) SMS services have made the profit potential of AIT scams increasingly enticing to cybercriminals, Albrecht says. "Some cybercriminals even utilize the proceeds from AIT schemes to fund legitimate SMS traffic, leveraging the profitability of AIT to offset costs."

The development of more sophisticated bots and software makes it easier for fraudsters to mimic real user behavior and avoid detection, Gibbons says. And these systems are being commercialized as software-as-a-service solutions and made available to non-technical users and traditional organized crime gangs. 

Additionally, AIT fraud presents difficulties in identification due to its lack of regulation within common SMS agreements and regulatory frameworks, Albrecht says. "This allows AIT to circumvent MNOs' firewalls, as one-time passcodes used in AIT scams are not typically flagged as spam or prohibited content."

What is the impact of AIT fraud?

AIT scams can lead to financial losses for app developers who unwittingly facilitate fraudulent activity. Increased traffic from the scam can result in inflated costs for SMS services or revenue-sharing agreements, impacting the app's profitability, says Albrecht. In February, Elon Musk claimed Twitter lost $60 million a year due to AIT-based scams.

Consequently, Twitter restricted two-factor authentication (2FA) via text message to paying Twitter Blue subscribers and removed it for everyone else, cutting its SMS costs.

AIT is a problem for businesses because it raises A2P costs at the expense of the enterprise, says Lee Suker, head of authentication and number information at Stockholm-based Sinch. Not only that, but sending too many one-time passcodes to consumers drives mistrust and can ultimately reflect poorly on a company's reputation. In addition, cybercriminals exploit the infrastructure provided by MNOs to carry out their fraudulent activities, resulting in revenue being shared with the cybercriminals, according to Albrecht. As SMS rates continue to rise, businesses may seek alternative authentication methods, reducing the demand for A2P SMS services and causing revenue loss for MNOs.

AIT scams can also have a detrimental effect on the reputation of businesses, Albrecht says. When users receive multiple OTPs that they didn’t request, it raises doubts about the legitimacy and compliance of the organizations involved.

"This can lead to a loss of trust from customers who may question the integrity of the affected apps and the MNOs associated with the fraudulent activities," Albrecht says. "The negative perception and potential negative publicity resulting from such scams can cause a decline in user confidence and adversely impact the reputation of the businesses involved."

Why CISOs should care about AIT fraud

While it may not represent a direct attack or intrusion into a system or network, AIT fraud impacts not just the marketing department or the bottom line but the entire organization. That means it's important for CISOs and chief security officers (CSOs) to be vigilant for the signs of AIT fraud, because they play vital roles in protecting their organizations' information and assets, Gibbons says.

"AIT is a direct threat to these responsibilities and can have serious consequences," Gibbons says. "As such, it’s something that should be on the radar of every CISO and CSO because [these attacks] can have a financial impact on your company, increase reputational and security risks, and affect data integrity, regulatory compliance and customer relationships and trust. Given these reasons, it’s clear that AIT fraud falls within the purview of CISOs and CSOs."

Not only can AIT scams result in significant financial losses for an organization, but they can also interfere with compliance with data privacy and security laws, says Avani Desai, CEO of Schellman, a cybersecurity assessment firm. "As the CISO is responsible for managing and mitigating financial risks related to cybersecurity, this becomes a risk they need to mitigate," she says.

To ensure the integrity of SMS communications and protect against AIT scams, CISOs and CSOs should prioritize the security of their companies' mobile channels by implementing strong controls, monitoring systems, and user verification processes, according to Albrecht. They also need to improve collaboration with app developers and MNOs to share information, best practices, and countermeasures to combat AIT scams collectively.

Awareness is the first step in combatting AIT scams

"By staying informed about emerging threats, such as AIT scams, CISOs and CSOs can proactively assess risks, implement appropriate controls, and allocate resources to mitigate the financial and reputational impacts of these scams," Albrecht says.

Mandy Andress, chief information security officer at Elastic NV, agrees that CISOs should be concerned about these types of scams. Traffic pumping isn't taking advantage of a security flaw, per se, but it does take advantage of how easy it is to create new accounts, she says. And attackers could leverage that process for different types of malicious activity, depending on what the service offers.

"From a security perspective, the focus would be on the authentication and the new account creation process and not relying solely on SMS -- which has been proven to be the most insecure -- and instead use multifactor authentication or other approaches," Andress says. "This would take away the ability for this type of scam to be successful and at the same time help to improve the security for your customers in their accounts."

Best practices for reducing SMS AIT fraud

Reducing AIT fraud is often a complex process that requires a multifaceted approach involving detection, prevention, and response strategies, Gibbons says. No single strategy is completely foolproof -- the key is to build a strong, multilayered defense that includes:

  • Regular audits: Companies should conduct regular audits of their mobile traffic and advertising campaigns and look for any inconsistencies or irregularities in their data.
  • Skills and awareness: Ensure that teams understand the risks and signs of AIT scams. An educated team is better equipped to spot potential fraud and take action.
  • User behavior analysis: Understand the behavior of legitimate users to better spot when something is out of the ordinary. This will help distinguish between genuine and fraudulent traffic. The challenge for businesses here is their maturity, as few have this granular level of certainty. 
  • Trustworthy ad networks: For businesses engaged in digital advertising, it’s crucial to partner with ad networks known for taking proactive measures against fraud. These networks have strong systems in place to identify and mitigate AIT scams.
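The audit and user-behavior checks above can be run over the OTP delivery log an application already keeps. The following is an added example written for this page (not code from the article, ISG, NCC Group, or any SMS vendor) that scores each destination-number block on three signals a pumping bot leaves behind: many sends, almost no completed verifications, and destination numbers that march through a block in sequence. The log line format, the 8-digit prefix used as the bucketing key, and the thresholds are assumptions; the sample log is constructed and uses reserved fictional number ranges.

```python
"""Score OTP delivery logs for SMS traffic-pumping (AIT) patterns.

Illustrative example added for this page; the log format, prefix length and
thresholds are assumptions, not values from the article or any vendor.
"""
import re
from collections import defaultdict

# Constructed sample log: one legitimate UK user, one legitimate US user, and
# a bot walking a block of consecutive UK numbers (+44 7700 900xxx is a
# reserved, fictional range) from a handful of IPs. Only one bot number is
# ever verified, because the rogue carrier swallows the messages.
SAMPLE_LOG = """\
2023-07-20T10:00:01Z event=otp_sent dst=+447700900500 ip=198.51.100.7
2023-07-20T10:00:09Z event=otp_verified dst=+447700900500 ip=198.51.100.7
2023-07-20T10:00:12Z event=otp_sent dst=+12025550123 ip=203.0.113.20
2023-07-20T10:00:30Z event=otp_verified dst=+12025550123 ip=203.0.113.20
2023-07-20T10:01:00Z event=otp_sent dst=+447700900101 ip=192.0.2.10
2023-07-20T10:01:01Z event=otp_sent dst=+447700900102 ip=192.0.2.10
2023-07-20T10:01:01Z event=otp_sent dst=+447700900103 ip=192.0.2.11
2023-07-20T10:01:02Z event=otp_sent dst=+447700900104 ip=192.0.2.11
2023-07-20T10:01:02Z event=otp_sent dst=+447700900105 ip=192.0.2.12
2023-07-20T10:01:03Z event=otp_sent dst=+447700900106 ip=192.0.2.12
2023-07-20T10:01:03Z event=otp_sent dst=+447700900107 ip=192.0.2.13
2023-07-20T10:01:04Z event=otp_sent dst=+447700900108 ip=192.0.2.13
2023-07-20T10:01:04Z event=otp_sent dst=+447700900109 ip=192.0.2.14
2023-07-20T10:01:05Z event=otp_sent dst=+447700900110 ip=192.0.2.14
2023-07-20T10:01:05Z event=otp_verified dst=+447700900105 ip=192.0.2.12
"""

LINE_RE = re.compile(r"event=(\w+) dst=\+(\d+) ip=(\S+)")
PREFIX_DIGITS = 8  # assumed bucketing key: country code plus network block


def parse_events(log_text):
    """Yield (event, number_digits, ip) from key=value log lines."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def sequential_fraction(numbers):
    """Share of adjacent numbers (after sorting) that differ by exactly 1.

    A bot iterating through a number block scores near 1.0; organic traffic
    is scattered across the range and scores near 0.
    """
    nums = sorted(set(int(n) for n in numbers))
    if len(nums) < 2:
        return 0.0
    runs = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return runs / (len(nums) - 1)


def analyze(log_text, min_sends=10, max_verify_rate=0.3, min_sequential=0.5):
    """Return {prefix: stats} for destination blocks that look pumped."""
    sent = defaultdict(set)      # prefix -> numbers that received an OTP
    verified = defaultdict(set)  # prefix -> numbers that completed the OTP
    ips = defaultdict(set)       # prefix -> source IPs that requested sends
    for event, number, ip in parse_events(log_text):
        prefix = number[:PREFIX_DIGITS]
        if event == "otp_sent":
            sent[prefix].add(number)
            ips[prefix].add(ip)
        elif event == "otp_verified":
            verified[prefix].add(number)

    flagged = {}
    for prefix, numbers in sent.items():
        n_sent = len(numbers)
        verify_rate = len(verified[prefix] & numbers) / n_sent
        seq = sequential_fraction(numbers)
        stats = {"sent": n_sent, "verify_rate": round(verify_rate, 2),
                 "sequential": round(seq, 2), "source_ips": len(ips[prefix])}
        # All three signals must agree: volume, low conversion, and sequence.
        if (n_sent >= min_sends and verify_rate <= max_verify_rate
                and seq >= min_sequential):
            flagged[prefix] = stats
    return flagged


if __name__ == "__main__":
    for prefix, stats in analyze(SAMPLE_LOG).items():
        print(f"suspect block +{prefix}: {stats}")
```

On the sample log the UK block is flagged (11 sends, 18% verified, 90% sequential, six source IPs) while the US number is not; the legitimate UK user who shares the block is what keeps the verify rate above zero, which is why the check uses a rate rather than requiring zero verifications. Run it on a day of real logs and tune the thresholds against your own baseline before alerting on it.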

Yale Fox, a member of the Institute of Electrical and Electronics Engineers, offers these best practices to mitigate mobile SMS AIT fraud:

  • Blocking bots: Bots are often used in fraudulent activities to mimic human behavior and generate fake traffic. Blocking bots by default, particularly those that do not identify themselves, can effectively reduce fraudulent traffic. Organizations should maintain lists of user-agents that are allowed to crawl their sites and actively update those lists as new, legitimate bots emerge.
  • reCAPTCHA v2: This service can help distinguish between human users and bots. It presents tasks that are easy for humans but difficult for bots. Implementing reCAPTCHA v2 on mobile apps, particularly on forms and other interactive elements, can drastically reduce bot activity.
  • Rate limiting: This involves setting a limit on the number of requests a user or IP address can make within a certain timeframe. If the limit is exceeded, the user or IP is temporarily blocked. This technique can slow down or halt fraudulent traffic, especially from bots performing high-frequency activities.
  • Device fingerprinting: This technique identifies and tracks devices based on their unique configurations, such as the operating system, browser version, installed fonts, etc. By doing this, companies can identify suspicious patterns or recurring fraudulent activity coming from the same device, even if they change their IP addresses or use VPNs.
  • Honeypots: Honeypots are decoy systems or traps that appear as part of an organization’s network but are actually isolated and monitored. They are designed to lure in attackers, who waste their time and resources on the decoy while their actions are recorded and used to improve security measures.
  • Switch to passkeys: This is the new standard that many major companies have adopted. It solves a number of problems, one of which is that there is no real password to leak as the password is always changing.
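Rate limiting and device fingerprinting only stop traffic pumping if the budgets are keyed on more than the destination number, because the bot changes the number on every request. The following is an added example written for this page (not code from the article or from Fox) of an OTP send gate with independent sliding-window budgets per destination number, per source IP, per device fingerprint, and per destination number block, so that a bot which rotates one identifier still trips another. The limit values, the 8-digit prefix key, and the `request()` interface are assumptions; the simulated bot scenario is constructed and uses a reserved fictional number range.

```python
"""Multi-key sliding-window gate for OTP sends.

Illustrative example added for this page. Limits, prefix length and the
request interface are assumptions, not values from the article.
"""
from collections import defaultdict, deque


class OtpSendGate:
    """Checks each OTP request against several independent budgets.

    Keys: destination number, source IP, device fingerprint, and the
    destination prefix (country code plus network block). A pumping bot that
    rotates numbers, IPs or fingerprints still exhausts the remaining budgets.
    Time is passed in explicitly so the behaviour is deterministic.
    """

    def __init__(self, limits=None, prefix_digits=8):
        self.limits = limits or {            # (max sends, window seconds)
            "number": (3, 600),              # 3 per number per 10 minutes
            "ip": (10, 3600),                # 10 per source IP per hour
            "device": (10, 3600),            # 10 per device fingerprint per hour
            "prefix": (50, 3600),            # 50 per number block per hour
        }
        self.prefix_digits = prefix_digits
        self.windows = defaultdict(deque)    # (scope, key) -> send timestamps

    def _over_budget(self, scope, key, now):
        limit, period = self.limits[scope]
        q = self.windows[(scope, key)]
        while q and now - q[0] >= period:    # expire events outside the window
            q.popleft()
        return len(q) >= limit

    def request(self, number, ip, device_id, now):
        """Decide whether to send an OTP. Returns (allowed, reason)."""
        digits = number.lstrip("+")
        keys = {"number": digits, "ip": ip, "device": device_id,
                "prefix": digits[: self.prefix_digits]}
        for scope, key in keys.items():
            if self._over_budget(scope, key, now):
                return False, f"{scope} budget exceeded"
        for scope, key in keys.items():      # charge every budget only on success
            self.windows[(scope, key)].append(now)
        return True, "sent"


def simulate_pumping_bot(gate, rotate_ip=False, rotate_device=False, attempts=60):
    """Constructed scenario: a bot walks consecutive UK numbers (+44 7700
    900xxx is a reserved, fictional range), one request per second.
    Returns (otps_actually_sent, reason_for_last_decision)."""
    sent, last_reason = 0, "sent"
    for i in range(attempts):
        number = f"+4477009001{i:02d}"
        ip = f"192.0.2.{i}" if rotate_ip else "192.0.2.10"
        device = f"dev-{i}" if rotate_device else "dev-bot"
        ok, last_reason = gate.request(number, ip, device, float(i))
        sent += ok
    return sent, last_reason


if __name__ == "__main__":
    print("same IP, same device: ", simulate_pumping_bot(OtpSendGate()))
    print("rotating IPs:         ", simulate_pumping_bot(OtpSendGate(), rotate_ip=True))
    print("rotating IPs+devices: ",
          simulate_pumping_bot(OtpSendGate(), rotate_ip=True, rotate_device=True))
```

Against 60 bot requests the gate lets through 10 when the bot reuses its IP, 10 when it rotates IPs but keeps one fingerprint, and 50 when it rotates both, at which point the per-block budget is the last line holding. That last number is the argument for the prefix budget: it caps the damage to one carrier block per hour regardless of how many proxies and emulators the bot has, while a legitimate user who retries an OTP three times in ten minutes is never touched. In production, prefer to charge the budgets inside one atomic operation against a shared store rather than a process-local deque.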

As technology continues to evolve and new forms of AIT fraud emerge, staying informed and up to date is fundamental, according to Gibbons. Continuous learning, adaptability, and vigilance are key to staying one step ahead of the fraudsters. 

"AIT fraud is a complex, pervasive issue that poses significant challenges for businesses, consumers, and society as a whole," Gibbons says. "However, by understanding the risks, taking proactive measures, and working together, these risks can be mitigated to create a safer, more trustworthy digital environment."