T1496.003 SMS Pumping

Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.(Citation: Twilio SMS Pumping) SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.(Citation: Twilio SMS Pumping Fraud)

Threat actors often use publicly available web forms, such as one-time password (OTP) or account verification fields, in order to generate SMS traffic. These fields may leverage services such as Twilio, AWS SNS, and Amazon Cognito in the background.(Citation: Twilio SMS Pumping)(Citation: AWS RE:Inforce Threat Detection 2024) In response to the large quantity of requests, SMS costs may increase and communication channels may become overwhelmed.(Citation: Twilio SMS Pumping)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.PS-06.01 Secure SDLC process Mitigates T1496.003 SMS Pumping
Comments
This diagnostic statement helps provides for secure development practices, such as implementing CAPTCHA protection on forms that send messages via SMS.
References
    PR.PS-06.07 Development and operational process alignment Mitigates T1496.003 SMS Pumping
    Comments
    This diagnostic statement protects against SMS Pumping through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
    References

      NIST 800-53 Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      SC-05 Denial-of-service Protection mitigates T1496.003 SMS Pumping

      VERIS Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      action.malware.variety.Scan network Enumerating the state of the network related-to T1496.003 SMS Pumping
      action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) related-to T1496.003 SMS Pumping

      Azure Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      microsoft_sentinel Microsoft Sentinel technique_scores T1496.003 SMS Pumping
      Comments
      The following Microsoft Sentinel Hunting queries can identify potential compute hijacking based on anomolies in access and usage patterns: "Anomalous Resource Creation and related Network Activity", "Creation of an anomalous number of resources". The following Microsoft Sentinel Analytis queries can identify potential resource hijacking: "Creation of Expensive Computes in Azure" and "Suspicious number of resource creation or deployed" [sic] can identify suspicious outliers in resource quantities requested. "Suspicious Resource deployment" can identify deployments from new, potentially malicious, users. "Process execution frequency anomaly" can identify execution that may indicate hijacking. "DNS events related to mining pools", can identify potential cryptocurrency mining activity.
      References

      GCP Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      security_command_center Security Command Center technique_scores T1496.003 SMS Pumping
      Comments
      SCC detect compromised hosts that attempt to connect to known malicious crypto-mining domains and IP addresses. Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.
      References