T1496.003 SMS Pumping
Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.2 SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.3
Threat actors often use publicly available web forms, such as one-time password (OTP) or account verification fields, in order to generate SMS traffic. These fields may leverage services such as Twilio, AWS SNS, and Amazon Cognito in the background.21 In response to the large quantity of requests, SMS costs may increase and communication channels may become overwhelmed.2
| Item | Value |
|---|---|
| ID | T1496.003 |
| Sub-techniques | T1496.001, T1496.002, T1496.003, T1496.004 |
| Tactics | TA0040 |
| Platforms | SaaS |
| Version | 1.0 |
| Created | 25 September 2024 |
| Last Modified | 15 April 2025 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1013 | Application Developer Guidance | Consider implementing CAPTCHA protection on forms that send messages via SMS. |
References
-
Ben Fletcher and Steve de Vera. (2024, June). New tactics and techniques for proactive threat detection. Retrieved September 25, 2024. ↩
-
Twilio. (2024, April 10). What Is SMS Pumping Fraud and How to Stop It. Retrieved September 25, 2024. ↩↩↩
-
Twilio. (n.d.). What is SMS Pumping Fraud?. Retrieved September 25, 2024. ↩