AIT – Artificial Inflation of Traffic is a type of fraud committed via mobile networks which generates huge amounts of fake traffic that can cost companies millions of pounds of lost revenue, but it can make others millions too.
So how does it work?
The scam typically involves someone building a series of bots to create thousands, if not millions of accounts on an app, or other such web-based platform.
These bot-run accounts then trigger the One-Time Passcode (OTP) to force the app to generate an SMS message for the user account creation process.
The operator of the app will now be charged the price of an SMS message, if this were a real account, the owner would expect to receive that cost back in revenue from the user of the app via advert placement, or other such mechanisms. However, because the account is being run by a bot, the app owner will never get any revenue as the bot simply scraps the account and generates a new one.
This scam can be used to achieve different goals.
If the goal is simply to ensure the app owner suffers financially, the attack simply works as described above – generate loads of SMS requests, see the app owner pay a huge bill – This could be enough to see the app owner go out of business.
If the goal of the attackers is to make money however, then another few steps are required.
Firstly, the scammers need to either work with a telecoms operator to split the payments made by the app owner, or have a gang member on the inside of the telco network who can intercept the SMS data.
If the telco is in cahoots with the gang, they will charge the app owner the SMS fees, but then wont send the messages to the destination numbers.
$60M dollar fraud against Twitter
When Elon Musk bought Twitter, he became quickly aware of the costs of AIT. In January of 2023, he posted a statement about fraudulent AIT traffic costing his newly-acquired company $60M every year…
…I discovered this, basically, about 10 days ago, that Twitter was being scammed to the tune of 60 million dollars a year for SMS texts, not counting North America… Basically, there are telcos who are not being super honest out there, in other parts of the world, who were basically gaming the system and running, like, two-factor authentication SMS texts over and over again, and just creating a zillion bot accounts to literally run up the tab so that Twitter would SMS text them, and Twitter would pay them millions of dollars, without even asking about it.
Elon Musk – Owner of Twitter
After investigating the number of telecoms companies who were billing Twitter for these fake SMS messages, he discovered how large the problem was – there were 390 companies billing Twitter for AIT.
His response was to crack down on bot accounts, but also to block traffic to any telco found to be blatantly committing fraud against his company.
Some companies turn a blind eye
It is widely known that some organisations ignore the obviously fake accounts their platforms have. The reason being is that it makes the companies look more profitable than they really are, which in turn drives up the share price of the companies, and executives get a higher return.
Telcos can also lose out to AIT
Although some telecommunications companies are in cahoots with scammers to make money out of AIT, others are losing out to the fraud.
The regulations surrounding SMS messaging identifies two types of communications channels – Application to Person (A2P), and Person to Person (P2P). These channels are monetised differently, but also cause changes to how data is routed through networks.
Typically, A2P messages are charged at a much higher rate than P2P messages, but also A2P messages undergo more scrutiny when it comes to routing of the data to ensure spam messages dont floow people’s inboxes.
This difference in how the two types of messages are handled has led to a number of AIT scams utilising what are known as grey routes.
What is a grey route?
There are actually a number of ways grey routes can be used, but in essence a grey route is one where A2P data is transmitted, but it is in some way masked as a P2P message, allowing data to be sent at a cheaper rate that that which it would normally be.
One example of this is with international messaging. In this scam, an unscrupulous international telco can use a local aggregator that sends A2P traffic in your country at the lower national rate to avoid paying you in full for the service you’re providing to them.
They bulk receive A2P data to an in country aggregator and bill the sending telco at the international rate, however, they then send the data on as national traffic, thus being charged by other telcos at the local rate – they then profit on the difference in the charges.
Masked messages are another scam conducted by unscrupulous telcos. When agreeing on a communications partnership, most telcos will strike deals that effectively allow for the free exchange of a pre-agreed amount of data – so for example, two telcos might agree that they will not bill for the 1st 5 million P2P messages sent every month as both will be sending the same amount of data.
The deal will be different though for A2P messaging.
The unscrupulous telco might then decide to mask half of its A2P data as P2P, thus avoiding the higher charges.
SIM boxes are another popular scamming tool for telco AIT fraud.
In this example, a scammer has a box equipped with hundreds of cheap pre-paid SIM (which often have a bundle of free-message allowances) and use this to receive thousands of A2P messages which are then converted to P2P messages and forwarded on. In this type of fraus, the scammers pay less to deliver A2P messages, but also have the ability to get their A2P messages through security scanners which would otherwise block A2P spam.
A huge problem
As seen in these example, AIT fraud is a huge problem fro all concerned. App developers and owners suffer, telcos suffer, business suffer, and consumers suffer. It is estimated that AIT fraud will cost telcos around the world $37.1B in the next 3 years alone.
The NCSC has recently updated its guidance to telco operators, and business owners which decide to use SMS as part of their business strategy on how to ensure their organisations SMS messages are effective and trustworthy.
