Security BSides 2025

Understanding IRSF Fraud: Protecting Against SMS Exploitation

Security BSides San Francisco · 479 views · 28:25 · 5 months ago

This talk details the mechanics of International Revenue Share Fraud (IRSF), where attackers exploit SMS-based multi-factor authentication (MFA) and voice verification systems to generate fraudulent traffic to premium rate numbers. The speakers explain how attackers use automated scripts and email-tumbling techniques to create thousands of accounts, forcing businesses to pay for unauthorized SMS and voice calls. The presentation provides actionable mitigation strategies, including rate-limiting, restricting SMS-based MFA to specific regions, and using AI to detect suspicious account creation patterns. The session concludes with a framework for building an incident response playbook to detect and block these attacks in real-time.

How Attackers Turn Your SMS MFA Into a Multi-Million Dollar Revenue Stream

TLDR: International Revenue Share Fraud (IRSF) exploits SMS-based MFA and voice verification by forcing applications to trigger calls or texts to premium-rate international numbers. Attackers use email-tumbling and automated scripts to create thousands of accounts, effectively turning your infrastructure into a toll-fraud engine. Security teams must implement strict rate-limiting on MFA endpoints and restrict SMS delivery to known, safe country codes to prevent these massive financial losses.

Most security researchers treat SMS-based multi-factor authentication as a legacy nuisance, focusing their efforts on SIM swapping or interception. However, the real danger isn't just account takeover; it is the weaponization of your own infrastructure to generate illicit revenue. International Revenue Share Fraud (IRSF) is a sophisticated, automated attack that turns your application’s legitimate MFA flow into a toll-fraud machine. When an attacker forces your backend to send thousands of SMS messages or initiate voice calls to premium-rate numbers, the financial damage hits your balance sheet directly.

The Mechanics of the Toll-Fraud Engine

At its core, IRSF relies on the OWASP A07:2021 – Identification and Authentication Failures category, but with a financial twist. Attackers identify applications that offer SMS or voice-based MFA and then automate the account creation process. By using email-tumbling—a technique where attackers add periods or plus signs to an email address (e.g., user+1@example.com)—they bypass unique email constraints while ensuring all verification traffic hits the same inbox.

Once the account is created, the attacker triggers the MFA flow. The application, acting as a legitimate client, requests an SMS or voice call from a Twilio or similar CPaaS provider. The attacker has already colluded with a premium-rate number provider. When your application sends the verification code to that international number, the premium provider collects a termination fee. The attacker, the premium-rate provider, and the telecom operators all take a cut of the money your company is forced to pay.
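Email-tumbling only works because the receiving provider treats every variant as the same mailbox, so a defender can collapse those variants before they ever reach the signup table. The following is an added example (not code from the talk or from Kuboid) that canonicalises addresses by lower-casing, stripping the plus-tag, and dropping dots only for domains known to ignore them (Gmail is the well-known case; the domain list and the threshold are assumptions), then reports mailboxes that registered several times under different spellings.

```python
"""Canonicalise e-mail addresses so that "tumbled" variants of one mailbox
collapse to a single key, then surface mailboxes with many variants.
Added example; not code from the talk or from Kuboid."""
import re

# Domains that ignore dots in the local part (assumption: illustrative list;
# Gmail documents this behaviour, most other providers treat dots as significant).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}

_EMAIL_RE = re.compile(r"^([^@\s]+)@([^@\s]+\.[^@\s]+)$")


def canonical_email(address: str) -> str:
    """Return the canonical mailbox: lower-cased, '+tag' removed, and dots
    removed from the local part for dot-insensitive domains.
    Raises ValueError for input that is not a single user@domain address."""
    m = _EMAIL_RE.match(address.strip())
    if not m:
        raise ValueError(f"malformed address: {address!r}")
    local, domain = m.group(1).lower(), m.group(2).lower()
    # Plus-addressing: everything after the first '+' is a tag, not a mailbox.
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def group_tumbled_signups(addresses):
    """Map each canonical mailbox to the raw spellings that signed up with it.
    Malformed input is grouped under a sentinel rather than silently dropped."""
    groups = {}
    for raw in addresses:
        try:
            key = canonical_email(raw)
        except ValueError:
            key = "<malformed>"
        groups.setdefault(key, []).append(raw)
    return groups


def tumbling_suspects(addresses, threshold=3):
    """Canonical mailboxes behind at least `threshold` distinct raw spellings;
    these are the batches worth holding back from MFA enrolment for review."""
    return {
        key: variants
        for key, variants in group_tumbled_signups(addresses).items()
        if len(set(variants)) >= threshold
    }


# Constructed sample signups (not real data).
SAMPLE_SIGNUPS = [
    "user@example.com",
    "user+1@example.com",
    "user+2@example.com",
    "USER+signup3@Example.com",
    "j.doe@gmail.com",
    "jdoe+a@gmail.com",
    "j.d.o.e@gmail.com",
    "alice@example.org",
    "not-an-email",
]

if __name__ == "__main__":
    for mailbox, variants in tumbling_suspects(SAMPLE_SIGNUPS).items():
        print(f"{mailbox}: {len(variants)} signups -> {variants}")
```

Run the canonical form through the uniqueness constraint on the users table as well as the raw address; the raw address still has to be kept, because it is the one the provider will actually deliver to.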

Identifying the Attack Surface

During a penetration test, you should look for endpoints that trigger outbound communication without sufficient rate-limiting. If you can repeatedly hit an /sms-verify or /voice-verify endpoint with different phone numbers or by manipulating the request parameters, you have found a potential toll-fraud vector.

The attack flow typically looks like this:

# Example of a high-frequency trigger against an MFA endpoint
for i in {1..1000}; do
  curl -X POST https://api.target-app.com/v1/auth/sms-verify \
  -H "Content-Type: application/json" \
  -d '{"phone_number": "+[PREMIUM_COUNTRY_CODE][RANDOM_NUMBER]", "user_id": "bot_'$i'"}'
done

If the application does not implement strict per-IP or per-user rate limits, the backend will dutifully process every request. In a production environment, this can result in thousands of dollars in charges over a single weekend. As noted in recent reports on IRSF, these attacks are not theoretical; they are a primary driver of financial loss for any company that relies on SMS for authentication.

Detection and Mitigation Strategies

Defending against IRSF requires moving beyond simple WAF rules. You need to monitor for traffic spikes on specific endpoints. If your normal traffic pattern for /sms-enroll is 50 requests per hour and you suddenly see 5,000, your monitoring system should trigger an immediate alert.

Tools like Datadog or Cloudflare are essential here. You should be grouping logs by user agent, IP address, and country. A sudden influx of traffic from a country where you have no legitimate user base is a massive red flag.
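The three signals above (an endpoint running far above its hourly baseline, one address requesting codes for many different numbers, and traffic from countries outside the user base) can be computed from ordinary request logs. The following is an added example, not tooling from the talk, from Datadog or from Cloudflare; it parses a hypothetical one-line-per-request log format (an assumption) and runs all three checks over a constructed sample in which a quiet hour of normal enrolments is followed by a burst from a single address.

```python
"""Offline detection pass over MFA endpoint request logs.
Added example; the log format below is an assumption, not a real product's.
One request per line:
  <ISO time> ip=<addr> cc=<ISO country> path=<endpoint> phone=<E.164> ua="<agent>"
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) cc=(?P<cc>[A-Z]{2}) path=(?P<path>\S+) '
    r'phone=(?P<phone>\+\d+) ua="(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for a well-formed line, None otherwise. Callers count the
    unparseable lines so a format change does not silently blind the check."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def hourly_counts(events):
    """Requests per (endpoint, hour bucket)."""
    counts = Counter()
    for ev in events:
        bucket = ev["ts"].replace(minute=0, second=0, microsecond=0)
        counts[(ev["path"], bucket)] += 1
    return counts


def spikes(events, baseline_per_hour, factor=10):
    """Endpoint/hour buckets exceeding `factor` times the expected baseline.
    Endpoints with no baseline are judged against a default of 1 per hour."""
    out = []
    for (path, bucket), n in sorted(hourly_counts(events).items()):
        expected = baseline_per_hour.get(path, 1)
        if n > factor * expected:
            out.append((path, bucket.isoformat(), n))
    return out


def ips_with_many_phones(events, min_distinct=5):
    """Source addresses that requested codes for many distinct numbers."""
    phones = defaultdict(set)
    for ev in events:
        phones[ev["ip"]].add(ev["phone"])
    return {ip: len(p) for ip, p in phones.items() if len(p) >= min_distinct}


def unexpected_countries(events, expected):
    """Request counts from countries outside the known user base."""
    return dict(Counter(ev["cc"] for ev in events if ev["cc"] not in expected))


def build_sample_log():
    """Constructed sample (not real data): three normal enrolments in one hour,
    then 60 distinct numbers from one address within a minute, plus one junk line."""
    t0 = datetime(2025, 3, 1, 10, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(3):
        ts = (t0 + timedelta(minutes=15 * i)).isoformat().replace("+00:00", "Z")
        lines.append(f'{ts} ip=198.51.100.{i + 1} cc=US path=/sms-enroll '
                     f'phone=+1555000010{i} ua="Mozilla/5.0"')
    for i in range(60):
        ts = (t0 + timedelta(hours=1, seconds=i)).isoformat().replace("+00:00", "Z")
        lines.append(f'{ts} ip=203.0.113.7 cc=ZZ path=/sms-enroll '
                     f'phone=+99900000{i:04d} ua="python-requests/2.31"')
    lines.append("garbage line that does not parse")
    return lines


def analyse(lines, baseline_per_hour, expected_countries):
    """Run all three checks and report how many lines were actually parsed."""
    events = [ev for ev in (parse_line(l) for l in lines) if ev]
    return {
        "parsed": len(events),
        "unparsed": len(lines) - len(events),
        "spikes": spikes(events, baseline_per_hour),
        "multi_phone_ips": ips_with_many_phones(events),
        "unexpected_countries": unexpected_countries(events, expected_countries),
    }


if __name__ == "__main__":
    report = analyse(build_sample_log(), {"/sms-enroll": 5}, {"US", "CA"})
    for key, value in report.items():
        print(key, value)
```

The baseline is deliberately an input rather than something learned from the same log: a burst that runs long enough would otherwise drag the "normal" rate up with it. In a real pipeline the same grouping keys (endpoint, hour, source address, country) map directly onto a log-management query, and the alert thresholds are what need tuning per application.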

Mitigation must be multi-layered:

  1. Strict Rate Limiting: Implement rate limits not just on the IP level, but on the phone number and user account level. If a single IP address is requesting verification codes for multiple different phone numbers, block it.
  2. Geofencing: If your business only operates in the United States, there is no reason to allow SMS delivery to high-risk international country codes. Create a whitelist of allowed countries and drop all other requests at the application layer.
  3. AI-Driven Anomaly Detection: Use machine learning to analyze the attributes of new account signups. Attackers often use predictable patterns in their email addresses or metadata. If a batch of accounts is created with similar naming conventions or from suspicious email domains, flag them for manual review before allowing them to trigger any MFA events.
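Steps 1 and 2 both belong in front of the CPaaS call, in the request handler itself. The following is an added example (not code from the talk, from Kuboid or from any CPaaS SDK) of such a gate: it rejects numbers outside an allowed set of dialling codes, keeps sliding-window counters per source address, per account and per destination number, and refuses an address that keeps asking for codes for new numbers. The dialling-code allowlist, the window and all the limits are illustrative assumptions.

```python
"""Application-layer gate for an SMS/voice verification endpoint.
Added example; limits, window and allowed dialling codes are assumptions."""
from collections import defaultdict, deque

# Allowed dialling-code prefixes (assumption: a business that only serves +1).
ALLOWED_DIAL_CODES = ("+1",)

# Sliding window and per-key limits inside it (assumption: illustrative).
WINDOW_SECONDS = 3600
LIMITS = {"ip": 20, "account": 5, "phone": 3}
MAX_DISTINCT_PHONES_PER_IP = 3


class VerificationGate:
    def __init__(self, now_fn):
        self.now = now_fn  # injected clock so the window can be tested
        self.events = {k: defaultdict(deque) for k in LIMITS}  # kind -> key -> timestamps
        self.phones_by_ip = defaultdict(dict)  # ip -> {phone: last seen}

    def _count(self, kind, key, now):
        """Requests for this key inside the window, pruning expired ones."""
        dq = self.events[kind][key]
        while dq and now - dq[0] >= WINDOW_SECONDS:
            dq.popleft()
        return len(dq)

    def _distinct_phones(self, ip, now):
        seen = self.phones_by_ip[ip]
        for p in [p for p, ts in seen.items() if now - ts >= WINDOW_SECONDS]:
            del seen[p]
        return seen

    def check(self, ip, account, phone):
        """Return (allowed, reason) without recording the request."""
        if not phone.startswith("+") or not phone[1:].isdigit():
            return False, "malformed_number"
        if not phone.startswith(ALLOWED_DIAL_CODES):
            return False, "country_not_allowed"
        now = self.now()
        for kind, key in (("ip", ip), ("account", account), ("phone", phone)):
            if self._count(kind, key, now) >= LIMITS[kind]:
                return False, f"rate_limit_{kind}"
        seen = self._distinct_phones(ip, now)
        if phone not in seen and len(seen) >= MAX_DISTINCT_PHONES_PER_IP:
            return False, "too_many_numbers_from_ip"
        return True, "ok"

    def record(self, ip, account, phone):
        """Count a request that was actually sent to the provider."""
        now = self.now()
        for kind, key in (("ip", ip), ("account", account), ("phone", phone)):
            self.events[kind][key].append(now)
        self.phones_by_ip[ip][phone] = now

    def handle(self, ip, account, phone):
        """Gate first, then count; the provider call would go where record() is."""
        allowed, reason = self.check(ip, account, phone)
        if allowed:
            self.record(ip, account, phone)
        return allowed, reason


def simulate():
    """Constructed scenario: one address cycles through fresh accounts and
    numbers, then tries a number in a dialling code that is not allowed."""
    clock = [1_000_000.0]
    gate = VerificationGate(lambda: clock[0])
    requests = [("203.0.113.7", f"bot_{i}", f"+1555000{i:04d}") for i in range(5)]
    requests.append(("203.0.113.7", "bot_x", "+9990001234"))
    decisions = []
    for ip, account, phone in requests:
        clock[0] += 1
        decisions.append(gate.handle(ip, account, phone))
    return decisions


if __name__ == "__main__":
    for decision in simulate():
        print(decision)
```

Two caveats a practitioner should carry over: a dialling-code prefix such as +1 spans every territory in that numbering plan, not one country, so a production allowlist should resolve numbers to a region with a proper number-parsing library rather than a string prefix; and the counters here live in process memory, so behind more than one instance they need a shared store, or the limits are multiplied by the number of replicas.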

What to Do Next

The next time you are auditing an application, don't just look for ways to bypass the MFA code. Ask yourself: "How much does it cost the company if I trigger this code 10,000 times?" If the answer is "a lot," you have found a critical business logic vulnerability.

Document the lack of rate-limiting, demonstrate the ability to trigger multiple outbound requests, and push for a defensive strategy that includes geofencing and proactive monitoring. Your goal is to make the cost of the attack higher than the potential profit for the attacker. When you make the toll-fraud engine unprofitable, the attackers will move on to an easier target.
