Wide-scale, opportunistic SMS pumping attacks target customer sign-up pages
A widespread SMS pumping campaign has been identified, targeting customer sign-up pages. The attackers, designated as O-UNC-036, use disposable email infrastructure and proxy services to launch high-volume, automated attacks against public API endpoints. Their objective is to create numerous accounts and trigger SMS messages to actor-controlled phone numbers, generating significant financial costs for target organizations. The attack pattern involves reconnaissance, infrastructure setup, and high-volume requests using known high-cost phone country codes. The campaign has been active since at least March 2024, affecting multiple tenants and organizations. Recommended protective measures include implementing FIDO Authentication, blocking suspicious domains and ASNs, and enhancing monitoring and response capabilities.
AI Analysis
Technical Summary
This threat describes a large-scale SMS pumping campaign conducted by the adversary group O-UNC-036. The attackers exploit customer sign-up pages that utilize SMS-based verification or notification by automating the creation of numerous fake accounts through public API endpoints. They employ disposable email addresses and proxy services to evade detection and rate limits, enabling high-volume, automated requests. The primary goal is to trigger SMS messages to phone numbers controlled by the attackers, thereby incurring substantial financial costs for the targeted organizations due to SMS fees. The attack lifecycle includes reconnaissance to identify vulnerable endpoints, setting up disposable email and proxy infrastructure, and launching high-frequency requests targeting phone numbers in countries with expensive SMS rates. The campaign has been ongoing since at least March 2024 and affects multiple tenants and organizations across various sectors. Indicators include a large list of suspicious disposable email domains used by the attackers. Recommended defenses focus on preventing automated account creation through strong authentication mechanisms such as FIDO, blocking known malicious domains and ASNs, and improving monitoring to detect unusual sign-up activity. This attack does not exploit a software vulnerability but abuses legitimate functionality at scale.
Potential Impact
The primary impact of this SMS pumping campaign is financial, as organizations incur high costs from sending large volumes of SMS messages to attacker-controlled numbers. This can lead to unexpected operational expenses and potential service disruptions if SMS gateways become overwhelmed or rate-limited. Additionally, the attack may degrade user experience by causing delays or failures in legitimate SMS delivery. Organizations relying on SMS for multi-factor authentication or user verification may face increased risk of service abuse and potential reputational damage. While the attack does not directly compromise user data confidentiality or system integrity, the financial strain and operational disruption can be significant, especially for companies with large user bases and public APIs. The abuse of disposable email and proxy infrastructure complicates detection and mitigation, increasing the burden on security teams. If left unmitigated, the campaign could lead to sustained financial losses and degraded service availability.
Mitigation Recommendations
1. Implement FIDO Authentication or other phishing-resistant multi-factor authentication methods to prevent automated account creation and reduce reliance on SMS-based verification.
2. Enforce strict rate limiting and anomaly detection on sign-up API endpoints to identify and block high-volume, suspicious requests.
3. Maintain and update blocklists of known disposable email domains and proxy ASNs to prevent registrations using these services.
4. Employ CAPTCHA or other challenge-response tests that are resistant to automation to filter out bot-driven sign-ups.
5. Monitor SMS sending patterns for unusual spikes, especially targeting high-cost country codes, and establish alerting mechanisms.
6. Collaborate with SMS gateway providers to implement fraud detection and blocking of suspicious message patterns.
7. Conduct regular threat intelligence updates to incorporate new indicators of compromise related to disposable email and proxy infrastructure.
8. Harden API authentication and consider requiring additional verification steps before sending SMS messages.
9. Educate development teams about the risks of exposing unauthenticated or poorly protected sign-up APIs.
10. Prepare incident response plans specifically addressing SMS pumping scenarios to enable rapid mitigation.
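Recommendations 2, 3, 5 and 8 combine naturally into a single gate that runs before the sign-up endpoint hands a number to the SMS gateway. The Python below is an added example, not code from the advisory or from Okta: it scores each sign-up on disposable email domain (a few entries taken from the indicator list above), high-cost country code, proxy ASN and per-ASN request rate, and only lets a clean request trigger an SMS. The country codes, ASN values and thresholds are constructed placeholders to be replaced with your provider's rate card and your own traffic baseline.

```python
"""Pre-send gate for a sign-up endpoint: score each request before any SMS goes out.
Added example, not code from the advisory or Okta. Disposable domains are a few from the
advisory's indicator list; country codes, ASNs and thresholds are constructed placeholders."""
from collections import defaultdict, deque

DISPOSABLE_DOMAINS = {"2mails1box.com", "e-mail.lol", "protonbox.pro", "writeme.live"}
HIGH_COST_CC = {"+370", "+372"}  # placeholder; fill from your SMS provider's rate card
PROXY_ASNS = {"AS64512"}         # placeholder private ASN standing in for a known proxy ASN
WINDOW_SECONDS, MAX_PER_WINDOW = 60, 5  # per-ASN sliding window; constructed threshold
_recent = defaultdict(deque)     # asn -> timestamps of sign-ups inside the window

def _rate_exceeded(asn, ts):
    """Slide the per-ASN window forward and report whether this request overflows it."""
    q = _recent[asn]
    while q and ts - q[0] > WINDOW_SECONDS:
        q.popleft()
    q.append(ts)
    return len(q) > MAX_PER_WINDOW

def score_signup(event):
    """Return (decision, reasons): 'allow' sends the SMS, 'step_up' demands a
    non-SMS challenge first, 'block' rejects the registration outright."""
    reasons = []
    domain = event["email"].rsplit("@", 1)[-1].lower()
    if domain in DISPOSABLE_DOMAINS:
        reasons.append("disposable_email")
    if any(event["phone"].startswith(cc) for cc in HIGH_COST_CC):
        reasons.append("high_cost_cc")
    if event["asn"] in PROXY_ASNS:
        reasons.append("proxy_asn")
    if _rate_exceeded(event["asn"], event["ts"]):
        reasons.append("rate_exceeded")
    # Two independent signals together is the pumping pattern; one alone gets a step-up.
    decision = "block" if len(reasons) >= 2 else "step_up" if reasons else "allow"
    return decision, reasons

# Constructed traffic: a normal sign-up, a throwaway address, a throwaway address aimed
# at a high-cost code, then a seven-request burst from the placeholder proxy ASN.
EVENTS = [
    {"ts": 0, "asn": "AS64496", "email": "ann@example.org", "phone": "+14155550100"},
    {"ts": 1, "asn": "AS64497", "email": "x1@writeme.live", "phone": "+14155550101"},
    {"ts": 2, "asn": "AS64497", "email": "x2@protonbox.pro", "phone": "+37260000000"},
] + [{"ts": 10 + i, "asn": "AS64512", "email": f"u{i}@example.net", "phone": "+14155550102"}
     for i in range(7)]

def run_demo():
    """Score the constructed traffic from a clean window and return the decisions."""
    _recent.clear()
    return [score_signup(e)[0] for e in EVENTS]
```

The `reasons` list is what should land in the sign-up log, so the alerting in recommendation 5 can key on `high_cost_cc` and `rate_exceeded` counts rather than on raw SMS volume after the money is already spent.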
Affected Countries
United States, United Kingdom, Germany, France, India, Brazil, Australia, Canada, Japan, South Korea
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.okta.com/blog/threat-intelligence/opportunistic-sms-pumping-attacks-target-customer-sign-up-pages
- Adversary: O-UNC-036
- Pulse Id: 69b4567b03ea40d6ffd8a0f7
- Threat Score: null
Threat ID: 69b7d9569d4df451834af53e
Added to database: 3/16/2026, 10:20:06 AM
Last enriched: 3/16/2026, 10:35:16 AM
Last updated: 3/16/2026, 9:36:54 PM