About the SMS Pumping Attack on May 26-27

On May 27, I woke up to an email that said “Your Twilio account is suspended and will continue to be charged”. Top of the morning!

I then found out that for the past ~12 hours, somebody had been mass-creating accounts on Healthchecks.io and sending 5 SMS messages (the allowed limit for free accounts) from each. By the time I found out, they had sent ~8000 messages to random Moroccan phone numbers and added ~$1800 to our Twilio bill. The Twilio account is configured to automatically add funds from our payment card in $250 increments when funds run low. This had been going on for a while until the card’s daily spending limit was reached and an auto-recharge failed. The funds then ran out completely, and the Twilio account got suspended.

First things first:

  • I changed the SMS limit for future free accounts from 5 to 0;
  • I deleted the mass-created accounts;
  • I added funds to the Twilio account to get SMS, WhatsApp, and phone call notifications working again.

Then I went through the logs to better understand what had happened.

  • The attacker was running an automated process which registers an account, creates an SMS integration, then sends 5 test notifications. Rinse and repeat.
  • The accounts were registered to @wshu.net email addresses (wshu.net seems to be a disposable email service).
  • Healthchecks.io rate-limits account sign-ups by IP address. The attacker was cycling through VPN IP addresses to avoid the rate limit.
  • Healthchecks.io rate-limits SMS notifications by phone number. The attacker was using a different Moroccan (+212) phone number for each account. It is possible Morocco does not have any special meaning here, except that SMS fees for Morocco are higher than average ($0.22/SMS).
  • They started slowly but later ramped up account creation and SMS sending.
  • Attacker’s HTTP requests used a standard Chrome user agent string.
  • Interestingly, there was at least one @wshu.net account that fits the overall pattern but has a non-Moroccan phone number. Perhaps this is a real phone number, and the attacker used it to check if SMS messages really arrive.

I submitted a request to Twilio to refund the fraudulent charges. After confirming I had fixed the attack vector (free users cannot send any SMS any more), tightened geo permissions, and enabled SMS pumping protection, Twilio graciously agreed to issue refund credit for the full amount. Thanks, Twilio!
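The two controls in the paragraph above (a per-plan SMS quota, with free accounts at 0, and a geo allow-list for destinations) and the attack pattern from the list before it (fresh accounts on one disposable-mail domain, each sending to a different number with the same country prefix, in a short burst) map onto a small amount of code. What follows is an added example written for this post, not Healthchecks.io's code or Twilio's: the allow-list, the quotas, the thresholds, the `Account` class and the log lines are all constructed here.

```python
"""Added example (not from the original post or Healthchecks.io).

1. may_send_sms(): gate a notification before it reaches the SMS provider,
   applying the plan quota first and then the geo allow-list.
2. flag_pumping(): scan a send log for the pattern described in the post,
   i.e. many distinct accounts on one email domain sending to distinct
   numbers with the same destination prefix inside a short window.

Every value below (prefixes, quotas, accounts, log lines) is constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

ALLOWED_PREFIXES = ("+1", "+44", "+371")   # constructed geo allow-list
SMS_QUOTA = {"free": 0, "paid": 100}        # constructed per-plan quotas


@dataclass
class Account:
    email: str
    plan: str
    sms_sent: int = 0


def destination_allowed(phone: str) -> bool:
    """Geo permission check: the destination must start with an allow-listed prefix."""
    return phone.startswith(ALLOWED_PREFIXES)


def may_send_sms(account: Account, phone: str) -> tuple[bool, str]:
    """Quota first, then geo. The message is counted against the quota only
    when both checks pass, so rejected sends never consume credit."""
    quota = SMS_QUOTA.get(account.plan, 0)
    if account.sms_sent >= quota:
        return False, f"quota exhausted ({account.sms_sent}/{quota}) for plan {account.plan!r}"
    if not destination_allowed(phone):
        return False, f"destination {phone[:4]} not in geo allow-list"
    account.sms_sent += 1
    return True, "ok"


def _parse(line: str) -> tuple[datetime, str, str]:
    """Parse a constructed log line of the form 'ISO-time email phone'."""
    ts, email, phone = line.split()
    return datetime.fromisoformat(ts), email, phone


def flag_pumping(lines, window=timedelta(minutes=10), min_accounts=5):
    """Group sends by (email domain, 4-char destination prefix) and slide a
    time window over each group. A group is flagged when at least
    `min_accounts` distinct accounts sent to at least as many distinct
    numbers inside one window. Returns {(domain, prefix): peak account count}."""
    events = sorted(_parse(line) for line in lines)
    groups = defaultdict(list)
    for ts, email, phone in events:
        groups[(email.split("@")[1], phone[:4])].append((ts, email, phone))

    flagged = {}
    for key, evs in groups.items():
        recent = deque()
        for ts, email, phone in evs:
            recent.append((ts, email, phone))
            while ts - recent[0][0] > window:   # drop sends older than the window
                recent.popleft()
            accounts = {e for _, e, _ in recent}
            numbers = {p for _, _, p in recent}
            if len(accounts) >= min_accounts and len(numbers) >= min_accounts:
                flagged[key] = max(flagged.get(key, 0), len(accounts))
    return flagged


# Constructed sample log: two ordinary sends, then a burst of fresh
# disposable-mail accounts each hitting a different +212 number.
SAMPLE_LOG = [
    "2024-05-26T21:00:00 alice@example.com +12025550100",
    "2024-05-26T21:00:30 bob@example.com +442079460000",
] + [
    f"2024-05-26T21:0{i}:00 u{i}@wshu.net +21260000000{i}" for i in range(6)
]


if __name__ == "__main__":
    free = Account("u0@wshu.net", "free")
    paid = Account("alice@example.com", "paid")
    print(may_send_sms(free, "+212600000000"))   # blocked by the 0 quota
    print(may_send_sms(paid, "+212600000000"))   # blocked by the geo allow-list
    print(may_send_sms(paid, "+12025550100"))    # allowed, quota now 1/100
    print(flag_pumping(SAMPLE_LOG))              # {('wshu.net', '+212'): 6}
```

The quota check runs before the geo check on purpose: a free account gets rejected without ever touching the destination, so the cheapest control short-circuits first. The detection side is deliberately coarse (a 4-character prefix and a fixed window); in practice the thresholds would be tuned against the service's normal traffic, and the flagged keys would feed an alert rather than an automatic block.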

This is the first time that someone has performed an attack specifically designed for Healthchecks.io. I do not know what their motivation was. Maybe they were trying to teach me a lesson that it is cheaper to have a bug bounty program. Anyway. All is well that ends well 🙂

Happy monitoring!
Pēteris