$10B SMS Fraud Bypasses Cloud Security - Why Finance Finds Out Too Late
Enterprises are losing $10 billion annually to SMS fraud — and security teams don’t even see it. By the time finance discovers millions in unexplained charges, it’s already too late. Worse, AI-powered ‘smart bots’ are scaling these attacks 500% faster than last year. This week's analysis reveals why traditional cloud security controls miss these threats and how enterprises can build comprehensive fraud detection programs.
Hello from the Cloud-verse!
This week's Cloud Security Newsletter topic: Understanding a $10B Fraud Vector in Cloud-Native Workflows (continue reading)
In case this is your first Cloud Security Newsletter, you are in good company!
You are reading this issue alongside friends and colleagues from companies like Netflix, Citi, JP Morgan, LinkedIn, Reddit, GitHub, GitLab, Capital One, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc and more, who subscribe to this newsletter to learn what's new in cloud security each week from their industry peers, and who, like many others, listen to Cloud Security Podcast and AI Security Podcast every week.
Welcome to this week’s Cloud Security Newsletter
As cloud-native architectures become increasingly complex, we're seeing sophisticated threat actors exploit the intersection of traditional fraud vectors and modern cloud infrastructure. This week, we dive deep into SMS fraud and AI-weaponized attacks with Frank Teruel, a cybersecurity veteran from Arkose Labs who protects some of the world's largest consumer-facing brands.
📰 TL;DR for Busy Readers
💸 $10B in hidden SMS fraud hits finance teams months later — not security.
🤖 AI “smart bots” surged 500% in a year, writing real-time attack scripts.
☁️ Cloud elasticity amplifies fraud → $500K+ weekend bills from crypto mining.
🚨 Traditional security misses it — bots abandon flows before detection.
🔗 Fix requires finance + marketing + security data fusion.
📰 THIS WEEK'S SECURITY HEADLINES
🚨 Major M&A: Accenture's Largest Cybersecurity Acquisition
Accenture announced its agreement to acquire CyberCX, a leading privately-owned cybersecurity services provider across Australia, New Zealand and internationally. This represents Accenture's largest cybersecurity acquisition to date, bringing approximately 1,400 specialized professionals into their Asia Pacific operations.
Why it matters: This acquisition highlights ongoing consolidation in the cybersecurity services market, particularly in Asia-Pacific regions where regulatory complexity demands integrated cloud security expertise. For cloud security leaders, this signals increasing demand for services that can support hybrid and multi-cloud environments across diverse regulatory landscapes.
Source: Accenture Newsroom
⚔️ DripDropper Malware Self-Patches After Exploitation
Threat actors are exploiting a nearly two-year-old Apache ActiveMQ vulnerability (CVE-2023-46604) to deploy DripDropper malware on cloud Linux systems. In an unusual twist, attackers patch the vulnerability after gaining access to prevent other threat actors from using the same entry point.
Why it matters: This represents a sophisticated evolution in threat tactics where adversaries close their own attack vectors to maintain exclusive access and avoid detection by vulnerability scanners. The behavior demonstrates how attackers are becoming more strategic about persistence in cloud environments, making traditional patch management and vulnerability scanning insufficient.
Sources: The Hacker News, Red Canary
🤖 PromptFix Attack Bypasses AI Browser Safeguards
Cybersecurity researchers demonstrated a new prompt injection technique called PromptFix that tricks AI models into performing actions by embedding malicious instructions inside fake CAPTCHA checks. The attack successfully deceives AI-driven browsers like Perplexity's Comet into downloading malicious payloads without user knowledge.
Why it matters: As enterprises adopt AI-powered automation tools, this represents a new class of attack vectors that traditional security controls cannot address. Cloud security teams need to reassess AI security controls and implement specialized detection mechanisms for prompt injection attacks that could compromise AI agents operating within cloud environments.
Source: The Hacker News
🔐 Microsoft August Patch Tuesday Addresses Kerberos Zero-Day
Microsoft released fixes for 111 security flaws, including one publicly disclosed zero-day. The update addresses 16 Critical and 92 Important vulnerabilities, with 44 related to privilege escalation and 35 to remote code execution.
Why it matters: The presence of a publicly disclosed zero-day alongside multiple privilege escalation vulnerabilities demands immediate attention from cloud security teams managing hybrid environments. Organizations using Windows Server components in cloud deployments should prioritize patches addressing authentication vulnerabilities like CVE-2025-50154, an NTLM hash disclosure vulnerability.
Sources: The Hacker News, BleepingComputer
🎯 AgentFlayer Exploits Enterprise AI Tools
Researchers at Black Hat USA demonstrated zero-click exploit chains dubbed AgentFlayer affecting popular enterprise AI tools including ChatGPT, Copilot Studio, Cursor with Jira MCP, Salesforce Einstein, Google Gemini, and Microsoft Copilot.
Why it matters: These working exploits demonstrate how AI agents create new attack surfaces that bypass traditional security controls. As Michael Bargury from Zenity noted, attackers can "silently hijack AI agents to exfiltrate sensitive data, impersonate users, manipulate critical workflows, and move across enterprise systems, bypassing the human entirely." Cloud security teams must implement specialized monitoring for AI agent workflows.
Source: CSO Online
🎯 Cloud Security Topic of the Week: Understanding a $10B Fraud Vector in Cloud-Native Workflows
Featured Experts This Week 🎤
Frank Teruel - Cybersecurity Executive, COO, Arkose Labs
Ashish Rajan - CISO | Host, Cloud Security Podcast
Definitions and Core Concepts 📚
Before diving into our insights, let's clarify some key terms:
SMS Toll Fraud: A $10 billion annual fraud where attackers use bots to initiate registration flows requiring SMS verification, then abandon the process before completion. Organizations pay premium SMS fees to international carriers without realizing they're under attack.
Smart Bots: AI-powered bots that write attack scripts in real-time, representing a 500% year-over-year increase. Unlike traditional "dumb bots" that require manual scripting, smart bots adapt and evolve attack strategies automatically.
International Revenue Sharing Fraud (IRSF): The technical term for SMS toll fraud, where attackers collaborate with international carriers to share revenue from premium-rate SMS messages sent during fake registration attempts.
Crime-as-a-Service (CaaS): Multi-billion dollar business platforms where attackers can purchase sophisticated fraud tools, including bots, phishing kits, and infrastructure, often for monthly service fees.
This week's issue is sponsored by Vanta.
Vanta’s Trust Maturity Report benchmarks security programs across 11,000+ companies using anonymized platform data. Grounded in the NIST Cybersecurity Framework, it maps organizations into four maturity tiers: Partial, Risk-Informed, Repeatable, and Adaptive.
The report highlights key trends:
Only 43% of Partial-tier orgs conduct risk assessments (vs. 100% at higher tiers)
92% of Repeatable orgs monitor threats continuously
71% of Adaptive orgs leverage AI in their security stack
💡Our Insights from this Practitioner 🔍
The Invisible $10 Billion Attack Vector
Frank Teruel reveals a staggering reality that most cloud security teams are completely unaware of: "SMS toll fraud's a $10 billion a year industry. And what happens is, five or six months later, some finance person goes to the marketing person and goes, 'Hey, your campaigns must be working really well because the SMS bill's gone up by 5 million bucks.'"
This attack vector is particularly insidious because it never triggers traditional security controls. The fraud occurs at the very beginning of registration flows where users enter their phone numbers for SMS verification. Attackers use bots to submit millions of premium international phone numbers, triggering expensive SMS charges, then abandon the registration before completing any account takeover attempts.
Why Cloud Environments Amplify Fraud Impact
Cloud-native architectures inadvertently create perfect conditions for fraud amplification. Teruel explains the psychological sophistication of modern attackers: "They're better psychologists than technologists, right? They know how to get people to respond to stimulus... If you make fraud unprofitable, it will go away. If you make it profitable, you make it inevitable."
The elasticity and global reach of cloud platforms make them attractive targets for several reasons:
Scale enablement: Cloud infrastructure allows attackers to process millions of fraudulent transactions in minutes
Geographic exploitation: Attackers leverage cloud regions near premium-rate number countries for faster processing
Cost obfuscation: Cloud billing complexity makes it difficult to quickly identify fraudulent charges
The Evolution to AI-Powered Attack Automation
Perhaps the most concerning development Teruel discusses is the emergence of smart bots powered by AI. "We've seen an increase in smart bots. It's over 500% year over year where you've got human fraud farms interacting with what we call dumb bots or scouting bots, and then the smart bots that are really the machines that are interacting contextually with these flows."
This represents a fundamental shift in threat actor capabilities. Where attackers previously spent days or weeks writing attack scripts, AI now enables real-time script generation and adaptation. As Teruel notes: "If we were having this conversation five years ago, Ashish, you and I, if we were on the adversarial side, we'd be at a terminal writing scripts, right? We'd have to write the software. And that could take you a day. It could take you a week. Today it's being written in real time."
Cloud Infrastructure as Crypto Mining Targets
Teruel shares a particularly eye-opening example of how cloud environments become targets for resource theft: "One of their containers was taken over on the cloud for the sole purpose of mining crypto... over the course of a weekend, the VP of engineering shows up and goes, 'we just spent half a million dollars.'"
This attack pattern highlights a critical gap in cloud security monitoring. Organizations often lack correlation between unusual cloud spending patterns and security incidents, allowing attackers to exploit cloud resources for extended periods before detection.
Building Cross-Functional Fraud Detection Programs
For organizations looking to address these hidden threats, Teruel recommends a three-phase approach:
Phase 1: Vulnerability Assessment
Map all SMS-enabled flows, including customer service callbacks
Identify API footprints that could enable automated attacks
Catalog cloud resources accessible to external registration systems
Phase 2: Cross-Functional Data Fusion
Teruel emphasizes the critical importance of breaking down organizational silos: "The best way around that is for the security people, the marketing people, and the finance people to create data fusion shared data amongst themselves so that security, so marketing can say, 'wow, transaction abandonment's up 5% today. That's weird.' And finance can say, 'oh, coincidentally, SMS bill's up.'"
Phase 3: Continuous Monitoring and Benchmarking
Establish baseline metrics for cloud costs and SMS usage
Implement automated alerts for anomalous spending patterns
Create rapid response protocols for suspected fraud incidents
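The three phases above describe a process, not an implementation. As an added example (not code from the newsletter, from Arkose Labs, or from any product), the following Python script shows what the Phase 2 "data fusion" looks like in practice: it takes the raw SMS-verification events that a registration service already logs, derives the one metric each team watches on its own (security: destination mix; marketing: abandonment rate; finance: daily SMS cost), establishes the Phase 3 baseline from a trailing window, and raises an alert only when at least two of the fused signals move together. The event data, the `+999` destination prefix and every threshold are constructed assumptions for illustration.

```python
"""Added example: fusing the SMS-verification signals that security, marketing
and finance each see on their own (destination mix, abandonment rate, SMS cost)
and flagging days that break from a trailing baseline. All data is constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from statistics import mean


def steady_day_events(day):
    """Constructed 'normal' day: (day, destination prefix, outcome, unit cost in USD).
    'abandoned' means a code was sent but the registration was never completed."""
    return ([(day, "+1", "verified", 0.0075)] * 90
            + [(day, "+1", "abandoned", 0.0075)] * 10
            + [(day, "+44", "verified", 0.04)] * 20)


# Seven steady days as the baseline, then day 8 with a bot-driven burst of
# abandoned verifications to an unusual, expensive prefix. "+999" is a
# placeholder prefix chosen for the example, not a real country code.
SAMPLE_EVENTS = [e for d in range(1, 9) for e in steady_day_events(d)]
SAMPLE_EVENTS += [(8, "+999", "abandoned", 0.25)] * 400


@dataclass
class DayMetrics:
    day: int
    sends: int
    abandon_rate: float   # the number marketing watches
    cost: float           # the number finance watches (months later, per the interview)
    prefixes: Counter = field(default_factory=Counter)  # the mix security should watch


def daily_metrics(events):
    """Aggregate raw verification events into one DayMetrics per day, in day order."""
    by_day = defaultdict(list)
    for day, prefix, outcome, cost in events:
        by_day[day].append((prefix, outcome, cost))
    result = []
    for day in sorted(by_day):
        rows = by_day[day]
        abandoned = sum(1 for _, outcome, _ in rows if outcome == "abandoned")
        result.append(DayMetrics(
            day=day,
            sends=len(rows),
            abandon_rate=abandoned / len(rows),
            cost=sum(cost for _, _, cost in rows),
            prefixes=Counter(prefix for prefix, _, _ in rows),
        ))
    return result


def detect_anomalies(metrics, baseline_days=7, cost_ratio=1.5,
                     abandon_delta=0.10, new_prefix_share=0.25):
    """Compare each day after the baseline window with the window's averages.

    Three fused signals: a cost jump (finance), an abandonment jump (marketing)
    and sends to destination prefixes never seen in the baseline (security).
    A day is flagged only when at least two fire, so one noisy metric does not
    page anyone. The thresholds are illustrative assumptions, not recommendations.
    """
    alerts = []
    for i in range(baseline_days, len(metrics)):
        window = metrics[i - baseline_days:i]
        today = metrics[i]
        base_cost = mean(m.cost for m in window)
        base_abandon = mean(m.abandon_rate for m in window)
        known_prefixes = {p for m in window for p in m.prefixes}
        unseen_sends = sum(n for p, n in today.prefixes.items() if p not in known_prefixes)
        signals = {
            "cost_jump": today.cost > cost_ratio * base_cost,
            "abandonment_jump": today.abandon_rate > base_abandon + abandon_delta,
            "unseen_destinations": unseen_sends / today.sends > new_prefix_share,
        }
        fired = sorted(name for name, hit in signals.items() if hit)
        if len(fired) >= 2:
            alerts.append({
                "day": today.day,
                "signals": fired,
                "cost": round(today.cost, 2),
                "base_cost": round(base_cost, 2),
                "abandon_rate": round(today.abandon_rate, 3),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(daily_metrics(SAMPLE_EVENTS)):
        print(alert)
```

Run on the constructed data, the seven baseline days produce no alert and day 8 trips all three signals: the bill jumps from roughly $1.55 to about $101.55, abandonment rises from 8% to 79%, and three quarters of the day's sends go to a prefix the baseline never saw. The point of requiring two signals is the one Teruel makes: abandonment alone is a marketing curiosity and cost alone is a finance curiosity, but together, on the same day, they are the fraud signature.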
The Strategic Imperative for Board-Level Attention
Teruel stresses that fraud prevention requires executive support: "This has to get elevated to the board. You need top-down support for this... This probably is the single biggest potential contingent liability an organization will face with cyber, because it's where you get the fastest, most impact and can devastate the organization quickly."
This perspective is particularly relevant for cloud security leaders who must articulate fraud risks in business terms. The hidden nature of SMS fraud and cloud resource hijacking makes them perfect examples of how security threats can create massive financial impact without triggering traditional security alerts.
OWASP Top 10 for LLM Applications 2025 - https://genai.owasp.org/llmrisk/
CISA Known Exploited Vulnerabilities Catalog - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Arkose Labs State of Fraud Reports - https://www.arkoselabs.com/
Microsoft Security Response Center on Prompt Injection - https://msrc.microsoft.com/blog/2025/07/how-microsoft-defends-against-indirect-prompt-injection-attacks/
Question for you? (Reply to this email)
What cross-functional processes help you catch fraud early?
Next week, we'll explore another critical aspect of cloud security. Stay tuned!
📬 Want weekly expert takes on AI & Cloud Security? [Subscribe here]
We would love to hear from you📢 for a feature or topic request or if you would like to sponsor an edition of Cloud Security Newsletter.
Thank you for continuing to subscribe, and welcome to the new members of this newsletter community💙
Peace!
Was this forwarded to you? You can sign up here to join our growing readership.
Want to sponsor the next newsletter edition? Let's make it happen.
Have you joined our FREE Monthly Cloud Security Bootcamp yet?
Check out our sister podcast, AI Security Podcast.