Introduction

The rapid growth of Internet business has gradually penetrated everyday life and has had a huge impact on the economy, culture and society. At the same time, Internet business security has become increasingly important. Just as network communication has its basic security facility, the firewall, Internet business has its own basic security facilities: image verification codes (captchas) and SMS verification codes. In Internet business, image captchas are widely used to tell humans and machines apart, and SMS verification codes are used to filter out low-value users and to provide a second verification step. As basic security facilities, image captchas and SMS verification also face many challenges.

Earlier, we covered the development, principles, advantages and disadvantages of verification codes in "The Past and Present of Verification Codes (Previous Life)" and "The Past and Present of Verification Codes (Present Life)". This article takes a closer look at two threats facing Internet business: captcha-solving platforms (打码平台, literally "coding platforms") and SMS-receiving platforms (手机接码平台, literally "mobile phone code-receiving platforms"). We introduce them through two scenarios:

Scenario 1: You want to log in to the 12306 railway ticketing site in batches and buy tickets, but the verification code cannot be recognized automatically. The 12306 captcha is relatively complex and hard for a program to recognize. This is where the captcha-solving platform comes in: the program sends the captcha image to the platform's recognition interface, the platform forwards it to a human solver at the back end, and the recognition result is returned. With this kind of manual solving platform behind it, the program can be fully automated.
Scenario 2: You want to register on a shopping platform, but registration requires a mobile phone number and the verification code sent to it. How do you register accounts in bulk? This is where the SMS-receiving platform comes in: it holds a large pool of mobile phone numbers and can send and receive text messages on them. You only need to call the platform's interface to obtain a number, enter it on the target site, and call the interface again to obtain the text message content, and batch registration becomes possible. At the end of the article we briefly describe newer defences against these threats.

I. Captcha-solving platforms

1) Introduction

Nowadays many simple character captchas no longer block machine behaviour effectively: they can be recognized with simple OCR tools, and slightly more complex ones can be recognized with high accuracy by combining OCR with machine learning. Because ordinary character captchas are easy to recognize, more complex captchas have appeared, such as the following, which are much harder for a machine to read. So anyone who wants to perform malicious registration or other batch machine behaviour has to get past this kind of hard captcha. In response to that demand the manual captcha-solving platform was created: it organizes real people to recognize the captchas and submit the results.

2) Operation flow chart

Note: Suppose the freeloaders (羊毛党) want to harvest event coupons from a website, but the site uses a complex image captcha. The freeloader typically registers an account on a solving platform, tops it up, and submits captchas for recognition through the API the platform provides. The platform distributes each captcha to the client software of its solvers, collects the solver's answer, and returns it to the freeloader.

1. Online-earning platforms

Many solving platforms need to cooperate with online-earning platforms (网赚平台), because those platforms have a large user base. A platform where you can earn money just by typing in verification codes every day is attractive to many novice users. Take an online-earning platform called "Youzhuanwang": it publishes various tasks for users, pays them in gold coins, and lets them withdraw once a certain amount of coins has accumulated. The online-earning platform has a dedicated captcha module listing the solving platforms it cooperates with, as shown in the figure. Clicking on one of the solving-platform projects, "ZhiMa DaMa", leads to the page shown in the figure. After obtaining a work number and password, downloading the provided software, logging in and passing a simple test, the solver starts receiving captchas pushed by the solving platform, as shown in the figure.

Solvers can choose the kinds of captcha they want to receive, including multiple-choice, fill-in-the-blank and mouse-click types, and the software shows how many captchas are queued on the platform (45 in the figure). As soon as the solver enters an answer, the next captcha is loaded. Each captcha is worth a different number of points: harder captchas earn more, and the online-earning platform pays more for night work, which is why solving platforms also charge a higher night-service fee.

A rough calculation of a solver's income: according to the platform, 10,000 gold coins can be exchanged for 1 yuan, and we estimate an average of 100 gold coins per captcha. So 100 captchas earn 1 yuan, and a solver who types 10,000 captchas a day earns 100 yuan.

2. The captcha-solving platform

The solving platform supports many captcha types: ordinary character captchas, multiple-choice questions, arithmetic questions and other special types, each billed differently. Consider the price table of one solving platform: 10 yuan buys 25,000 Kuai Beans, and the most common captcha type costs 10 Kuai Beans, so 10 yuan recognizes 2,500 ordinary captchas. Recognition of the 12306 image captcha costs 60 Kuai Beans, so 10 yuan recognizes a little over 400 of them. The platform exposes its service as an API: the user only supplies the account name and password, the captcha type and the captcha image file, as shown in the figure.

3. Developers

Each solving platform has many developers who build software on the SDK the platform provides. For example, a developer writes ticket-grabbing software for 12306 and connects it to the solving platform; a freeloader using that software only needs to enter their solving-platform account and password. The developer earns a commission, which is generally high.

4. Freeloaders

What is the "wool party"? Selectively taking part in promotions in order to obtain material benefits at low or even zero cost is called "薅羊毛" (literally "plucking wool"), and the group that watches for and is keen on "薅羊毛" is called the "羊毛党" ("wool party"), rendered here as freeloaders. Earlier, the 羊毛党 were mainly active on O2O and e-commerce platforms.
In addition, with the rise of Internet finance in 2015, online lending platforms often launched lucrative promotions to attract investors, such as registration and identity-verification rewards, top-up rebates and bidding rebates, which spawned investment groups that live off them, the so-called P2P 羊毛党. Of course, not everyone who uses a solving platform is a freeloader: they may also be ticket "scalpers" or fraudsters in the black-market industry.

3) Benefit chain

Description: Solvers earn money through their own labour and cash out through the online-earning platform; the online-earning platform cooperates with the solving platform and shares the revenue. The solving platform packages the service and sells it to freeloaders. The platform's developers write software for freeloaders to use. The freeloaders, in turn, profit from target websites through batch registration, promotional discounts and so on.

II. SMS-receiving platforms

1) Introduction

Internet businesses use SMS verification codes to filter out low-value users and push services to their target users. This rests on the premise that mobile phone numbers are essentially real-name verified and that each person owns only a limited number of them. On that assumption SMS verification should prevent junk registrations and select genuinely valuable customers. However, the black-market industry has built SMS-receiving platforms specifically for registration flows that depend on a mobile phone number. A receiving platform hoards a large number of SIM cards and provides SMS sending and receiving services on them. In actual investigations, large receiving platforms were found to hold millions of SIM cards, and even small ones tens of thousands.

2) Operation flow chart

The flow chart of the SMS-receiving platform is as follows. There are two main roles: the ordinary user of the platform, usually a freeloader, and the platform's card dealers (卡商).

Note: The receiving platform provides interfaces for various "projects", such as registering an account on site xxx or binding a phone number on site xxx. The freeloader only needs to call the interface to obtain a number available for a given project, enter that number on the target website, and then call the interface again to fetch the text message content.

1. The SMS-receiving platform

The receiving platform offers a variety of projects; the project list of one platform is shown in the figure. Prices differ by project: P2P finance projects may be more expensive, while common projects such as binding a phone number to 115 cloud disk are cheap, only 0.1 yuan per number. Receiving an SMS is very simple. The platform's official API description is shown in the figure: call the interface to get a number for a project, enter it on the website, and call the interface to get the message content. The platform usually also offers functions such as sending text messages and receiving voice verification codes. The figure below shows one platform's interface for sending text messages.

2. Card dealers

Card dealers are users who own large numbers of SIM cards. Using a modem pool (猫池) and the software provided by the receiving platform, they provide SMS sending and receiving for the platform's projects, and earn a fee each time one of their numbers is used. The figure shows the card-dealer client of one receiving platform: the dealer connects a modem pool loaded with SIM cards to the computer and selects the projects to work on.
A modem pool can be understood as a device with a communication module that sends and receives text messages and has slots for many SIM cards. Common models have 8 or 16 ports, and some have 128 ports, meaning 128 SIM cards can be inserted at the same time. There are many kinds of modem, and many now support 3G and 4G. The picture below shows a modem pool with SIM cards inserted.

Card dealers usually hold a large stock of cards, and SMS-receiving is only one of their businesses; many cards are also used to inflate Diamond memberships, paid memberships, traffic counts and so on. The market price is generally around 10 yuan per card. Many of these cards have passed real-name verification, and there are many special cards with zero monthly rent and zero balance; of course, cards that can send text messages must carry some balance. An advertisement posted by a card dealer selling SIM cards is shown in the figure.

As for where such large numbers of cards come from, a card dealer on one receiving platform disclosed the following. These card dealers also offer other services, such as Super VIP, Yellow Diamond and Green Diamond (Tencent QQ membership products); the information sent by card dealers on the Yida code platform is shown in the figure.

3. Freeloaders

Consider a freeloader group where new promotion information is posted every day. Of course, those who post openly are after small profits; those making big money will not disclose their methods easily, and many of them belong to the grey or black market. Groups that trade in cashing out promotions usually also sell identity information: in one group we saw the front and back of ID cards plus a photo of the holder with the ID card in hand offered at only 0.2 cents per set, as shown in the picture.

3) Benefit chain

Description: Freeloaders use numbers provided by the receiving platform to register on websites in batches, obtain throwaway accounts, and use those accounts to harvest discounts at scale, for example Uber's referral coupons for newly registered users, or sites that give phone credit for referring new users. The receiving platform charges for the service and shares revenue with the card dealers connected to it; the platform also holds some SIM cards of its own. Card dealers have several lines of business: some specialize in serving receiving platforms, others sell cards to freeloaders for Super VIP, Diamond and similar membership-inflation schemes.

III. How to prevent and control

How can captcha-solving platforms and SMS-receiving platforms be prevented and controlled? Adopting newer captcha technology is one way, and building a blacklist library of receiving-platform numbers is another.
More important still is to build your own security risk-control system on top of a phone-number reputation system and a device reputation system, backed by large amounts of data.

1) Newer captchas

Replace the traditional captcha with a newer one. Traditional captchas can no longer stop machine behaviour, so a generation of captchas based on user behaviour has appeared. Their defining feature is that they no longer decide human-or-machine on the basis of a knowledge test; instead they make a combined decision from the user's inherent behavioural traits (for example, the way a mouse or finger moves) and information about the operating environment. Examples are Google's reCAPTCHA and Alibaba's NoCaptcha. This does not mean such captchas cannot be bypassed: at this year's Black Hat Asia a method for breaking Google reCAPTCHA was presented; for details see [Related paper].

2) Phone-number reputation database

For SMS verification, return to the essential purpose of the SMS code: filtering out low-value Internet users. Because mobile phone numbers are not fully real-name verified, the cost of obtaining a number is actually not high, so a number alone cannot effectively select genuinely high-value customers. However, although a number is cheap to obtain, most ordinary users do not change their number often, so a reputation database keyed on the phone number can be built from the behaviour associated with that number. High-value customers are then selected by the number's reputation rather than by the mere fact that the user has a number.

3) Risk-control system

For ordinary websites it is especially important to build their own user reputation system and to base prevention and control on signals such as device reputation and user behaviour. For P2P finance websites a dedicated security risk-control system is essential: financial sites are more sensitive, and user identity should be strongly verified, for example through identity verification when binding a bank card.

4) Others

Mobile phone numbers now require real-name registration, which has had some effect on the mass abuse of SIM cards. However, our investigation found that large numbers of special cards are still available, all of which have passed real-name or corporate verification. In addition, the state has issued policies declaring SMS-receiving platforms illegal, so these platforms have moved underground.
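As an added example that is not part of the original article, the following Python sketch shows how the defences of sections 2) and 3) above can be combined into one risk score for a registration attempt: a blacklist of numbers already observed on receiving platforms, a phone-number reputation built from the number's own login history, and device reputation expressed as a velocity limit (one device cycling through many numbers is the signature of a freeloader driving a receiving-platform API). The RiskEngine and Event names, the thresholds, and every phone number, device id and project name are assumptions constructed for illustration; the sample traffic in run_demo() is likewise constructed, not observed data.

```python
"""Registration risk scoring against SMS-receiving platform abuse.
Added example for this article, not code from the original. All numbers,
device ids, project names and thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str        # "register" (consumed an SMS code) or "login"
    phone: str
    device_id: str   # app installation id or browser fingerprint
    project: str     # which registration or binding flow the number was used in


# Assumed thresholds; tune against real traffic.
WINDOW = timedelta(hours=24)
MAX_PROJECTS_PER_PHONE = 2   # a rented number is sold into many "projects"
MAX_PHONES_PER_DEVICE = 3    # one freeloader device cycling through numbers
CHALLENGE_AT, DENY_AT = 30, 60


class RiskEngine:
    def __init__(self, blacklist=()):
        self.blacklist = set(blacklist)   # numbers observed on receiving platforms
        self.by_phone = defaultdict(list)
        self.by_device = defaultdict(list)

    @staticmethod
    def _recent(events, now):
        return [e for e in events if timedelta(0) <= now - e.ts <= WINDOW]

    def phone_reputation(self, phone, now):
        """Credit for a long, steady login history: unlikely to be a rented SIM."""
        logins = [e for e in self.by_phone[phone] if e.kind == "login" and e.ts <= now]
        if len(logins) < 5:
            return 0
        return 30 if now - min(e.ts for e in logins) >= timedelta(days=30) else 10

    def record(self, ev):
        self.by_phone[ev.phone].append(ev)
        self.by_device[ev.device_id].append(ev)

    def assess(self, ev):
        """Score a registration attempt, record it, return (decision, score, reasons)."""
        score, reasons = 0, []
        if ev.phone in self.blacklist:
            score += 60
            reasons.append("number previously observed on an SMS-receiving platform")
        # A receiving-platform number is sold into many projects in quick succession.
        projects = {e.project for e in self._recent(self.by_phone[ev.phone], ev.ts)
                    if e.kind == "register"} | {ev.project}
        if len(projects) > MAX_PROJECTS_PER_PHONE:
            score += 40
            reasons.append(f"number used in {len(projects)} registration flows within 24h")
        # Device reputation: one device registering many numbers is automation.
        dev_phones = {e.phone for e in self._recent(self.by_device[ev.device_id], ev.ts)} | {ev.phone}
        if len(dev_phones) > MAX_PHONES_PER_DEVICE:
            score += 50
            reasons.append(f"device registered {len(dev_phones)} distinct numbers within 24h")
        score -= self.phone_reputation(ev.phone, ev.ts)
        self.record(ev)
        decision = "deny" if score >= DENY_AT else "challenge" if score >= CHALLENGE_AT else "allow"
        return decision, score, reasons


def run_demo():
    """Constructed traffic: an established user, a blacklisted number, and a
    device churning through rented numbers. Returns {label: decision(s)}."""
    t0 = datetime(2016, 6, 1, 9, 0)
    engine = RiskEngine(blacklist={"+8613800000001"})
    out = {}
    # Established user: six logins over two months, then signs up for a coupon event.
    for days_ago in range(60, -1, -12):
        engine.record(Event(t0 - timedelta(days=days_ago), "login",
                            "+8613900000100", "dev-user", "app"))
    out["established_user"] = engine.assess(Event(
        t0, "register", "+8613900000100", "dev-user", "coupon-event"))[0]
    # Number already on the receiving-platform blacklist.
    out["blacklisted"] = engine.assess(Event(
        t0, "register", "+8613800000001", "dev-x", "coupon-event"))[0]
    # A rented number seen earlier today in two other projects (shared reputation data).
    rented = "+8617000000004"
    engine.record(Event(t0 - timedelta(hours=3), "register", rented, "dev-p", "cloud-disk-bind"))
    engine.record(Event(t0 - timedelta(hours=2), "register", rented, "dev-q", "p2p-signup"))
    # Freeloader device cycling through five numbers two minutes apart; the fifth is the rented one.
    out["bot_sequence"] = [
        engine.assess(Event(t0 + timedelta(minutes=2 * i), "register",
                            f"+861700000000{i}", "dev-bot", "coupon-event"))[0]
        for i in range(5)
    ]
    return out


if __name__ == "__main__":
    for label, decision in run_demo().items():
        print(f"{label}: {decision}")
```

In the constructed run, the established user is allowed (the login history earns a reputation credit that outweighs any velocity signal), the blacklisted number is denied outright, and the automated device is allowed its first three numbers, challenged on the fourth, and denied on the fifth because that number has also been rented into two other projects the same day. The point of the design is that the number-based and device-based signals are independent: a receiving platform can hand out fresh numbers, but it cannot give each of them a months-long login history, and a freeloader cannot register dozens of numbers without reusing a device.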