Specialization within the underground hinges on open communication between criminals who advertise goods and services as well as potential buyers. Forums, chats, storefronts, and freelance labor pages all streamline abuse, but as a consequence expose the broad range of criminal activities to researchers at large. This creates an opportunity for anti-abuse teams to tap into black markets as both a technique for acquiring datasets of bleeding edge threats as well as an early warning system for failing systems.

Market for Phone Verified Acccounts

Web services attempt to rate limit the torrent of automatically generated accounts through CAPTCHAs, email verification, and most recently phone verification. While CAPTCHAs and email accounts are trivially available from the underground for relatively low prices, ideally phone numbers represent a scarce resource for criminals that are otherwise globally accessible to legitimate users. Consequently, when Google deployed phone verification as a signup protection, prices on the underground surged from $30 per 1K to over $500. Yet there are signs that criminals have streamlined the circumvention of phone verification for a multitude of web services with regular sales for accounts at around $100 per thousand.

Price of phone verified accounts for various services as advertised on the black market.

Tracking Price Over Time

As part of a recent study we tracked the price of phone verified accounts (PVA) over the last year from 14 different merchants in the PVA space. During our monitoring we noticed that prices dropped 30–40% across multiple services in a short period. While it’s possible many of the merchants we tracked were merely resellers, the drop itself was a strong warning sign that criminals had devised a new mechanism to circumvent the intended high-bar of phone verification.

Understanding the Price Drop

After purchasing a sample of 2K Google PVA and examining another set of 300K PVA that Google disabled for abuse, we determined that three factors were deflating the price of accounts.

VOIP

VOIP in particular poses a significant threat to the intended cost of phone verification. Services such as Pinger and TextPlus allow new customers to register for a free, SMS-receivable number in exchange for solving a CAPTCHA or email verification challenge. Both resources are cheaply available from the underground and undermine the intended cost of a SIM card. Similarly, services such as Google Voice allow miscreants to convert an existing phone number (including US VOIP numbers) into multiple new phone numbers. This creates an abuse multiplier that allows miscreants to amortize the cost of the original phone number seed as well as mask the original carrier. All of these services are available online, opening up the possibility for miscreants to scrape page content to automate SMS verification challenges.

Screenshot of the signup page for an unnamed VOIP service. The service allows anyone to receive a free US phone number for voice and SMS in exchange for solving a CAPTCHA. Email verification is absent.

Cheap SIMs

VOIP numbers alone do not explain the entire phone verified abuse ecosystem; a second substantial component is fueled by mobile carriers tied to India and Indonesia including PT, Bharti, and Vodafone. Our understanding of how miscreants acquire phone numbers from these regions and subsequently respond to SMS challenges is less clear than VOIP. While we can only speculate, discussions we observe on underground forums suggest that workers manually respond to verification challenges using modified cell phones to simplify cycling through SIM cards. This reflects related strategies for manual CAPTCHA solving farms that operate out of the same regions.

Bulk sale of SIM cards and hardware to simplify manual verification.

SMS as a Service

Anecdotally, when we conducted our search to identify merchants selling PVA, we also encountered an underground market segment surrounding verification as a service. Sites such as http://sms-area.org advertise automated APIs for phone verifying Vkontakte, Google, and Facebook accounts. Prices for these services are as low as $140 per 1K verification codes for mobile (non-VOIP) numbers originating from Russia, Kazakhstan, and Belarus.

SMS verification as a service. Miscreants can choose the service to verify and bid on phone numbers from different regions and carriers.

If you want to know more about how to improve phone verification to protect against these services then take a look at our recent paper called Dialing Back Abuse on Phone Verified Accounts that appeared in CCS 2014.