Black Markets: An Abuse Fighter’s Oracle of Delphi

Specialization within the underground hinges on open communication between criminals who advertise goods and services and the buyers looking for them. Forums, chats, storefronts, and freelance labor pages all streamline abuse, but as a consequence they expose a broad range of criminal activity to researchers. This creates an opportunity for anti-abuse teams to tap into black markets both as a source of datasets on bleeding-edge threats and as an early warning system for defenses that are failing.

Market for Phone Verified Accounts

Web services attempt to rate-limit the torrent of automatically generated accounts through CAPTCHAs, email verification, and most recently phone verification. CAPTCHA solutions and email accounts are trivially available from the underground at low prices; phone numbers, ideally, are a scarce resource for criminals while remaining globally accessible to legitimate users. Consequently, when Google deployed phone verification as a signup protection, underground prices for Google accounts surged from $30 per 1K to over $500 per 1K. Yet there are signs that criminals have streamlined the circumvention of phone verification for a multitude of web services, with regular sales of accounts at around $100 per thousand.

Price of phone verified accounts for various services as advertised on the black market.


Tracking Price Over Time

As part of a recent study we tracked the price of phone verified accounts (PVA) over the last year from 14 different merchants in the PVA space. During our monitoring we noticed that prices dropped 30–40% across multiple services in a short period. While it’s possible many of the merchants we tracked were merely resellers, the drop itself was a strong warning sign that criminals had devised a new mechanism to circumvent the intended high-bar of phone verification.
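
A minimal version of this kind of cross-merchant price monitor, added here as an illustration (it is not the study's tooling): the weekly quotes, the 4-week baseline, and the 30% alert threshold are constructed assumptions. It flags weeks where the median asking price across merchants falls sharply below its recent baseline, and reports which merchants moved, since a drop shared by most sellers is the signal that matters; a single merchant clearing stock is not.

```python
"""Cross-merchant price monitor for phone verified accounts (PVA).

Added example, not code from the original study. The weekly price series
below are constructed for illustration; the 30% threshold and the 4-week
baseline window are assumptions, not parameters from the paper.
"""
from statistics import median

# Constructed sample: USD per 1K Google PVA, one observation per week,
# for four hypothetical merchants. None of these figures are real quotes.
PRICES = {
    "merchant_a": [500, 510, 490, 500, 320, 310, 300],
    "merchant_b": [480, 480, 475, 470, 300, 290, 290],
    "merchant_c": [520, 515, 520, 510, 510, 340, 330],
    "merchant_d": [450, 455, 450, 445, 300, 305, 300],
}


def market_median(prices, week):
    """Median asking price across merchants that quoted in a given week."""
    quotes = [series[week] for series in prices.values() if week < len(series)]
    return median(quotes)


def detect_drops(prices, window=4, threshold=0.30):
    """Return [(week, baseline, current, fraction_drop)] for weeks where the
    cross-merchant median falls at least `threshold` below the median of the
    preceding `window` weeks. Using the median across merchants keeps one
    reseller's sale or a typo in a single listing from raising an alert."""
    n_weeks = max(len(s) for s in prices.values())
    medians = [market_median(prices, w) for w in range(n_weeks)]
    alerts = []
    for w in range(window, n_weeks):
        baseline = median(medians[w - window:w])
        drop = (baseline - medians[w]) / baseline
        if drop >= threshold:
            alerts.append((w, baseline, medians[w], round(drop, 3)))
    return alerts


def merchants_dropping(prices, week, window=4, threshold=0.30):
    """Names of merchants whose own quote at `week` is at least `threshold`
    below the median of their previous `window` quotes. A market-wide alert
    where most merchants appear here points at a shared new circumvention
    technique rather than one seller clearing stock."""
    hits = set()
    for name, series in prices.items():
        if week >= len(series) or week < window:
            continue
        baseline = median(series[week - window:week])
        if (baseline - series[week]) / baseline >= threshold:
            hits.add(name)
    return hits


if __name__ == "__main__":
    for week, baseline, current, drop in detect_drops(PRICES):
        movers = sorted(merchants_dropping(PRICES, week))
        print(f"week {week}: median {baseline:.2f} -> {current:.2f} "
              f"({drop:.1%} drop); merchants dropping: {movers}")
```

Feeding this real scraped quotes requires dealing with listings that quote a different product (aged accounts, different services) under the same heading; the monitor above assumes each series is already normalized to one product.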

Understanding the Price Drop

After purchasing a sample of 2K Google PVA and examining another set of 300K PVA that Google disabled for abuse, we determined that three factors were deflating the price of accounts.

VOIP

VOIP in particular poses a significant threat to the intended cost of phone verification. Services such as Pinger and TextPlus allow new customers to register for a free, SMS-receivable number in exchange for solving a CAPTCHA or email verification challenge. Both resources are cheaply available from the underground and undermine the intended cost of a SIM card. Similarly, services such as Google Voice allow miscreants to convert an existing phone number (including US VOIP numbers) into multiple new phone numbers. This creates an abuse multiplier that allows miscreants to amortize the cost of the original phone number seed as well as mask the original carrier. All of these services are available online, opening up the possibility for miscreants to scrape page content to automate SMS verification challenges.

Screenshot of the signup page for an unnamed VOIP service. The service allows anyone to receive a free US phone number for voice and SMS in exchange for solving a CAPTCHA. Email verification is absent.


Cheap SIMs

VOIP numbers alone do not explain the entire phone verified abuse ecosystem; a second substantial component is fueled by mobile carriers tied to India and Indonesia including PT, Bharti, and Vodafone. Our understanding of how miscreants acquire phone numbers from these regions and subsequently respond to SMS challenges is less clear than VOIP. While we can only speculate, discussions we observe on underground forums suggest that workers manually respond to verification challenges using modified cell phones to simplify cycling through SIM cards. This reflects related strategies for manual CAPTCHA solving farms that operate out of the same regions.

Bulk sale of SIM cards and hardware to simplify manual verification.


SMS as a Service

Anecdotally, when we conducted our search to identify merchants selling PVA, we also encountered an underground market segment surrounding verification as a service. Sites such as http://sms-area.org advertise automated APIs for phone verifying Vkontakte, Google, and Facebook accounts. Prices for these services are as low as $140 per 1K verification codes for mobile (non-VOIP) numbers originating from Russia, Kazakhstan, and Belarus.

SMS verification as a service. Miscreants can choose the service to verify and bid on phone numbers from different regions and carriers.


If you want to know more about how to improve phone verification to protect against these services then take a look at our recent paper called Dialing Back Abuse on Phone Verified Accounts that appeared in CCS 2014.
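
The three factors above are all visible at signup if a service classifies the number it is asked to verify. The following gate is an added example of the defensive checks this suggests; it is not code from the paper or from any service. The prefix-to-carrier table, the per-number account cap, and the per-carrier velocity limit are constructed assumptions (a production deployment would use a live number-type lookup and tune its limits from its own traffic).

```python
"""Signup-time checks on a verification phone number.

Added example illustrating the defensive side of the three factors above
(VOIP numbers, cheap SIMs from a few carriers, SMS-as-a-service). It is not
code from the study or from any service. The carrier lookup table and the
limits are constructed assumptions; a real deployment would query a number
type / HLR lookup provider and tune limits from its own data.
"""
import re
from collections import defaultdict

# Constructed lookup: E.164 prefix -> (carrier, line type). Real deployments
# need a live lookup; these entries are illustrative only.
PREFIX_TABLE = {
    "+1415555": ("hypothetical-voip", "voip"),
    "+1212555": ("hypothetical-mobile", "mobile"),
    "+91900":   ("hypothetical-in-mobile", "mobile"),
    "+7900":    ("hypothetical-ru-mobile", "mobile"),
}

MAX_ACCOUNTS_PER_NUMBER = 3   # assumption: legitimate users rarely exceed this
CARRIER_VELOCITY_LIMIT = 50   # assumption: verifications per carrier per window


def normalize(number):
    """Strip common formatting; return E.164 ('+' then 7-15 digits) or None."""
    compact = re.sub(r"[\s().-]", "", number)
    return compact if re.fullmatch(r"\+\d{7,15}", compact) else None


def lookup(e164):
    """Longest-prefix match against the carrier table."""
    for n in range(len(e164), 0, -1):
        hit = PREFIX_TABLE.get(e164[:n])
        if hit:
            return hit
    return ("unknown", "unknown")


class PhoneVerificationGate:
    def __init__(self):
        self.accounts_per_number = defaultdict(int)
        self.verifications_per_carrier = defaultdict(int)

    def evaluate(self, raw_number):
        """Return (decision, reason). 'deny' blocks the signup, 'challenge'
        asks for an additional signal, 'allow' sends the SMS code."""
        e164 = normalize(raw_number)
        if e164 is None:
            return ("deny", "malformed number")
        carrier, line_type = lookup(e164)
        if line_type == "voip":
            # Free SMS-capable VOIP numbers cost an attacker only a CAPTCHA or
            # an email account, so they carry none of the intended SIM cost.
            return ("deny", f"voip number ({carrier})")
        if self.accounts_per_number[e164] >= MAX_ACCOUNTS_PER_NUMBER:
            # Reusing one number across many accounts is how a seed number
            # (e.g. a forwarding number) is amortized.
            return ("deny", "number already tied to too many accounts")
        if line_type == "unknown":
            return ("challenge", "carrier unknown")
        if self.verifications_per_carrier[carrier] >= CARRIER_VELOCITY_LIMIT:
            # A burst from one carrier matches the bulk-SIM and
            # SMS-as-a-service patterns.
            return ("challenge", f"carrier velocity exceeded ({carrier})")
        return ("allow", carrier)

    def record_success(self, raw_number):
        """Update counters once the user has echoed back a valid SMS code."""
        e164 = normalize(raw_number)
        if e164 is None:
            return
        carrier, _ = lookup(e164)
        self.accounts_per_number[e164] += 1
        self.verifications_per_carrier[carrier] += 1


if __name__ == "__main__":
    gate = PhoneVerificationGate()
    for n in ["+1 (415) 555-0100", "+1 212 555 0199", "212-555-0100"]:
        print(n, "->", gate.evaluate(n))
```

The velocity counter is deliberately per carrier rather than per country: the SMS-as-a-service listings let a buyer pick carrier and region, so a spike confined to one carrier is the shape such a campaign takes.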

Account Hijacking in Social Networks

Account hijacking has become a routine, large-scale threat to users and online web services. Like a siren's call, the proliferation of personal data on remote servers draws miscreants looking to monetize it. For email and cloud services, the most intimate details of our lives are guarded by a single password prompt. For online social networks, an account encompasses the social capital and trust we have accrued with family, friends, fans, and colleagues over a lifetime.

We recently developed a technique to detect symptoms of account hijacking (e.g., sending spam to your Twitter followers). We relied on near-duplicate detection to identify clusters of colluding users and a secondary filter that distinguishes meme participants, fraudulent accounts, and hijacked victims. We ran our algorithm on 8.7 billion tweets produced between January, 2013–October, 2013 as captured from the Twitter streaming API. In total we detected 13.8 million compromised accounts and 4.6 million fraudulent accounts that miscreants used to send over 100 million spam tweets.
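
An added example of the near-duplicate step, not the study's own implementation: word-bigram shingles with Jaccard similarity are unioned into clusters, then a deliberately simplified secondary filter separates link-carrying campaigns from link-free memes and splits campaign accounts by age. The tweets, the similarity threshold, and the 30-day age cutoff are constructed assumptions; the study's actual secondary classifier is not reproduced here.

```python
"""Near-duplicate clustering of tweets to surface colluding accounts.

Added example of the near-duplicate step described above; not the study's
own code. Tweets below are constructed. The shingle size, similarity
threshold and the age-based split between 'fraudulent' and 'hijacked'
candidates are assumptions made for illustration only.
"""
import re

# Constructed sample: (account, account_age_days, tweet text)
TWEETS = [
    ("alice",   900, "omg check this out lose 10 lbs in a week http://spam.example/a"),
    ("bob",     650, "OMG check this out!! lose 10 lbs in a week http://spam.example/b"),
    ("carol",  1200, "omg check this out, lose 10lbs in a week http://spam.example/c"),
    ("dave",      2, "omg check this out lose 10 lbs in a week http://spam.example/d"),
    ("erin",      3, "omg check this out lose 10 lbs in a week http://spam.example/e"),
    ("frank",   400, "Great game last night, what a finish"),
    ("grace",   300, "that game last night was unreal, what a finish!"),
    ("heidi",   800, "Happy birthday to my favorite person in the world"),
    ("ivan",    500, "RT if you remember the 90s #nostalgia"),
    ("judy",    700, "RT if you remember the 90s #nostalgia"),
    ("mallory", 100, "rt if you remember the 90s!! #nostalgia"),
]


def shingles(text, k=2):
    """Lowercase, replace URLs with a placeholder so per-victim tracking
    links do not break matches, then emit word k-grams."""
    text = re.sub(r"https?://\S+", "url", text.lower())
    words = re.findall(r"[a-z0-9]+", text)
    if len(words) < k:
        return {" ".join(words)} if words else set()
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if a or b else 0.0


def cluster(tweets, threshold=0.5, k=2):
    """Union-find over tweet pairs with Jaccard >= threshold; returns a list
    of index lists, one per cluster (singletons included)."""
    sets = [shingles(t[2], k) for t in tweets]
    parent = list(range(len(tweets)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(tweets)):
        for j in range(i + 1, len(tweets)):
            if jaccard(sets[i], sets[j]) >= threshold:
                parent[find(i)] = find(j)
    groups = {}
    for i in range(len(tweets)):
        groups.setdefault(find(i), []).append(i)
    return list(groups.values())


def triage(tweets, clusters, min_accounts=3, new_account_days=30):
    """Secondary filter (simplified assumption, not the study's classifier):
    a cluster of >= min_accounts distinct accounts whose text carries a link
    is treated as a campaign; accounts younger than new_account_days are
    fraudulent candidates, older ones hijacked candidates. Link-free clusters
    are reported as memes and left alone."""
    report = []
    for members in clusters:
        accounts = {tweets[i][0] for i in members}
        if len(accounts) < min_accounts:
            continue
        has_link = any(re.search(r"https?://", tweets[i][2]) for i in members)
        if not has_link:
            report.append({"kind": "meme", "accounts": sorted(accounts)})
            continue
        fraud = sorted(tweets[i][0] for i in members if tweets[i][1] < new_account_days)
        hijacked = sorted(tweets[i][0] for i in members if tweets[i][1] >= new_account_days)
        report.append({"kind": "campaign", "fraudulent": fraud, "hijacked": hijacked})
    return report


if __name__ == "__main__":
    for entry in triage(TWEETS, cluster(TWEETS)):
        print(entry)
```

At 8.7 billion tweets the all-pairs comparison above is not viable; the same shingles feed a MinHash/LSH index so that only candidate pairs sharing a bucket are compared, which is the standard scaling step and does not change the clustering logic shown here.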

Major Findings

  • Account hijacking is a systematic threat that impacts nascent, casual, and core users.
  • Users or Twitter react quickly: 60% of victims lose control of their account for no more than a day; 90% for fewer than 5 days.
  • Significant challenges remain with account recovery: 21% of victims never return to Twitter after the service wrests control of the account back from the hijackers.
  • Victims become socially isolated: 56% of victims lose social connections as a consequence of hijacking.
  • Compromise spreads like a social or biological contagion: users are 10x more likely to fall victim to a phishing or malware campaign if 20 of their friends are compromised due to the trust they place in their relationships.
  • Contagions are long lasting: it takes a median of over a week for Twitter to recover from an attack.

If you want to see more, check out Consequences of Connectivity: Characterizing Account Hijacking on Twitter published at CCS 2014.

Trafficking Fraudulent Accounts

This post is based on research conducted in collaboration with Twitter, to appear in Usenix Security 2013. A pdf is available under my publications. Any views or opinions discussed herein are my own and not those of Twitter.

As web services such as Twitter, Facebook, Google, and Yahoo now dominate the daily activities of Internet users, cyber criminals have adapted their monetization strategies to engage users within these walled gardens. This has led to a proliferation of fraudulent accounts: automatically generated credentials used to disseminate scams, phishing, and malware. Recent studies from 2011 estimate that at least 3% of active Twitter accounts are fraudulent. Facebook estimates its own fraudulent account population at 1.5% of its active user base, and the problem extends to major web services beyond social networks.

The complexities of circumventing registration barriers such as CAPTCHAs, email confirmation, and IP blacklists have led to the emergence of an underground market that specializes in selling fraudulent accounts in bulk. Account merchants operating in this space brazenly advertise: a simple search query for “buy twitter accounts” yields a multitude of offers for fraudulent Twitter credentials with prices ranging from $10–200 per thousand. Once purchased, accounts serve as stepping stones to more profitable spam enterprises that degrade the quality of web services, such as pharmaceutical spam or fake anti-virus campaigns.

To understand this shadowy economy, we investigate the market for fraudulent Twitter accounts to monitor prices, availability, and fraud perpetrated by 27 merchants over the course of a 10-month period. We use our insights to develop a classifier to retroactively detect several million fraudulent accounts sold via this marketplace, 95% of which we disable with Twitter’s help. During active months, the 27 merchants we monitor appeared responsible for registering 10–20% of all accounts later flagged for spam by Twitter, generating $127–459K for their efforts.

Account Merchants and Pricing

With no central operation of the underground market, we resort to investigating common haunts: advertisements via search engines, blackhat forums such as hxxp://blackhatworld.com, and freelance labor pages including Fiverr and Freelancer. In total, we identify a disparate group of 27 merchants whom we elect to purchase accounts from. We conduct a total of 140 successful orders of accounts, purchasing roughly 120K accounts over a period from June, 2012 — April, 2013. Prices throughout our study are relatively stable, as shown below:

Of the orders we placed, merchants fulfilled 70% in a day and 90% within 3 days. We believe the stable pricing and ready availability of fraudulent accounts is a direct result of minimal adversarial pressures on account merchants.

Circumventing Automated Registration Barriers

IP Addresses: Unique IP addresses are a fundamental resource for registering accounts in bulk. Without a diverse IP pool, fraudulent accounts would fall easy prey to network-based blacklisting and throttling.
As a whole, miscreants registered 79% of the accounts we purchase from unique IP addresses located across the globe. India is the most popular origin of registration, accounting for 8.5% of all fraudulent accounts in our dataset. Other “low-quality” IP addresses (e.g. inexpensive hosts from the perspective of the underground market) follow in popularity.

Registration Origin   Accounts Registered   Share of Unique IPs
India                  6029                  8.50%
Ukraine                6671                  7.23%
Turkey                 5984                  5.93%
Thailand               5836                  5.40%
Mexico                 4547                  4.61%
Viet Nam               4470                  4.20%
Indonesia              4014                  4.10%
Pakistan               4476                  4.05%
Japan                  3185                  3.73%
Belarus                3901                  3.72%
Other                 46850                 48.52%

Email Confirmation: Web services frequently inhibit automated account creation by requiring new users to confirm an email address with a challenge-response code. Unsurprisingly, we find this barrier is not insurmountable, but it does affect the pricing of accounts, warranting its continued use. The most abused email providers are as follows:

Email Provider   Accounts Abused   Share of Email-Confirmed Accounts
hotmail.com      64050             68.32%
yahoo.com        12339             13.16%
mail.ru          12189             13.00%
gmail.com         2013              2.15%
nokiamail.com      996              1.06%
Other             2157              2.30%

In total, merchants email confirm 77% of accounts we acquire, all of which they seeded with a unique email. The failure of email confirmation as a barrier directly stems from pervasive account abuse tied to web mail providers. Merchants abuse Hotmail addresses to confirm 60% of Twitter accounts, followed in popularity by Yahoo and mail.ru. This highlights the interconnected nature of account abuse, where credentials from one service can serve as keys to abusing yet another.

Despite merchants' ability to confirm an email address, we find that email-confirmed accounts sell for 56% more than their non-confirmed counterparts. This difference likely reflects the base cost of an email address plus the overhead of responding to a confirmation email.

CAPTCHA Solving: As with email confirmation, CAPTCHAs are not an insurmountable barrier to automated account creation, but they do prevent a substantial number of fraudulent registrations. We find that 92% of fraudulent accounts that are shown a CAPTCHA fail to produce a valid solution. (This failure rate is somewhat higher than expected: automated solvers studied previously achieved success rates of 18–30%.) Despite this, account sellers still register thousands of accounts over time, simply playing a game of odds.

Impact of Merchants on Twitter Spam

In order to gauge the impact that merchants have on Twitter spam, we develop a classifier that retroactively identifies several million spam accounts registered in the last year. Of these, 73% had been sold and were actively tweeting or forming relationships at some point, while the remainder lay dormant and had yet to be purchased. We find that, during active months, the underground market was responsible for registering 10–20% of all accounts that Twitter later flagged as spam.

The most damaging merchants from our impact analysis operate out of blackhat forums and web storefronts, while Fiverr and Freelancer sellers generate orders of magnitude fewer accounts.

The End Goal — Profit

We estimate the revenue generated by the underground market based on the total accounts sold and the prices charged during their sale. We distinguish accounts that have been sold from those that lay dormant and await sale based on whether an account has sent tweets or formed relationships. For sold accounts, we identify which merchant created the account and determine the minimum and maximum price the merchant would have charged for that account based on our historical pricing data.

We estimate that the total revenue generated by the underground account market through the sale of Twitter credentials is in the range of $127,000–$459,000 over the course of a year. We note that many of the merchants we track simultaneously sell accounts for a variety of web services, so this value likely represents only a fraction of their overall revenue. Nevertheless, our estimated income is far less than the revenue generated from actually sending spam or selling fake anti-virus, where revenue is estimated in the tens of millions. As such, account merchants are merely stepping stones for larger criminal enterprises, which in turn disseminate scams, phishing, and malware throughout Twitter.

Disrupting the Underground Marketplace

With Twitter’s cooperation, we suspend an estimated 95% of all fraudulent accounts registered by the 27 merchants we track, including those previously sold but not yet suspended for spamming. We estimate our precision through this process at 99.9942%.

Immediately after Twitter suspended the last of the underground market’s accounts, we placed 16 new orders for accounts from the 10 merchants we suspected of controlling the largest stockpiles. Of 14,067 accounts we purchased, 90% were suspended on arrival due to Twitter’s previous intervention. When we requested working replacements, one merchant responded with:

All of the stock got suspended … Not just mine .. It happened with all of the sellers .. Don’t know what twitter has done …

Similarly, immediately after suspension, hxxp://buyaccs.com put up a notice on their website stating “Временно не продаем аккаунты Twitter.com”, translating via Google roughly to “Temporarily not selling Twitter.com accounts”.

While Twitter’s initial intervention was a success, the market has begun to recover. Of 6,879 accounts we purchased two weeks after Twitter’s intervention, only 54% were suspended on arrival. As such, long term disruption of the account marketplace requires both increasing the cost of account registration and integrating more robust at-signup time abuse classification into the account registration process.