Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


A closer look at coding platforms: CAPTCHA-solving and SMS-receiving services

Posted by ulberg at 2020-03-11

Brief introduction

Internet services have developed rapidly, reach into every part of daily life, and have a large impact on the economy, culture and society. Their security matters correspondingly more. Just as the firewall is basic infrastructure for network communication, Internet business security has its own basic infrastructure: the image CAPTCHA and the SMS verification code.

In Internet services, image CAPTCHAs are widely used to tell humans from machines, and SMS verification codes are used to filter out low-value users and to provide a second factor of verification.

As that infrastructure, image CAPTCHAs and SMS verification face many challenges. This article looks at a direct threat to Internet business: CAPTCHA-solving platforms (called "coding platforms", 打码平台, below) and SMS-receiving platforms ("mobile phone coding platforms"). Two scenarios illustrate them:

Scenario 1: log in to the 12306 railway ticketing site in bulk and buy tickets, but the CAPTCHA cannot be recognized automatically.

12306's CAPTCHA is complex and hard for a program to recognize. This is where an ordinary coding platform comes in. The program sends the CAPTCHA image to the platform's recognition API; the platform forwards it to a back-end human worker (码工, a "code worker") for recognition and returns the answer. On top of this manual solving service the program can be fully automated.

Scenario 2: register on a shopping site, which requires a mobile phone number and the verification code sent to it. How do you register accounts in bulk?

This is where a mobile phone coding platform (an SMS-receiving platform) comes in. It supplies a large stock of phone numbers and can send and receive SMS on them. The registration script only needs to call the platform's API to obtain a number and then the SMS content, and can register in bulk.

Finally, we briefly describe newer countermeasures to these threats.

1. General coding platforms

(1) Introduction

Many simple character CAPTCHAs no longer block automated behaviour effectively: a simple OCR tool can read them, and slightly harder ones can be read with high accuracy by combining OCR with machine learning. The WooYun (乌云) knowledge base has many articles on CAPTCHA recognition; interested readers can search for them.

Because ordinary character CAPTCHAs are easy to recognize, more complex CAPTCHAs have appeared that machines find hard to read, such as the ones shown in the figure.

So anyone who wants to perform malicious registrations or other bulk automated actions needs to bypass these hard CAPTCHAs. Manual coding platforms were created to meet that demand: they organize real people to recognize the CAPTCHAs and submit the answers.

(2) Operation flow chart

Note: suppose a group of bonus hunters (the "wool party", 羊毛党, see below) wants to farm promotional coupons on a site protected by a complex image CAPTCHA. Typically they register an account on a coding platform, top it up, and submit CAPTCHAs for recognition through the API the platform provides. The platform distributes each CAPTCHA to a worker's client, collects the worker's answer, and returns it to the bonus hunter.

1) Online earning platforms

Many coding platforms cooperate with "online earning" (网赚) platforms, because those platforms have large user bases. A platform where you can earn money just by typing verification codes every day appeals to many inexperienced users. We looked at one online earning platform (name omitted) that publishes various tasks for its users and pays in gold coins, which can be withdrawn once a certain amount has accumulated. Such platforms have a dedicated coding module that lists the partner coding platforms, as shown in the figure.

Click one of the listed coding platform projects, "know code and code" (a translated name), as shown in the figure.

Click to obtain a worker ID and password, then download the software provided. After passing a simple test, you start receiving the CAPTCHAs pushed by the coding platform, as shown in the figure below.

The worker can see the types of CAPTCHA they will receive, including multiple choice, fill-in-the-blank and mouse-click types. The software also shows the platform's current backlog of CAPTCHAs (45 in the figure), and after entering an answer the worker is immediately given the next one. Each CAPTCHA is worth a different number of points: harder CAPTCHAs pay more, and the online earning platform pays more for night work, which is why coding platforms charge more for night service. We can roughly estimate a worker's income. At the official rate of 10,000 gold coins per 1 yuan and about 100 coins per CAPTCHA, 100 CAPTCHAs earn 1 yuan, and a worker has to type 10,000 CAPTCHAs a day to earn 100 yuan.

2) General coding platforms

A coding platform offers recognition for many CAPTCHA types: ordinary character CAPTCHAs, multiple choice, arithmetic questions and other special types, each priced differently. Let's look at the price list of one coding platform.

Prices differ per CAPTCHA type. Topping up 10 yuan buys 25,000 "fast beans" (快豆, the platform's credit). The most common CAPTCHA costs 10 beans, so 10 yuan buys recognition of 2,500 ordinary CAPTCHAs; 12306's image CAPTCHA costs 60 beans, so 10 yuan buys a little over 400 of them. The platform is used through an API: the caller passes an account name and password, the CAPTCHA type and the CAPTCHA image file, as shown in the figure below.

3) Developers

Every coding platform has many developers who build software on the SDK the platform provides. For 12306, for example, a developer writes a ticket-grabbing tool with the coding platform wired in, so the bonus hunter using it only has to fill in their coding platform account. Developers earn commissions, which are generally high.

4) The wool party

What is the wool party?

Selectively joining promotions to obtain material benefits at low or even zero cost is called "pulling wool" (薅羊毛); the group that follows and is keen on it is the "wool party" (羊毛党), i.e. bonus hunters.

Earlier, the wool party was mainly active on O2O and e-commerce platforms. With the growth of Internet finance in 2015, many online lending platforms launched lucrative promotions to attract investors, such as sign-up and verification rewards, cashback on deposits and rebates on bids, which spawned a parasitic investor group known as the P2P wool party.

Of course, coding platforms are not used only by the wool party; ticket scalpers and fraudsters in the criminal underground (黑产) use them too.

(3) Interest chain

Note: the worker earns money by their own labour and cashes out through the online earning platform; the online earning platform cooperates with the coding platform and shares the revenue; the coding platform packages the service and sells it to the wool party; the platform's developers write software for the wool party to use; and the wool party profits from the target website through bulk registration, promotional discounts and similar means.

2. Mobile phone coding platforms

(1) Introduction

In Internet services, the SMS verification code filters out low-value users and pushes the service to target users. It is the basic form of real-name authentication based on the mobile phone number, premised on each person owning only a limited number of phone numbers. SMS verification therefore appears to prevent spam registrations and screen for genuinely valuable customers. For the phone-number registration scenario, however, the criminal underground has built the mobile phone coding platform (SMS-receiving platform), which hoards large numbers of SIM cards and offers SMS services on them. In our investigation we found that large platforms hold millions of SIM cards and small ones tens of thousands.

(2) Operation flow chart

The flow of a mobile phone coding platform is shown below. There are two main roles: the platform's ordinary users, usually the wool party, and the platform's card dealers (卡商, SIM card vendors).

Note: the platform provides interfaces for various "projects", such as registering an account on service XXX or binding a phone number on service XXX. The wool party only has to call the interface to obtain a phone number for a project, enter it on the target website, and then call the interface again to fetch the SMS content.

1) The mobile phone coding platform

The platform offers many projects. The project list of one mobile phone coding platform is shown in the figure below.

Each project is priced differently; P2P finance projects may cost more, while binding a phone number to a common product such as the 115 network disk is cheaper, at only 0.1 yuan per phone number. Receiving the SMS is simple; the platform's official API description is shown in the figure.

We only need to call the interface to get a number for a project, enter it on the website, and call the interface again to read the SMS content. Platforms usually also provide interfaces for sending SMS, receiving voice verification codes and other functions. Below is the SMS-sending interface of one mobile phone coding platform.

2) Card dealers

Card dealers (卡商) are users who hold large numbers of SIM cards and, through a modem pool ("cat pool", 猫池) and the software the coding platform provides, offer SMS receiving and sending for the platform's projects. Each time one of the dealer's numbers is used, the dealer earns the corresponding fee. Below is the card dealer client of one coding platform: the dealer plugs a large batch of SIM cards into the modem pool, connects it to a computer and selects the projects to serve.

A modem pool is a device with cellular modules that can send and receive SMS and hold many SIM cards at once. Typical models have 8 or 16 ports, and many have 128, i.e. 128 SIM cards inserted simultaneously. There are many types, many of them supporting 3G and 4G, as shown in the figure below.

Card dealers usually hold a very large number of cards, of which only some are used for SMS receiving; many others are used for QQ diamond memberships (钻), other memberships, data plans and so on. The market price is generally around 10 yuan per card. Many of these cards have passed real-name verification, and many are special cards with zero monthly rent and zero balance; those used for sending SMS naturally carry some balance. Below is an advertisement from one card dealer selling SIM cards, as shown in the figure.

As for where such large numbers of cards come from, the card dealer of one mobile phone coding platform disclosed the following.

These card dealers also run other businesses, such as QQ Super Member, Yellow Diamond and Green Diamond memberships; see the information posted by one coding platform's card dealers, shown in the figure.

3) The wool party

Let's look at a "wool collecting" group, which posts new promotion information every day.

Of course, these are small gains; the more profitable wool party activities are not readily disclosed, and many of them fall into the grey or black market. Such groups commonly sell identity information. In one group, photos of the front and back of ID cards, plus photos of the holder with the card, sell for only 0.2 yuan, as shown in the figure below.

(3) Interest chain

Using numbers from the mobile phone coding platform, the wool party registers on a website in bulk, obtaining throwaway accounts (小号), and then uses them to claim promotions in bulk: for example, Uber's refer-a-friend coupons, or sites that reward a referred new registration with phone credit. The coding platform charges for the SMS service and shares the revenue with its card dealers; the platform itself also holds some SIM cards. Card dealers in turn run several businesses: one is serving the coding platform, another is selling cards to the wool party for use in Super Member, diamond membership and similar schemes.

3. How to prevent and control

How can ordinary coding platforms and mobile phone coding platforms be countered? Using new CAPTCHA technology is one approach; building a blacklist database of mobile phone coding platform numbers is another. More important, however, is to build your own security risk-control system on top of a reputation system for users' phone numbers and devices, combined with large amounts of data.

(1) New CAPTCHAs

The traditional CAPTCHA is being replaced. Traditional CAPTCHAs can no longer stop automated behaviour, so new CAPTCHAs based on user behaviour have appeared. Their defining feature is that the human-or-machine decision no longer rests on a single recognition challenge, but on inherent human biological characteristics combined with information about the operating environment.

Examples are Google's reCAPTCHA

and Alibaba's nocaptcha.

Of course, this does not mean such CAPTCHAs cannot be bypassed. This year's Black Hat Asia presented a way to break Google reCAPTCHA; for details see "I'm not a human: breaking the Google reCAPTCHA".
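Added example, not from the article and not the algorithm of reCAPTCHA or nocaptcha: a minimal behaviour-based check in Python that scores a pointer trace instead of an image puzzle. The three features (how far the path deviates from a straight line, how irregular the sample timing is, and how much the speed varies) and their thresholds are assumptions chosen for illustration. The two traces are constructed: one written by hand to look like a human arc with uneven sampling, one generated the way a script interpolating between two points at a fixed interval would.

```python
"""Toy behaviour-based human/bot check on a pointer trace (added example).

Judge the operator by how the cursor moved rather than by whether an image was
read correctly. Features and thresholds are assumptions, not a real product's.
"""
import math

# Assumed thresholds: scripted input tends to be perfectly straight and
# perfectly regular; human input is curved and irregular.
MIN_STRAIGHTNESS = 1.02   # path length / chord length
MIN_TIMING_CV = 0.10      # coefficient of variation of inter-sample gaps
MIN_SPEED_CV = 0.20       # coefficient of variation of per-step speed

# Constructed traces, as (t_ms, x, y) pointer samples.
HUMAN_TRACE = [
    (0, 100, 200), (18, 108, 194), (31, 119, 186), (52, 133, 180),
    (63, 150, 177), (84, 166, 178), (97, 184, 184), (110, 199, 192),
    (131, 212, 200), (139, 223, 204), (160, 231, 205), (175, 238, 204),
]
BOT_TRACE = [(16 * i, 100 + 12 * i, 200 + 3 * i) for i in range(12)]


def _cv(values):
    """Coefficient of variation (std / mean); 0 for a constant or empty series."""
    if not values:
        return 0.0
    mean = sum(values) / len(values)
    if mean == 0:
        return 0.0
    var = sum((v - mean) ** 2 for v in values) / len(values)
    return math.sqrt(var) / mean


def features(trace):
    """Straightness, timing CV and speed CV for a trace of at least 3 samples."""
    steps = list(zip(trace, trace[1:]))
    lengths = [math.hypot(x1 - x0, y1 - y0) for (_, x0, y0), (_, x1, y1) in steps]
    gaps = [t1 - t0 for (t0, _, _), (t1, _, _) in steps]
    chord = math.hypot(trace[-1][1] - trace[0][1], trace[-1][2] - trace[0][2])
    speeds = [length / gap for length, gap in zip(lengths, gaps) if gap > 0]
    return {
        "straightness": sum(lengths) / chord if chord else math.inf,
        "timing_cv": _cv(gaps),
        "speed_cv": _cv(speeds),
    }


def classify(trace):
    """Return the features plus a boolean 'human' verdict.

    Fewer than three samples (a bare click with no movement) is treated as
    non-human: that is what a script that clicks the target directly produces.
    """
    if len(trace) < 3:
        return {"straightness": 0.0, "timing_cv": 0.0, "speed_cv": 0.0, "human": False}
    f = features(trace)
    f["human"] = (
        f["straightness"] >= MIN_STRAIGHTNESS
        and f["timing_cv"] >= MIN_TIMING_CV
        and f["speed_cv"] >= MIN_SPEED_CV
    )
    return f


if __name__ == "__main__":
    for name, trace in (("human", HUMAN_TRACE), ("bot", BOT_TRACE)):
        print(name, classify(trace))
```

A scripted trace comes out exactly straight with zero timing variance, which is why the products above also weigh the environment signals the article mentions (browser, device, history): a bot author can add jitter to the movement, so motion features are only one input to the decision.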

(2) Phone number credit library

For SMS coding platforms, go back to the essential purpose of the SMS verification code: filtering out low-value Internet users. Because the phone number real-name system is not yet complete, the cost of obtaining a phone number is low, so a phone number alone cannot effectively screen for genuinely valuable customers. But although numbers are cheap to obtain, most ordinary Internet users do not change their number often. We can therefore build a phone number credit library from the behaviour associated with each number, and filter for high-value customers based on the number's reputation rather than on the mere fact that the user owns a number.

(3) Risk-control system

For ordinary websites, building their own user reputation system is particularly important: prevention and control based on device reputation, user behaviour and similar information.

For P2P finance websites, building their own security risk-control system is especially important. Finance is more sensitive, so strong verification of user identity is needed, such as identity verification through bank card binding.
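Added example, not from the article and not any platform's or product's code: a toy sign-up risk check in Python that combines the three controls this section names, a blacklist of numbers seen on SMS-receiving platforms, a phone number reputation library, and device/IP/referral velocity. The sample sign-up events, the reputation records, the blacklist, the weights and the thresholds are all constructed for illustration; five of the events mimic the bulk-registration pattern of section 2, where one device cycles through pooled numbers under a single referral code.

```python
"""Toy sign-up risk check: phone reputation + device/IP/referral velocity.

Added example; event format, reputation fields, weights and thresholds are
assumptions chosen for illustration, not a real product's rules.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_S = 600                # sliding window for velocity counters (assumed)
DENY_AT, STEP_UP_AT = 60, 30  # assumed score thresholds

# Constructed sample sign-ups: (t seconds, phone, device fingerprint, client IP, referral code)
SIGNUPS = [
    (0,   "13800000001", "dev-a1",   "203.0.113.10", None),
    (30,  "13800000002", "dev-b2",   "203.0.113.11", "REF-ALICE"),
    (60,  "17000000101", "dev-farm", "198.51.100.5", "REF-X"),
    (65,  "17000000102", "dev-farm", "198.51.100.5", "REF-X"),
    (70,  "17000000103", "dev-farm", "198.51.100.5", "REF-X"),
    (75,  "17000000104", "dev-farm", "198.51.100.5", "REF-X"),
    (80,  "17000000105", "dev-farm", "198.51.100.5", "REF-X"),
    (120, "13700000007", "dev-d4",   "203.0.113.13", "REF-ALICE"),
    (900, "13900000009", "dev-c3",   "203.0.113.12", None),
]

# Constructed blacklist: numbers previously seen handed out by SMS-receiving platforms.
POOL_NUMBERS = {"17000000103", "17000000999"}

# Constructed cross-service reputation records: days since the number was first
# seen anywhere, and distinct services it joined in the last 30 days.
PHONE_REPUTATION = {
    "13800000001": {"age_days": 900,  "services_30d": 2},
    "13800000002": {"age_days": 400,  "services_30d": 1},
    "13700000007": {"age_days": 10,   "services_30d": 1},
    "13900000009": {"age_days": 1200, "services_30d": 3},
    "17000000101": {"age_days": 3,    "services_30d": 40},
    "17000000102": {"age_days": 2,    "services_30d": 35},
}


@dataclass
class Verdict:
    phone: str
    score: int
    decision: str
    reasons: list = field(default_factory=list)


class RiskEngine:
    def __init__(self):
        # bucket ("device", "ip", "referral") -> key -> timestamps of recent sign-ups
        self.recent = defaultdict(lambda: defaultdict(deque))

    def _velocity(self, bucket, key, t):
        """Sign-ups for this key within the window, including the current one."""
        q = self.recent[bucket][key]
        q.append(t)
        while q[0] < t - WINDOW_S:
            q.popleft()
        return len(q)

    def assess(self, t, phone, device, ip, referral):
        score, reasons = 0, []
        if phone in POOL_NUMBERS:
            score += 100
            reasons.append("phone_blacklisted")
        else:
            rep = PHONE_REPUTATION.get(phone)
            if rep is None:                       # never seen: nothing vouches for it
                score += 10
                reasons.append("phone_unknown")
            else:
                if rep["age_days"] < 30:
                    score += 40
                    reasons.append("phone_new")
                if rep["services_30d"] > 20:      # behaves like a pooled number
                    score += 30
                    reasons.append("phone_mass_signup")
        if self._velocity("device", device, t) >= 3:
            score += 50
            reasons.append("device_velocity")
        if self._velocity("ip", ip, t) >= 3:
            score += 20
            reasons.append("ip_velocity")
        if referral and self._velocity("referral", referral, t) >= 3:
            score += 30
            reasons.append("referral_velocity")
        decision = "deny" if score >= DENY_AT else "step_up" if score >= STEP_UP_AT else "allow"
        return Verdict(phone, score, decision, reasons)


def run(events=SIGNUPS):
    """Assess the events in order and return one Verdict per sign-up."""
    engine = RiskEngine()
    return [engine.assess(*e) for e in events]


if __name__ == "__main__":
    for v in run():
        print(f"{v.phone} {v.decision:8} score={v.score:3} {','.join(v.reasons)}")
```

Run it directly to see the verdicts. The point is not the particular weights but the shape of the signals: a number never seen before, or seen joining dozens of services, carries no positive reputation of its own, and a device or referral code recurring within one window says more than any single number does. The "step_up" outcome is where a stronger identity check such as the bank card binding mentioned above would be requested.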

(4) Other measures

Mobile phone numbers now require real-name registration, which has some effect on large-scale SIM card abuse. In our investigation, however, we still found large numbers of special cards, all of which had passed real-name or enterprise verification. In addition, the state has issued policies against mobile phone coding platforms and determined that they are illegal, so these platforms have also gone underground.