dialing back abuse on phone verified accounts · 2020-03-25 · accounts (pva). to carry out our...
TRANSCRIPT
Dialing Back Abuse on Phone Verified Accounts
By Kurt Thomas, Dmytro Iatskiv, Elie Bursztein, Tadek Pietraszek, Chris Grier, Damon McCoy
Published at: CCS (Computer and Communication Security) Year: 2014 URL: https://www.elie.net/publication/dialing-back-abuse-on-phone-verified-accounts Slides: http://www.slideshare.net/elie-bursztein/dialing-back-abuse-on-phone-verified-accounts Related research: https://www.elie.net/tag/anti_fraud_and_abuse
Dialing Back Abuse on Phone Verified Accounts
Kurt Thomas
⇧Dmytro Iatskiv
⇧Elie Bursztein
⇧
Tadek Pietraszek
⇧Chris Grier
†⇤Damon McCoy
‡
⇧Google, Inc
†University of California, Berkeley
⇤International Computer Science Institute
‡George Mason University
{kurtthomas, diatskiv, elieb, tadek}@google.com [email protected] [email protected]
ABSTRACTIn the past decade the increase of for-profit cybercrime hasgiven rise to an entire underground ecosystem supportinglarge-scale abuse, a facet of which encompasses the bulk reg-istration of fraudulent accounts. In this paper, we present a10 month longitudinal study of the underlying technical andfinancial capabilities of criminals who register phone verifiedaccounts (PVA). To carry out our study, we purchase 4,695Google PVA as well as pull a random sample of 300,000Google PVA that Google disabled for abuse. We find thatmiscreants rampantly abuse free VOIP services to circum-vent the intended cost of acquiring phone numbers, in e↵ectundermining phone verification. Combined with short livedphone numbers from India and Indonesia that we suspectare tied to human verification farms, this confluence of fac-tors correlates with a market-wide price drop of 30–40% forGoogle PVA until Google penalized verifications from fre-quently abused carriers. We distill our findings into a set ofrecommendations for any services performing phone verifi-cation as well as highlight open challenges related to PVAabuse moving forward.
Categories and Subject DescriptorsK.4.1 [Public Policy Issues]: Abuse and crime involvingcomputers
KeywordsAccount abuse; phone verification; underground economies
1. INTRODUCTIONIn the past decade the increase of for-profit cybercrime
has given rise to an entire underground ecosystem support-ing large-scale abuse, a facet of which encompasses the bulkregistration of fraudulent accounts. Miscreants leverage thismarket to obtain cheap email addresses and social networkcredentials for as little as 0.50¢ an account [26], in turn fu-eling spam and abuse at the expense of millions of users.
Permission to make digital or hard copies of part or all of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for profit or commercial advantage, and that copies bear this notice and the full ci-
tation on the first page. Copyrights for third-party components of this work must be
honored. For all other uses, contact the owner/author(s). Copyright is held by the
author/owner(s).
CCS’14, November 3–7, 2014, Scottsdale, Arizona, USA.
ACM 978-1-4503-2957-6/14/11.
http://dx.doi.org/10.1145/2660267.2660321.
The deluge of messages that follow seek to monetize victimsin a variety of manners: from spamvertised products [14]to phishing and malware attacks that perpetrate softwarescams [22], clickfraud [7], banking theft [23], or convert in-fected victims into assets for the pay-per-install market [5].
Web services attempt to rate limit this torrent of auto-matically generated accounts through CAPTCHAs, emailverification, and most recently phone verification. WhileCAPTCHAs and email accounts are trivially available fromthe underground for relatively low prices [15, 26], ideallyphone numbers represent a scarce resource for criminals thatare otherwise globally accessible to legitimate users [16,17].Consequently, when Google deployed phone verification asa signup protection, prices on the underground surged from$30 per 1K to over $500. Yet there are signs that criminalshave streamlined the circumvention of phone verification.Prices for Google accounts have declined to as low as $85per 1K at the time of this study.
In this paper, we present a longitudinal study of the un-derlying technical and financial factors influencing the di-minishing e↵ectiveness of phone verification. To conductour study, we track phone verified account (PVA) abuse onGoogle over a 10 month period from July, 2013–April, 2014.Our perspective includes 4,695 accounts purchased from across-section of 14 account merchants selling Google PVAon blackmarket forums and storefronts as well as a sampleof 300,000 PVA disabled by Google for abuse. We rely onthese dual datasets to monitor the pricing and organizationof the market for phone verified accounts; evaluate how mis-creants circumvent the intended cost of phone verification;and identify a set of recommendations for preserving thelong term viability of phone verification.
We find that merchants are capable of registering a steadystream of thousands of PVA that subsequently sell for $85–$500 per 1K to the underground. This wildly di↵erent pricerange reflects both the financial barrier imposed by phoneverification (where some merchants advertise real SIM cardsfrom a variety of regions and prices) as well as the influenceof account resellers operating in a similar fashion to spama�liate programs [14]. Merchants fulfill orders for fully func-tioning, phone verified accounts within 24–48 hours, thoughthe lifetime of accounts is dubious; 68% of the PVA we pur-chase are disabled within a month of their changing handsdespite laying dormant, likely due to re-used infrastructure.
We analyze the registration process tied to abusive PVA tounderstand the root source of phone numbers and the mostfrequently abused carriers. We find that 24% of PVA dis-
abled by Google are verified with free VOIP numbers fromBandwidth.com (which services Google Voice, Pinger, andother providers [3]), e↵ectively allowing miscreants to cir-cumvent the cost of acquiring SIM cards. The remainingaccounts in our dataset are verified with phone numberstied to a variety of mobile carriers, the most popular ofwhich originate from India and Indonesia. We find evidencethese regions are traditionally related to CAPTCHA farmsand underground hired labor, suggesting that abusive phoneverification may be a manual endeavor. Combined with reg-ular re-use of short lived phone numbers, this confluence offactors correlates with a market-wide price drop of 30–40%for Google PVA from November, 2013–February, 2014 untilGoogle penalized verifications from frequently abused carri-ers.
Based on our findings, we produce a set of recommen-dations and best practices for services that rely on phoneverification. In particular, we propose a carrier reputa-tion system that automatically penalizes SMS and VOIPproviders consistently associated with abusive accounts. Al-ternative approaches—such as blacklisting phone numbersupon abuse detection to prevent re-use—are too slow com-pared to the velocity that phone numbers appear and disap-pear. Ultimately, we argue that a global phone number rep-utation similar to IP and domain reputation systems [1, 12]is required to prevent miscreants from amortizing the costof abusive SIMs and VOIP numbers across multiple ser-vices, as well as to prepare for the potential of compromisedphones—already a challenge for banking two-factor authen-tication [27]—serving as a platform for verifying accounts inthe future.
In summary, we frame our contributions as follows:
• We conduct a 10-month longitudinal study of the fi-nancial and technical challenges related to phone ver-ified abuse.
• We find an increased reliance on VOIP numbers and in-expensive SIMs from India and Indonesia—likely tiedto manual verification farms—correlate with a pricedrop of 30–40% for Google PVA.
• We evaluate a number of underground practices in-cluding phone re-use, phone access durations, and pre-ferred carriers.
• We distill our findings into a set of recommendationsand best practices for services that rely on phone ver-ification.
2. BACKGROUNDPhone verification is a single iteration in a long evolution
of abuse safeguards that aim to prevent the bulk registrationof accounts. We provide an overview of the process behindphone verification, how the underground market has under-mined prior protections, and privacy and ethical standardswe obied by when studying phone verified abuse.
2.1 Phone Verification ProcessPhone verification serves as both an initial signup protec-
tion as well as an abuse escalation where services preventsuspicious account from conducting further actions until af-ter verification. To start the verification process, a clientprovides a number they wish to associate with their account.The server then sends a challenge PIN via SMS or voice to
that number which the client must correctly enter into a webform to prove receipt and complete the process. Phone ver-ification is currently employed by Google, Facebook, Twit-ter, LinkedIn, and Craigslist among other services to combatabuse as well as for security and account recovery purposes.
Phone verification imposes a cost on both criminals andservices. For criminals, a single number typically has a hardlimit on the quantity of accounts it can be associated with.Re-use also exposes bulk accounts to clustering where oneabuse violation can trigger a cascade of deactivations acrosscorrelated accounts. Consequently, miscreants require a con-stant stream of fresh numbers to seed registrations. Con-versely, services employing phone verification as a defenseincur a fee for each SMS or voice challenge. This exposesservices to typical operational costs as well as resource ex-haustion attacks where miscreants request SMS verificationfor a deluge of numbers tied to expensive carriers to incurexorbitant SMS fees, a threat we discuss further in Section 6.
2.2 Evolution of Abuse SafeguardsPhone verification builds on a history of defenses that in-
cludes IP reputation, CAPTCHAs, and email verification.Ideally, these are scarce resources for criminals to acquirethat otherwise exert little friction on legitimate users. Inpractice, many of these components are readily availablefrom the underground.
IP Addresses: Services can leverage IP addresses as a weakidentity tied to newly registered accounts. When thousandsof accounts are registered from a single IP, there is a stronglikelihood of abuse. To circumvent detection, criminals relyon compromised hosts and proxy services to acquire accessto tens of thousands of IPs [26]. Anecdotally, we see adver-tisements for proxies as low as $250/mo for 15,000–30,000IPs on blackmarket forums.
CAPTCHAs: CAPTCHAs—intended as human-solvabletasks that prevent automation—have become a staple ofthe underground economy [15]. Services such as http://spamvilla.com advertise automated CAPTCHA solvers with50% accuracy for $30/mo, while human CAPTCHA farmssuch as http:// antigate.com outsource CAPTCHA solvingto an array of laborers operating out of India, Pakistan,Ukraine, Russia, Vietnam, and Indonesia for $0.70 per 1Ksolutions. The availability of manual solvers underminesthe feasibility of CAPTCHAs (though such services are notfree).
Email Verification: Email verification serves to tie therate miscreants can create accounts to the rate they canacquire email addresses. This e↵ectively outsources abuseprevention to email providers who in turn must rely on al-ternative signals. In response, email addresses have becomea fundamental resource of the underground. Hotmail.comand Yahoo.com accounts are available from merchants foras low as $5 per 1K [26].
Each of these scenarios highlight how the undergroundevolves over time to respond to new defenses. While bleakfrom a defenders perspective, each successive protection in-creases the cost of accounts, cutting into the bottom line ofspam and abuse.
2.3 Privacy and Ethical ConsiderationsPart of our study requires interacting with underground
merchants selling Google phone verified accounts as well as
analyzing registration data tied to abusive signups. We buildon the guidelines originally discussed by Thomas et al. [26]for interacting with the account underground. Prior to ourstudy, we worked with the authors respective institutions aswell as Google to set down a policy for purchasing accounts.We conduct all purchases (which would otherwise violateGoogle’s Terms of Service) with Google’s express permis-sion. Furthermore, even though merchants provide us withpasswords, we never access accounts. Finally, we restrict ouranalysis to merchants who publicly advertise Google phoneverified accounts; we do not purchase accounts beyond thisscope nor attempt to deceive or coerce the merchants in-volved.
3. CAPTURING ABUSIVE ACCOUNTSTo conduct our study, we rely on two sources of phone
verified accounts (PVA): purchased accounts acquired froma cross section of the underground economy and a sampleof abusive accounts disabled by Google for Terms of Serviceviolations related to spam and abuse. We combine these twodatasets to provide insights into the pricing of phone verifiedaccounts as well as to understand the scope of Google phoneverified abuse.
3.1 Purchased AccountsOur purchased account dataset consists of 2,217 PVA that
we buy in July 2013 at the onset of our study and a sec-ond set of 2,478 we purchase at the conclusion of our studyin April 2014. We rely on purchasing to validate the au-thenticity of merchants as well as to understand the marketorganization for phone verified accounts. We provide anoverview of how we identify account merchants, the pricesthey charge, and the duration merchants stockpile accounts.We find that 68% of the accounts we purchase in July are dis-abled by Google’s infrastructure within one month. Giventhis high coverage, we elected not to conduct regular repur-chases and instead concentrate our analysis on PVA disabledby Google throughout our study. We believe this minimizesour financing of underground merchants without sacrificingaccess to a representative sample of PVA abuse. We relyon our second purchase in April 2014 to understand howthe market has adapted, providing a detailed comparison inSection 5. We restrict the remainder of our discussion inthis section to our first purchase set.
3.1.1 MerchantsWe identify a cross section of 14 merchants advertising ac-
cess to Google accounts (among other services) on web store-fronts, blackhat forums, and freelance labor pages. For oper-ational concerns we refrain from documenting the identitiesof the merchants we solicit. Advertisements range in so-phistication from automatically generated accounts with noprofile information to “manually generated” accounts with“real SIM cards” from Eastern Europe which cost substan-tially more. From this bazaar, we elect to purchase 2,217PVA split across 3 merchants on blackhat forums and 4 mer-chants operating their own storefronts in July, 2013. Mer-chants fulfilled all orders in 24-48 hours with working, phoneverified accounts. We provide a summary of these purchasesin Table 1 which we reference throughout this section.
As an extension of purchasing, we also track the pricingof Google PVA (and non-PVA) based on public listings ad-
Asset Price/1K Volume Disabled
Google PVA $85 105 77%Google PVA $100 1,000 89%Google PVA $172 168 100%Google PVA $200 100 0%Google PVA $300 103 11%Google+ PVA $135 81 100%YouTube PVA $95 220 100%YouTube PVA $153 98 5%YouTube PVA $276 192 0%YouTube PVA $300 100 28%YouTube PVA $500 50 0%
Table 1: List of assets we purchase, the associated priceper 1K, the volume we purchase, and whether the accountsare eventually disabled.
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
● ● ● ● ● ● ● ●
● ● ● ● ● ● ● ● ●
$60
$80
$100
$120
$140
$160
Jul Oct Jan Apr
Price
per
Tho
usan
d
Figure 1: Historical pricing data for Google PVA mer-chants from July, 2013–April, 2014. A market wide pricedecrease of 30–40% is visible from November until Februaryfor PVA.
vertised by 6 of the 14 merchants we identify.1 We poll thisdata on a weekly basis from July, 2013 until the conclusionof our study in April, 2014. We rely on this historical pric-ing data to understand the stability of the PVA marketplaceand to understand how price correlates with adaptations inphone verification techniques. When available, we also trackthe prices of Facebook and Twitter PVA accounts which weuse to understand the burden imposed by phone verificationas a general technique.
3.1.2 Account PricingPrices for the accounts we purchase in July, 2013 range
from $85 per 1K at the lowest and $500 at the highest, asdetailed in Table 1. We provide a breakdown of the his-torical prices these and other merchants charge throughoutour study in Figure 1, with prices over $250 omitted forclarity. Prices in this upper bracket were $250, $300, $350,$500, and $600 per 1K accounts. These prices never changedthroughout our monitoring.
Despite a large pool of competing storefronts, we find noevidence of merchants attempting to undercut one anotherby lowering prices. Instead, the cost of Google PVA remainfixed throughout our study, with the exception of a single
1Other merchants rely on email or Skype conversations todetermine up-to-date pricing which precludes passive moni-toring.
Service Reg. Cost PVA Cost Increase
Google $80 $100 1.25xYoutube $270 $349 1.29xYoutube $80 $150 1.875xGoogle $120 $230 1.9xGoogle $80 $500 6.25xFacebook $300 $600 2xFacebook $70 $350 5xFacebook $400 $1800 4.5xTwitter $20 $500 25x
Table 2: Price di↵erence between phone verified and reg-ular accounts for Google, Facebook, and Twitter based onadvertisements from 3 merchants. Despite a wide range ofprices, phone verification tends to impose a 1.25x–6.25x in-crease, with the exception of Twitter at 25x.
market-wide drop lasting November, 2013–February, 2014.During this period, almost all of the merchants we tracked(with the exception of those in the upper bracket) loweredtheir pricing by 30–40% before returning to their previousrate. The correlated behavior of merchants leads us to be-lieve that many storefronts are merely resellers for the samemiscreant in a similar fashion to spam a�liate programs [14].
3.1.3 Cost of Phone VerificationThe primary goal of phone verification is to throttle the
rate miscreants can register fraudulent accounts, and as abyproduct, increase the cost of credentials. While we can-not determine the fees that merchants pay to acquire freshphone numbers, we can measure how merchants pass thesecosts on to blackmarket consumers. Of the merchants wetrack, three simultaneously advertised non-PVA and PVAequivalents for Google as well as Facebook, while one mer-chant advertised access to Twitter non-PVA and PVA. (Wewere unable to find merchants advertising both LinkedIn orCraigslist PVA and non-PVA.) We use these merchants tomeasure the price increase imposed by phone verification.Assuming that merchants rely on the same infrastructureto register PVA and non-PVA, this allows us to isolate theimpact of phone verification from variable merchant sophis-tication and registration safeguards across services.
Table 2 shows the relative price increase underground mer-chants charge for phone verification. While the base priceof accounts are wildly di↵erent between merchants, this in-crease is relatively fixed: 1.25x–6.25x for Google and 2–5xfor Facebook. The 25x increase for Twitter is likely a re-sult of merchants not yet adapting to phone verification onthe service, with PVA accounts emerging only at the endof March, 2014 (a month before our study concluded). Weobserved a similar drastic price di↵erence with the initialrelease of Google PVA in 2012, where prices were 17x theirnon-PVA equivalent. We note that a direct comparison be-tween PVA multipliers is di�cult due to varying service-levelpolicies on the number of accounts that can be associatedwith a single phone or whether certain phone numbers areprohibited as verification endpoints.
We caution there is no indication whether blackmarketconsumers are willing to bare the fees charged by accountmerchants. Equally opaque is whether the price di↵eren-tial between non-PVA and PVA accounts is grounded in thescarcity of phone numbers, demand, or consumer naivety.Consequently, we explore the relation between phone verifi-
cation techniques and market price, particularly during themarket-wide price reduction, further in Section 4.
3.1.4 StockpilingThe freshness of accounts is an important metric for
whether merchants conduct real-time bulk registrations orinstead rely on outdated stockpiles. We measure the ageof the 2,217 accounts we purchase as the delta between thetime we order accounts versus the time merchants registeredthe accounts. Accounts range in age from 1–164 days, withan average age of roughly 27 days. Our results indicatethat merchants are not reliant on old stockpiles, but in-stead have access to recently registered accounts. Pairedwith stable pricing throughout our analysis, this suggeststhat merchants have a regular supply of phone numbers attheir disposal.
3.1.5 Disable RateInactive accounts that merchants stockpile are not im-
mune to abuse detection. We measure the volume of ac-counts per merchant that Google disables (independent ofour purchasing and analysis), shown in Table 1. Overall,Google disables roughly 68% of the accounts we acquirewithin one month of their purchase. We find that cheaperaccounts are more frequently correlated with being caughtand deactivated by Google, indicating that price may havesome bearing on the e↵ort account merchants put into bulkregistering accounts (e.g. limiting the reuse of infrastructureto avoid clustering). For the purposes of our study, the highrecall rate allows us to rely on sampling abusive accountsdisabled by Google without risk of omitting a large mar-ket segment of PVA abuse. We note however that withoutregular repurchases, we cannot guarantee the detection rateremains stable throughout our analysis.
3.2 Abusive AccountsThe bulk of our analysis relies on a retroactive random
sample of 300,000 Google PVA created and disabled forspam and abuse between July, 2013–April, 2014. No ac-count information ever leaves Google datacenters or is ac-cessed in non-aggregate form by external researchers. Foreach of these accounts (as well as our purchased accountdataset), we have access to the registration IP, registrationphone number, and other signals tied to the registrationprocess. We note that due to potential delays in abuse de-tection, we may underestimate the volume of abuse towardsthe tail end of our collection period. We consider this lim-itation whenever we discuss trends in the volume of abuseover time or changes in registration behaviors.
4. ANALYZING ABUSIVE ACCOUNTSA fundamental question of our investigation is the sus-
tainability of phone verification as a defense against bulkaccount creation. We find evidence that phone verified abuseis a persistent threat. To dissect this problem, we analyzethe origin of abusive number and techniques miscreants useto maximize the value they garner from a single phone num-ber. We relate these technical measurements that capturethe complexity of creating phone verified accounts to theprices merchants charge. Finally, we analyze the e↵ective-ness of other registration safeguards including IP reputation,CAPTCHAs, and secondary email addresses.
4.1 Origin of Abusive Phone NumbersWe examine multiple facets tied to the origin of phone
numbers including the country of origin, the carrier provid-ing service, and whether fraudulent accounts are registeredwith collocated IPs and phone numbers. We acquire thesephone signals from an MSISDN2 database used by Googleto map phone numbers to carrier data (including whetherthe number is VOIP). We note that similar databases arepublicly available, though typically for some fee.
4.1.1 Breakdown by CountryWe examine the country code of each phone number as-
sociated with our abusive and purchased accounts to cap-ture which regions serve as the most popular verificationendpoints. We find that the United States is the singlelargest origin of phone numbers, accounting for 27% of abu-sive PVA in our dataset. This is followed in popularity byIndia (22%), Indonesia (12%), Nigeria (4%), South Africa(4%), and Bangladesh (4%), with other regions accountingfor 28% of abuse. We note that receiving an SMS in all ofthese top countries other than the United States is free.
Bulk access to phone numbers in these regions appears tobe a variable process. Figure 2 shows a weekly breakdownof the top six countries serving as verification endpointsthroughout our study. Phones from India, while prevalentat the onset of our measurement (contributing nearly 40% ofnew PVA), has fallen o↵ in favor of Indonesia. In contrast,phones from the United States dominate 60% of new PVAregistrations from October–February. This period overlapswith the drastic price reduction we observe from November–February, a phenomenon we explore further in the next sec-tion.
For the accounts we purchased at the onset of our study,97% were verified with phone numbers from the UnitedStates while 3% were associated with numbers from Ukraine.We find that only one of the 7 merchants we solicit rely onnon-US numbers. If we examine pricing based on the re-gion that phones numbers originate from, merchants appearto charge arbitrarily for accounts verified with US numbers.Such accounts range $85–300 per 1K accounts, while the solemerchant verifying accounts from Ukraine charged $500 per1K. Our findings indicate that the origin of phone numbersalone cannot explain the cost of an account or why certainmerchants are more likely to have their stockpiles disabled.
4.1.2 Breakdown by CarrierWe further subdivide countries based on the abused car-
riers operating in each region, the results of which we showin Table 3. Bandwidth.com—a VOIP provider in the UStied to multiple free telephony services including Pinger andGoogle Voice [3]—represents the single largest gateway forabuse. This is followed in popularity by a multitude of mo-bile carriers predominantly operating out of India and In-donesia. We evaluate each of these verification approachesseparately.
VOIP Abuse: VOIP in particular poses a significant threatto the intended cost of phone verification. Services such asPinger [18] and TextPlus [24] allow new customers to regis-ter for a free, SMS-receivable number in exchange for solvinga CAPTCHA or email verification challenge. Such resources
2An MSISDN is the unique international representation ofa phone number which is associated with a SIM card.
●●●●●●●●●●●●
●●
●●●●●●●●●●●●●●●●●●●●●●●●●●
0%
20%
40%
60%
Jul Oct Jan AprRegistration Date
Wee
kly P
erc.
of A
busiv
e PV
A
country ● BD ID IN NG US ZA
Figure 2: Weekly breakdown of the top 6 country codesassociated with abused phone numbers. The most popu-lar origins of numbers are the United States (US), India(IN), Indonesia (ID), Nigeria (NG), South Africa (ZA), andBangladesh (BD).
are cheaply available from the underground as we previouslydiscussed in Section 2. Similarly, services such as GoogleVoice allow miscreants to convert an existing phone num-ber (including US VOIP numbers) into multiple new phonenumbers. This creates an abuse multiplier that allows mis-creants to amortize the cost of the original phone numberseed as well as mask the original carrier. All of these servicesare available online, opening up the possibility for miscre-ants to scrape page content to automate SMS verificationchallenges. In total, 24% of all abusive PVA in our datasetwere verified with VOIP numbers.
The merchants we solicit readily exploit cheap VOIP num-bers to circumvent the intended cost of phone verification.Of the accounts we purchased, 97% were verified via num-bers tied to a mixture of VOIP providers including Band-width.com, Level 3, and Telengy. This trend is also repre-sented in Figure 2 where 94% of all US numbers used toverify accounts between October–January were VOIP. Thedecrease in US phone numbers after January is the resultof Google penalizing new registrations tied to frequentlyabused US VOIP providers. This confluence of events cor-relates with the 30–40% price drop in accounts that we ob-serve from November–February after which prices returnedto their normal levels. While we cannot provide definitiveproof, our results suggest that market prices can serve as anindicator of the underlying performance of abuse safeguards.
Mobile carriers: VOIP numbers alone do not explain theentire phone verified abuse ecosystem; a second substantialcomponent is fueled by mobile carriers tied to India andIndonesia including PT, Bharti, and Vodafone. Our un-derstanding of how miscreants acquire phone numbers fromthese regions and subsequently respond to SMS challenges isless clear than VOIP. Anecdotally, when we conducted oursearch to identify merchants selling PVA, we also encoun-tered an underground market segment surrounding verifica-tion as a service. Sites such as http://sms-area.org adver-tise automated APIs for phone verifying Vkontakte, Google,and Facebook accounts. Prices for these services are as low
Rank Carrier Country Popularity
1 Bandwidth.Com US 19.91%2 Pt ID 7.29%3 Bharti IN 5.31%4 Vodafone IN 4.04%5 Mtn NG 2.99%6 Idea IN 2.79%7 Telekomunikasi ID 2.23%8 Aircel IN 2.11%9 Tata IN 1.87%10 Viettel VN 1.71%11 Reliance IN 1.71%12 Mtn ZA 1.52%13 Gramenphone BD 1.51%14 Vodacom ZA 1.29%15 Bsnl IN 1.28%16 Excelcom ID 1.16%17 Hutchison ID 0.95%18 Level 3 US 0.86%19 Cell ZA 0.84%20 Telengy US 0.81%
- Other - 37.80%
Table 3: Top 20 carriers used by abusive phone verified ac-counts. Verification challenges are predominantly sent overVOIP or to a concentrated set of carriers in India and In-donesia.
as $140 per 1K verification codes for mobile (non-VOIP)numbers originating from Russia, Kazakhstan, and Belarus.Similarly, miscreants can acquire SIM cards in bulk. We seeresellers advertising prices of $140–420 per 1K SIM cardsfor Russian carriers such as Beeline, MTS, and MegaFon.While we can only speculate, discussions we observe on un-derground forums suggest that workers manually respond toverification challenges using modified cell phones to simplifycycling through SIM cards. This reflects related strategiesfor CAPTCHA solving that rely on manual laborers oper-ating out of India and Indonesia as discussed in Section 2.
4.1.3 Collocation of Phones and IP AddressesOne potential measurement of the validity of a newly reg-
istered PVA is the collocation of a phone’s country of originand the geolocation of the IP address a miscreant uses toregister the account. Figure 3 shows a weekly breakdownof the six most popular IP geolocations tied to signups at acountry granularity. We find that trends in IP geolocationnearly mirror that of phone origins (previously presented inFigure 2). The exception to this trend is the decreased popu-larity of US IP addresses, which may be a direct consequenceof the di�culty of purchasing hosts in the US from the pay-per-install market [5] or the respective cost of freelance laborin the US compared to other regions. Quantitatively, 60%of abusive accounts in our dataset share the same IP andphone origin, while the same is true for only 33% of pur-chased accounts. This deviation for purchased accounts is aconsequence of the majority of phone numbers coming fromthe United States while IPs originate in India, a trend thatis also reflected in Figure 3 for abusive accounts back inJuly. Our results indicate that miscreants bulk registeringPVA take care to mimic the expected behavior of legitimateregistrations beyond avoiding clustering.
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●0%
20%
40%
60%
Jul Oct Jan Apr
Wee
kly P
erc.
of A
busiv
e PV
A
country ● BR ID IN US VN ZA
Figure 3: Geolocation of IPs related to abusive signups.The most frequent source of abusive IPs mirrors that of abu-sive sources of phone numbers.
4.2 Lifecycle of a Phone NumberMiscreants have a multitude of strategies for how they
leverage SMS access once acquired. We measure the numberof accounts that miscreants associate with the same phonenumber, estimate the duration miscreants control phonenumbers, and identify whether miscreants opt for SMS orvoice challenges.
4.2.1 Phone ReuseMiscreants can reuse a phone number multiple times to
amortize the cost of acquiring access to a VOIP numberor SIM card. For each phone numbers in our abusive ac-count sample we calculate the total number of all registeredaccounts that share the same number, regardless if Googledisabled those accounts for abuse. We repeat this processagain for phone numbers tied to purchased accounts. Toserve as a comparison, we also obtain re-use statistics tiedto a random sample of 300,000 benign phone numbers (pro-vided by Google). Figure 4 shows a summary of our results.
We find that 36% of numbers associated with abusive ac-counts are unique. This results in a skewed distribution,where the top 10% of phone numbers (ranked by popular-ity) are used to register 23% of accounts. A similar resultappears for numbers tied to purchased accounts where only13% of numbers are unique and the top 10% of numbersare used to create 25% of accounts. In total, phone clustersof size 5 or greater contain 58% of abusive accounts. Asa result, a safeguard that restricts the number of accountsmiscreants can associate with a single phone number canhave a substantial impact on the volume of phone numbersrequired to sustain PVA abuse while having little impact onlegitimate users.
4.2.2 Phone Access LifetimeDuring our investigation of the underground we found that
blackmarket merchants o↵ering SMS as a service frequentlyadvertised a limited window of availability—clients wouldreceive access to a number for 30-90 days, after which thatnumber would no longer be accessible. We estimate the life-
●
●
●
●
● ● ● ● ● ●
25%
50%
75%
100%
1 3 5 7 9Number of accounts sharing phone number
Perc
enta
ge o
f num
bers
label ● abusive benign purchased
Figure 4: CDF of the size of account clusters all verifiedwith the same phone number.
●●●●●●●●●●●●●●●●●●●●●
●●
●●
●●
●●●●●●
0%
25%
50%
75%
100%
1 60 1440 40320Lifetime of phone number (minutes)
Perc
enta
ge o
f num
bers
label ● abusive benign purchased
Figure 5: CDF of time between successive account regis-trations sharing the same phone number.
time that miscreants control a number as the time betweenits first use to its last use within our measurement window,restricting our analysis to numbers used at least five times.This timestamp is determined based on the creation time ofan account. Our results are shown in Figure 5.
We find that 62% of phone numbers tied to abusive PVAhave a lifetime of only 1 hour. Similarly, 55% of phones tiedto purchased accounts have a lifetime of only 1 hour and76% less than a day. This indicates that once miscreantsacquire a phone number, there is a high velocity period ofabuse, after which the phone number is never used again.Consequently, blacklisting an individual phone number uponan abuse report is ine↵ective at preventing future abuse ifthe delay between an account’s creation and deactivation isgreater than a day.
Defenders can leverage this short lifetime to their advan-tage. Miscreants that purchase accounts from the under-ground have no means to re-verify access to a phone numberonce the account transfers hands. Similarly, merchants thatbulk generate thousands of accounts would need to catalogand retain the VOIP number or SIM card used to verify eachaccount, something that may be impossible. We explore howservices can perform re-verification without increasing fric-tion on legitimate users further in Section 6.
4.2.3 Verification Challenge TypeWhen miscreants verify fraudulent PVA they can opt to
receive challenge codes via SMS or voice. We find that 90%of abusive accounts rely on SMS codes, while the same istrue for 85% of purchased accounts. This holds for benignaccounts as well where users verify their phone 94% via SMS.We find that the verification method miscreants use is inde-pendent of whether they rely on VOIP or mobile numbers.The exception to this rule is PT in Indonesia; 31% of ver-ification codes served through this carrier were conductedover voice. This further suggests that human verifiers mayrespond to challenges from this region, though we note thatvoice transcription software is an alternative explanation.We cannot draw any conclusion as to how SMS codes frommobile phones are recovered, though we note that VOIPservices such as Google Voice digitize text messages thatmiscreants can scrape.
4.3 Alternative Account ChallengesPhone verification is one layer in a set of successive
challenges miscreants must pass in order to register anew account. These other challenges include IP signals,CAPTCHA solving, and providing a secondary email. Webriefly examine how miscreants circumvent each of thesemeasures. When possible, we compare our results to those ofthe Twitter account market examined by Thomas et al. [26]to determine whether merchant techniques for bulk registra-tion generalize across services.
4.3.1 IP DiversityMiscreants rely on IP addresses from India (32%), the
United States (19%), Indonesia (11%), Vietnam (2%), anda range of other countries to register abusive PVA. Our pur-chased accounts were registered via IPs exclusively from In-dia (70%) and the United States (30%). In contrast, miscre-ants targeting Twitter relied on a much more diverse rangeof countries; India, the most popular region, accounted foronly 8% of abuse [26]. We believe this di↵erence stems di-rectly from miscreants relying on IP addresses collocatedwith phones, as previously discussed in Section 4.1.
Once miscreants have access to an IP they register tensto hundreds of accounts from that portal. Figure 6 showsa breakdown of IP reuse amongst abusive, purchased, anda random sample of benign accounts. The merchants wepurchase from clearly restrict the number of accounts theyregister from a single IP. Other miscreants bulk registeringaccounts are not so cautious. Nevertheless, IP reuse is nota foolproof signal; benign accounts are frequently registeredvia the same IP due to NATing and mobile tra�c.
4.3.2 CAPTCHA SolvingWe find that CAPTCHAs are a minor roadblock in the
account creation process. In total, 56% of abusive accountssolved a CAPTCHA. Miscreants solved these CAPTCHAscorrectly 96% of the time. This accuracy is a strong indi-cation of human solvers based on the results of Motoyamaet al. [15], though it may be possible that OCR CAPTCHAsolving has vastly improved since then. Our findings di↵erfrom Thomas et al. [26] where the majority of Twitter ac-count merchants relied on what appeared to be automatedsolvers with roughly 7% accuracy. We cannot directly mea-sure the time it takes miscreants to solve a CAPTCHA.However, we can estimate the overall time it takes miscre-
●●●
●●
●●●●
●●●●●●●●●●●●●
●●●●●
●●
●●
0%
25%
50%
75%
100%
10 1000Number of accounts registered with same IP address
Perc
enta
ge o
f IPs
label ● abusive benign purchased
Figure 6: Reuse of IP addresses for registering accounts.
ants to register a new account. We find it takes a median of1.86 minutes from the time Google displays a signup form tothe time miscreants submit a response. In contrast, benignregistrations take a median of 3.36 minutes. This overalltiming yields little signal into the abusiveness of a newlyminted account. It is likely miscreants purposefully delaytheir automation speeds to avoid rudimentary timing detec-tion.
4.3.3 Secondary Email AddressGoogle allows new accounts to associate a secondary email
for recovery purposes. While not required, we find that 83%of purchased accounts and 34% of abusive accounts providea secondary email. A breakdown of the most popular emailproviders tied to abusive accounts is shown in Table 4. Weobserve that 52% of abusive PVA list a second Gmail addressas a recovery email. For purchased accounts (not shown inthe Table), 57% use a secondary Gmail address. The remain-ing 43% of accounts use Hotmail.com, one of the cheapestemails on the underground that we observe merchants sell-ing for $5 per 1K. Apart from an increased prevalence ofGmail addresses, the most popular email providers are iden-tical to those abused by Twitter account merchants with theexception of redi↵mail.com [26].
The frequency of Gmail recovery addresses amongst bulkgenerated accounts is a result of email chaining where mis-creants specify a recovery address tied to a previously gen-erated account they control. We build a graph of all email-secondary email pairs and find that 95% of accounts wepurchased share a link with another purchased accounts.Miscreants form chains that are 2–4 accounts long beforeforming a cycle with the start of the chain. We note thatforming a cycle is possible because secondary addresses arenot validated on signup. This practice removes any cost as-sociated with merchants purchasing secondary emails whileproviding a credible veneer in the event recovery emails arefactored into spam analysis.
5. REVISITING THE UNDERGROUNDFollowing the conclusion of our market and abuse mon-
itoring in April, 2014, we revisit the underground mer-chants we originally solicited to procure a fresh set of 2,478Google PVA. We use these accounts to independently verifythe long-term impact of Google’s penalization of frequentlyabused carriers in January, 2014 (discussed in Section 4.1).
Rank Email provider Popularity
1 gmail.com 52%2 redi↵mail.com 10%3 yahoo.com 10%4 hotmail.com 6%5 mail.com 2%
- Other 19%
Table 4: Top 5 email providers used as recovery addressesfor abusive PVA.
Of the accounts we purchase, 29% are stale accounts regis-tered back in mid-October, 2013 while the remaining 71%are fresh accounts created in mid-April, 2014. We discussthe implications each set has on our understanding of theaccount blackmarket and abusive phone verification.
Stale Accounts: Merchants providing stale PVA are stillliquidating stockpiles they generated during the period oframpant VOIP abuse. All of the accounts in this set werephone verified via Bandwidth.com, re-a�rming our findingspresented in Section 4.1. Even though old stockpiles are reg-ularly disabled (discussed in Section 3), we find that mer-chants are still able to retain some operational credentials.The presence of such accounts also suggests a lack of liquid-ity in the market; merchants have held on to accounts for 6months without sale. One potential explanation is consumerskepticism on the merchant’s credibility or the exorbitantfees they charge.
Fresh Accounts: Merchants providing fresh PVA haveadapted to the new phone verification requirements imposedby Google. Of fresh accounts, only 12% were verified viaBandwidth.com—an evolution we see mirrored at the endof our analysis in April. Instead, merchants verify 74% ofPVA with a previously unobserved US carrier that is likely aVOIP provider and 9% from a carrier related to TextMe (anAndroid and iOS VOIP app) which we previously observed.Our results highlight the resilience of the underground tointervention. Nevertheless, we believe that if services forcemerchants away from VOIP it will in turn raise the opera-tional costs of miscreants and ultimately cut into the prof-itability of spam and abuse.
Noticeably absent in our fresh account sample are anyphones tied to carriers in India or Indonesia as we see in ourabusive dataset. This may reflect a limitation in our cover-age of the underground market or alternatively indicate thatsome spammers are vertically integrated and beyond our ac-cess. As such, while we believe that underground infiltrationprovides an invaluable oracle into the performance of abusesafeguards, it should be supplemented with service-side datato provide a dual perspective on abuse.
6. ADAPTING PHONE VERIFICATIONWe distill our underground market analysis of PVA abuse
into a set of recommendations and best practices for servicesreliant on phone verification. While our perspective of PVAabuse is limited to Google, we believe the threats we iden-tify are fundamental to phone verification and thus applyoutside its confines. We also take a moment to discuss openchallenges for phone verification services moving forward in-cluding resource exhaustion attacks and the potential forcompromised phones.
6.1 Restricting Phone NumbersThe long term validity of phone verification hinges on ser-
vices enforcing the scarcity of phone numbers as an under-ground resource. To satisfy this requirement, we proposetwo solutions: a carrier reputation system which tracks themost frequently abused telephony providers at a coarse leveland phone reputation that provides fine-grained abuse in-formation related to phone numbers, similar to existing IP,domain, and social reputation systems [1, 12,13,28].
6.1.1 Carrier ReputationAs our analysis shows, account merchants gravitate to-
wards free or inexpensive regional telephony carriers for thebulk of their phone numbers. If we examine the aggregatecontributions of carriers ranked by popularity–shown in Fig-ure 7–we find miscreants verify 20% of all abusive PVA froma single carrier and 50% of PVA from the top 10 carriers.Blacklisting carriers outright (with the exception of VOIP)is not an option. Table 5 shows a breakdown of the top 10carriers tied to PVA abuse and the fraction of all accountsverified via those carriers that are considered legitimate byGoogle (e.g. not disabled). Only Bandwidth.com, the VOIPprovider we saw a�liated with rampant abuse, has a low rep-utation. All other carriers are popular amongst legitimateusers.
An alternative to blacklisting is to adaptively throttlethe number of accounts that can be tied to a single phonenumber on a per-carrier basis. While there are legitimateusers who rely on re-using phone numbers (discussed in Sec-tion 4.2), phone verification services can strike a balancebetween user friction and abuse prevention. In particular,services can restrict phones tied to frequently abused carriersto a one-to-one mapping between accounts and phone num-bers, forcing miscreants to acquire more numbers. Othercarriers would default to a many-to-one allowance. Carrierreputation scores can also be considered as a factor into ma-chine learning risk evaluations tied to new registrations.
This same system can outright block mobile and VOIPservices (if appropriate) when the threshold of abusive ac-counts drops below an acceptable level. While miscreantsmay spread their verification endpoints over multiple carri-ers, this forces criminals to pay higher fees. Craigslist hastaken a similar policy to the extreme, blacklisting all VOIPand non-US numbers as verification endpoints [6]. Thisstrategy has kept Craigslist PVA at a price of $3.50–$5 peraccount (as advertised by account merchants), though it pre-cludes a global user bases. Carrier reputation services cur-rently exist from Telesign and Pindrop, though the method-ology or accuracy of these systems is not public.
6.1.2 Phone ReputationWhere carrier reputation can help throttle the creation
rate of PVA, phone reputation can outright block abusiveregistrations. The primary challenge of phone reputation isthe velocity of abuse. As we discussed in Section 4.2, 62% ofphones used to verify abusive accounts have a lifetime un-der one hour. Consequently, if abuse reports cannot flag aphone number in time, the window for a reputation systemto impact abuse will have passed. One option is for servicesto restrict the velocity of new registrations tied to the samephone number (e.g. forcing users to wait a period beforea phone number is re-usable), but this o↵ers no protectionif numbers are single-use. This benefit could be expanded
20%
40%
60%
80%
100%
10 1000Number of Carriers
Perc
enta
ge o
f Abu
sive
PVA
Figure 7: Aggregate contribution of fraudulent PVA ofcarriers ranked by popularity. Miscreants use the top carrierto verify 20% of all abusive PVA and the top 10 to verify50% of PVA.
Rank Carrier Country % Good
1 Bandwidth.com US 41%2 Pt ID 91%3 Bharti IN 98%4 Vodafone IN 98%5 Mtn NG 97%6 Idea IN 98%7 Telekomunikasi ID 99%8 Aircel IN 98%9 Tata IN 98%10 Viettel VN 99%
Table 5: Top 10 carriers used by abusive phone verifiedaccounts and their respective reputations. Blacklisting car-riers outright would impact a disproportionate number oflegitimate users.
by services sharing abuse information which would preventverification as a service merchants (discussed in Section 4.1)from registering multiple accounts cross-service with a sin-gle phone number. We also believe that phone reputationcan become a predictive score that assesses the risk of apreviously unseen phones tied to newly registered account.Potential features include the sequentiality of phone num-bers and whether the phone number has appeared in othercontexts before. We leave such a system for future work.
6.1.3 Phone ReverificationThe relatively short lifetime of phone numbers—a median
of less than 1 hour in our analysis—raises the potential fordefenders to re-verify phone numbers as an e↵ective abuseescalation. By limiting re-verification as a response to sus-picious activity (e.g. sending an abnormal number of email;rapidly subscribing to hundreds of YouTube channels), le-gitimate users will avoid the friction imposed by phone ver-ification. Conversely, miscreants who purchased accountswill not have access to the original phone number tied to anaccount after it changes hands. Similarly, spammers thatare vertically integrated and register their own credentialsmust retain access to thousands of SIM cards, somethingthat may not be possible if miscreants rely on verificationas a service merchants. This adds yet another dimension tothe complexity of circumventing phone verification, where
duration of access becomes just as important as the quan-tity of phone numbers miscreants can draw from. We notethat Facebook may already rely on this practice based onchatter from underground forums, but cannot confirm.
6.2 Open Challenges
6.2.1 Phone ChainingWhen miscreants abuse free call forwarding services such
as Google Voice, they must register a phone number to serveas the forwarding endpoint. While this initial number isintended as a safeguard—similar to email verification or aCAPTCHA—the existence of other free (virtual) numbersovercomes this protection. This is exacerbated by the po-tential many-to-one relationship between seed numbers andnumbers handed out by forwarding telephony services. Thisleads to a vulnerability we call phone chaining. In particular,miscreants can use a single free mobile number or free VOIPnumber that fans out to multiple free forwarding numbers.These in turn can serve as forwarding endpoints at otherservices, with miscreants repeating the process ad nauseamto create an arbitrarily sized tree of phone numbers for veri-fication purposes. Even if virtual number providers preventchaining between their own phone number pool, miscreantscan obfuscate the original identity of a number by cyclingthrough multiple forwarding services for each level of thetree. Absent a comprehensive forwarding blacklist—whichis di�cult to acquire due to phone ranges constantly chang-ing hands and limited opacity into phone ownership—thereis nothing to prevent this practice. An alternative is to havetelephony services charge for forwarding numbers, but globaladoption is required to prevent miscreants from constantlyshifting their operations to free providers.
6.2.2 Resource Exhaustion AttacksPhone verification is not free. Services must pay a fee
for each attempted SMS or phone challenge. The cost ofphone verification exposes services to resource exhaustionattacks. Miscreants can request thousands of spurious ver-ification codes for non-existent numbers or phones tied tolegitimate victims (who may in turn be charged a deliveryfee). Assuming a fixed daily budget, a fail-open system willallow miscreants to bypass phone verification all together;a fail-closed system will block legitimate users from regis-tering new accounts. This challenge also exists for emailverification—services that generate excessive bounce notifi-cations expose themselves to throttling on the receiving endthat can degrade the delivery rate of important messages.While services can perform a risk analysis for each new reg-istration attempt and block suspicious registrations before aSMS challenge is sent, we view resource exhaustion attacksas an open challenge.
6.2.3 Compromised PhonesThe widespread adoption of Android and iOS devices car-
ries with it an emerging risk of mobile malware [8]. In-stances already exist of the Zeus banking trojan interceptingtwo-factor authentication PINs for liquidating a victim’s as-sets [27]. Other threats include mobile drive-by-downloadsinstalling the NotCompatible malware family that convertsa victim’s phone into a mobile proxy [19]. While we find noevidence of miscreants using compromised phones as ver-ification endpoints, there is no reason that compromised
phones will not become a commodity market like compro-mised hosts [5]. This possibility undermines the longtermsustainability of phone verification and any protection pro-vided by carrier-level reputation. Similarly, it forces phonereputation systems into a reactive position, e↵ectively be-coming phone blacklists much like existing IP and DNSblacklists [21].
7. RELATED WORKMonetizing Account Access. Miscreants leverage bulkregistered accounts to expose legitimate users to spam,phishing, and malware [9, 11]. At its heart, a substantialamount of spam serves to advertise products and lure peopleto purchase pharmaceuticals, replica goods, and counterfeitsoftware, often with the aid of complex infrastructure man-aged by a�liates and a�liate programs [14]. Recent alter-natives in monetization include ad syndication services andad-based URL shortening [25]. These examples highlightthe range of strategies that miscreants employ to generate aprofit once they gain access to account credentials.
Reputation Systems. Reputation is commonly used toprevent or limit abuse of web services. One technique, withroots in email spam filtering, is the use of IP addresses forreputation [13]. Using IP reputation enables a web serviceto quickly score actions and label them as abusive or benign.IP reputation can become error prone and new techniqueshave been developed for evaluating IP address ranges thatare populated with a mix of benign and abusive actions [13].Approaches to reputation have also evaluated automatedscoring using network-level features [12]. In addition to IPaddresses, other forms of reputation are used to label do-mains [4], and accounts on web services by leveraging theobserved actions of existing users to vet new accounts [28].Phone reputation over voice has also been explored based onaudio features introduced by telephony networks [2], thoughsuch features do not extend to numbers used purely for SMS.
Applications of Phone Verification. In addition to pre-venting fraudulent account registration, SMS and phone ver-ification is used broadly to prevent account hijacking. Onewidely deployed use is two-factor authentication for onlinebanking. With SMS two-factor, a one-time code is sent viaSMS and used along with the username and password tologin [20]. Even two-factor authentication is not withoutvulnerabilities, and criminals have used malware to inter-cept SMS messages on the target phone [10, 20]. Similar totwo-factor authentication, other uses for phone verificationinclude account recovery, and as an informational channelto alert users of changes to their account.
8. CONCLUSIONIn this paper, we presented a longitudinal study of the
underlying technical and financial factors influencing the di-minishing e↵ectiveness of phone verification. To conduct ourstudy, we combined underground intelligence gleaned from4,695 phone verified accounts purchased from 14 blackmar-ket merchants as well as 300,000 phone verified accountsdisabled by Google for spam and abuse. We found thatmerchants were capable of registering a steady stream ofthousands of PVA that subsequently sold for $85–$500 per1K to the underground. Many of these merchants appearedto operate in a fashion similar to spam a�liate programs,
reiterating that specialization with the underground ecosys-tem is the norm. We found that merchants used inexpensiveVOIP numbers to circumvent the intended cost of acquiringSIM cards, e↵ectively invalidating the defense provided byphone verification. As this practice became a widespread,we observed a simultaneous market-wide price drop of 30–40% for Google PVA until Google penalized verificationsfrom frequently abused phone carriers. Our results high-light how blackmarket monitoring can provide an invaluableoracle into the performance of abuse safeguards. This infor-mation vastly simplifies the task of defenders keeping pacewith evolutions of the underground, in turn better protect-ing users against spam and abuse.
9. ACKNOWLEDGMENTSThis work was supported in part by the National Science
Foundation under grant 1237265 and 1237076, by the Of-fice of Naval Research under MURI grant N000140911081,and by a gift from Google. Any opinions, findings, and con-clusions or recommendations expressed in this material arethose of the authors and do not necessarily reflect the viewsof the sponsors.
10. REFERENCES[1] M. Antonakakis, R. Perdisci, D. Dagon, W. Lee, and
N. Feamster. Building a dynamic reputation systemfor dns. In Proceedings of the USENIX SecuritySymposium, pages 273–290, 2010.
[2] V. A. Balasubramaniyan, A. Poonawalla, M. Ahamad,M. T. Hunter, and P. Traynor. Pindr0p: usingsingle-ended audio features to determine callprovenance. In Proceedings of the 17th ACMconference on Computer and communications security,pages 109–120. ACM, 2010.
[3] Bandwidth.com. Who we are.http:// bandwidth.com/about-us, 2014.
[4] L. Bilge, E. Kirda, C. Kruegel, and M. Balduzzi.EXPOSURE: Finding Malicious Domains UsingPassive DNS Analysis. In NDSS, 2011.
[5] J. Caballero, C. Grier, C. Kreibich, and V. Paxson.Measuring Pay-per-Install: The Commoditization ofMalware Distribution. In Proceedings of the USENIXSecurity Symposium, 2011.
[6] Craigslist. How does phone verification work? http://www.craigslist.org/ about/ help/ phone verification,2014.
[7] V. Dave, S. Guha, and Y. Zhang. Measuring andFingerprinting Click-Spam in Ad Networks. InProceedings of the ACM SIGCOMM. ACM, 2012.
[8] A. P. Felt, M. Finifter, E. Chin, S. Hanna, andD. Wagner. A Survey of Mobile Malware in the Wild.In Proceedings of ACM Workshop on Security andPrivacy in Smartphones and Mobile Devices, 2011.
[9] H. Gao, J. Hu, C. Wilson, Z. Li, Y. Chen, and B. Y.Zhao. Detecting and Characterizing Social SpamCampaigns. In Proceedings of the 10th ACMSIGCOMM conference on Internet measurement, 2010.
[10] L. Goddard. Researchers discover five new samples ofzitmo malware for android and blackberry.http://www.theverge.com/2012/ 8/ 8/ 3227638/zitmo-malware-android-blackberry-samples, August2012.
[11] C. Grier, K. Thomas, V. Paxson, and M. Zhang.@spam: The Underground on 140 Characters or Less.In Proceedings of the ACM Conference on Computerand Communications Security (CCS), 2010.
[12] S. Hao, N. A. Syed, N. Feamster, A. G. Gray, andS. Krasser. Detecting Spammers with SNARE:Spatio-temporal Network-level Automatic ReputationEngine. In USENIX Security Symposium, volume 9,2009.
[13] C.-Y. Hong, F. Yu, and Y. Xie. Populated IPAddresses: Classification and Applications. InProceedings of the 2012 ACM Conference onComputer and Communications Security, 2012.
[14] K. Levchenko, A. Pitsillidis, N. Chachra, B. Enright,M. Felegyhazi, C. Grier, T. Halvorson, C. Kanich,C. Kreibich, H. Liu, et al. Click trajectories:End-to-end analysis of the spam value chain. InProceedings of IEEE Security and Privacy, 2011.
[15] M. Motoyama, K. Levchenko, C. Kanich, D. McCoy,G. M. Voelker, and S. Savage. Re:Captchas-understanding captcha-solving services in aneconomic context. In Proceedings of the USENIXSecurity Symposium, 2010.
[16] Pew Research. Emerging nations embrace internet,mobile technology.http://www.pewglobal.org/ 2014/ 02/ 13/emerging-nations-embrace-internet-mobile-technology/ ,2014.
[17] Pew Research. Mobile technology fact sheet.http://www.pewglobal.org/ 2014/ 02/ 13/emerging-nations-embrace-internet-mobile-technology/ ,2014.
[18] Pinger. Free unlimited texting to 35 countries fromyour computer. https://www.pinger.com/ content/text-from-your-computer/ , 2014.
[19] F. Ruiz. Android notcompatible looks like piece of pcbotnet. http:// blogs.mcafee.com/mcafee-labs/androidnotcompatible-looks-like-piece-of-pc-botnet ,2012.
[20] B. Schneier. Two-Factor Authentication: Too Little,Too Late. 2005.
[21] S. Sinha, M. Bailey, and F. Jahanian. Shades of grey:On the e↵ectiveness of reputation-based “blacklists”.In Malicious and Unwanted Software, 2008.
[22] B. Stone-Gross, R. Abman, R. A. Kemmerer,C. Kruegel, D. G. Steigerwald, and G. Vigna. TheUnderground Economy of Fake Antivirus Software. InEconomics of Information Security and Privacy, 2013.
[23] B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert,M. Szydlowski, R. Kemmerer, C. Kruegel, andG. Vigna. Your Botnet is My Botnet: Analysis of aBotnet Takeover. In Proceedings of the ACM CCS,pages 635–647. ACM, 2009.
[24] Text+. Free text to anyone in the us or canada.http://www.textplus.com/ , 2014.
[25] K. Thomas, C. Grier, V. Paxson, and D. Song.Suspended Accounts In Retrospect: An Analysis ofTwitter Spam. In Proceedings of the InternetMeasurement Conference, November 2011.
[26] K. Thomas, D. McCoy, C. Grier, A. Kolcz, andV. Paxson. Tra�cking Fraudulent Accounts: The Roleof the Underground Market in Twitter Spam and
Abuse. In Proceedings of the USENIX SecuritySymposium, 2013.
[27] TrendMicro. Zeus now bypasses two-factorauthentication. http:// blog.trendmicro.com/trendlabs-security-intelligence/zeus-now-bypasses-two-factor-authentication/ , 2013.
[28] Y. Xie, F. Yu, Q. Ke, M. Abadi, E. Gillum,K. Vitaldevaria, J. Walter, J. Huang, and Z. M. Mao.Innocent by Association: Early Recognition ofLegitimate Users. In Proceedings of the 2012 ACMconference on Computer and communications security,2012.