2025-01-16 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
To download the full PDF version of the "2015 Data Risk Control Annual Report", please click here
Chapter I Review of data risk Control in 2015
With the rapid development of e-commerce, online games and Internet finance in 2015, start-ups acquired users and cultivated their consumption habits through subsidized promotional activities, but high subsidies and concessions also gave birth to a "black industrial chain". The groups of "scalpers", "code players" and "econnoisseur" have formed specialized organizations with more than one million employees and a clear internal division of labor. They have seriously undermined the purpose of commercial activities and embezzled hundreds of millions in activity funds, so that normal users cannot enjoy the direct benefits of the activities; these behaviors are only one step away from fraud.
Cyber crime in 2015 also became more professional, large-scale and organized. There were more than 20 major security incidents caused by information leakage in various industries at home and abroad, and the number of users with account risk exceeded 1 billion.
While the Internet changes traditional business, it also fundamentally changes malicious acts and even crimes that profit from fraud and theft. The Internet's ability to share distributed information synchronously lets participants in the "underground industry" communicate with each other in real time, among multiple parties and from multiple angles. This networking and coordination is their biggest advantage over the traditional crime chain. In addition to professional "* *" and "scalpers", this network also connects ten thousand times as many peripheral members. All they do is "code", "text message", false transactions and unrealistic comments, for easy profits.
Chapter II Analysis of the Black Industry chain of Internet Services
At present, the daily trading volume of the underground industry can reach hundreds of millions, but this is only the tip of the iceberg. What lies beneath is more complex and hidden; the overall scale of the underground industry is difficult to estimate, and its unknown capacity is even more frightening.
2.1 Overview of Black Industry chain
The underground industry now has a very mature business operation model; its industrial chain is complex, hidden, efficient and closely integrated.
The upstream is the basic link of the industrial chain: it is responsible for mining, production and supply, supporting many types of online underground industry and providing them with important data. The upstream includes CAPTCHA identification services, mobile CAPTCHA service platforms, automated software tools, and social work libraries (social-engineering databases) that provide identity information and accounts as raw materials for the underground industry.
The midstream consists of network account providers and trading platforms, which act as account producers and service providers in the industrial chain and form a bridge between upstream and downstream.
The downstream consists mainly of gangs that use abnormal network accounts to carry out fraud, theft, brushing and other malicious acts. They operate at the front line, confronting network users directly and causing them direct losses.
Fig. 1 panoramic view of network black industry chain
The underground industry personnel are mainly men aged 17 to 21, mainly distributed in Jiangsu, Guangdong, Zhejiang, Shandong and other coastal provinces, which is consistent with the distribution of economic development and population density.
Fig. 2 Top regional distribution of employees in underground industry
Compared with 2014, the total income of the underground industry this year is 100 billion; total income is highest for the underground industry related to the mobile CAPTCHA platform, and per capita income is highest for the underground industry related to the brushing platform.
The underground industry has professional capability, 100% energy input, a complete industrial chain structure and division of labor, and a variety of advanced testing tools, whereas enterprises and developers do not have the corresponding security experience, energy and time to invest in security. The result is a war between them without gunpowder smoke and with a great disparity in strength.
Fig. 3 A war of great disparity between enterprises and developers and the underground industry
2.2 Upstream of underground industry: coding platform, mobile verification code platform, underground industry software
1. Coding platform (picture CAPTCHA platform)
Many websites use image CAPTCHAs to identify machine behavior and intercept abnormal requests. The coding platform has therefore become one of the necessary modules for most underground industry software: it provides an interface for that software and defeats the picture verification codes that websites set to distinguish machine from human behavior.
Low-income personnel of underground industrial organizations recognize the pictures manually on the coding platform, so the protection offered by picture verification codes is easily bypassed (each recognition costs only 0.001 to 0.25 yuan). In 2015, the number of customers topping up on the coding platform increased by 27% compared with 2014, and the top-up amount increased by 40%.
Fig. 4 operational link of the picture CAPTCHA platform
Coding platform employees (code workers) are mainly distributed in Zhejiang, Guangdong, Henan and other regions.
Fig. 5 Top area distribution of picture CAPTCHA platform
2. Mobile CAPTCHA platform
The mobile CAPTCHA platform integrates the resources of multiple mobile CAPTCHA merchants and acts as a trading platform connecting sellers and buyers of CAPTCHAs.
The buyer fills in a mobile phone number obtained from the mobile verification code platform on the website for registration and verification, and the platform then returns the received verification code to the buyer, thus passing the website's verification. Generally speaking, this kind of mobile phone number is used only once. To counter this behavior, some websites verify the user's mobile phone number repeatedly, so there are also mobile CAPTCHA platforms whose numbers can be used for a long time. The charge for a mobile phone verification code ranges from 0.1 yuan to 3 yuan, which is cheaper than using a physical mobile phone card.
Fig. 6 operational link of mobile CAPTCHA platform
The use of the mobile CAPTCHA platform is increasing month by month. The number of people recharging the platform in 2015 was three times that of 2014, and the recharging amount was 2.6 times that of 2014, a rapid increase.
Figure 7 year-on-year increase in the number and amount of recharge of the mobile verification code platform
On the other hand, the mobile numbers on the mobile CAPTCHA platform mainly come from China Mobile, China Unicom, China Telecom and virtual operators, and mainly belong to Guangdong, Shaanxi, Zhejiang and Henan. People who use the mobile CAPTCHA platform are mainly distributed in Guangdong, Jiangsu, Henan, Fujian and other places.
Fig. 8 Top area distribution of mobile CAPTCHA platform
In 2015, the mobile CAPTCHA platform was mainly used in social networking, e-commerce, finance, life and other industries, accounting for 88% of the total. More than half of these mobile numbers are used for account registration.
Figure 9 Industries to which the mobile numbers flow
3. Underground industry software
Underground industry software covers a wide range of areas, including brushing, account theft, registration, panic buying, information collection, information group sending and so on. The specific production and sales links are as follows.
Figure 10 production and sales link of the software
2.3 Midstream of underground industry: malicious registration, account theft
1. Malicious registration
Malicious account registration is the source of malicious behavior. The whole process has become professional, with 100,000 employees, forming one-stop services that include mobile phone verification code service platforms, coding platforms, registration-software development groups and spam account distribution platforms. Batch malicious registration is mainly achieved through software; the specific process is shown in the following figure.
Figure 11 Process of batch registration with registration software
2. Account theft
In the login process, the underground industry obtains user information and then steals accounts by means of brute-force cracking and credential stuffing ("hitting the library").
Fig. 12 Process of account theft in the underground industry
The theft gang buys a batch of account data from *, and then tries the data against major P2P, social networking, O2O and other websites to obtain valid account passwords for the required websites through the so-called "hitting the library". After obtaining the account passwords for a website, the theft gang "washes" the accounts, separating out the valuable ones, and makes a profit by selling them through various channels.
2.4 Downstream of underground industry: cashing out
After the preparation in the upstream and midstream, the underground industry finally cashes out through activity brushing, fraud, theft, extortion and so on.
Activity brushing is a behavior in which professional groups make exorbitant profits directly by obtaining multiple accounts and using multiple devices to break through the platform's business logic restrictions, automatically or manually. It is a common threat that Internet enterprises encounter in promotions, and mainly occurs in activities such as flash sales ("second kill"), zero-yuan purchases, red packets and coupons.
Figure 13 process of activity brushing
In today's Internet+ environment, brushing is a very serious phenomenon: the profit margin is very high, the division of labor is becoming more and more detailed, and it has gradually become a pillar industry chain. The probability of popular activities being brushed is up to 100%; cases such as the zero-yuan purchase of a certain product and the red envelope promotion of a well-known tourism company are common, and the brushed funds flow directly into the underground industry.
Fig. 14 cases of brushing in some activities in 2015
2.5 Risk prevention and control scheme
Although the entire industry chain involves multiple links, the key actions are carried out through network accounts, which generally involve three interrelated business scenarios:
Registration scenario: most online activities are based on accounts, which are the basis and ammunition for all activities of the "underground industry". The number and quality of accounts are basically in direct proportion to the profits of "underground industry groups". The price at which accounts for each platform are bought and sold also directly reflects the profit available on that platform and the effect of its prevention and control. Identifying malicious registration, then intercepting and cracking down on it, reduces the number of accounts that the "underground industry" can use and effectively reduces the risk of cheating, spam, fraud and so on.
Login scenario: login is a threshold. Through the analysis of user behavior and device characteristics, most risks such as "library brushing", account theft and activity cheating can be identified at login, raising the login threshold for malicious accounts and adding corresponding verification for "library brushing" attempts and stolen accounts. For example, adding CAPTCHA and SMS verification to the login process can reduce the risk of account misuse. Password recovery and user information modification face the same risks as login, and the same prevention and control methods can be used.
Activity (trading) scenario: this is the main battlefield of the confrontation with the "underground industry", and also the place where its profits can be cut directly. Countermeasures here cannot simply identify risk; they must also consider the value of the account. By judging along two dimensions, machine-behavior risk and account value, and adjusting two levers, identity verification and the size of the discount, the "grey industry" is made unprofitable.
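A sketch of the login-scenario check described above, added here as an example and not taken from the report or from Aliju Security: it keeps a sliding window per IP and per device and steps up to CAPTCHA or SMS verification when one source tries many distinct accounts with a high failure rate, the pattern left by "hitting the library". The thresholds, class and field names, and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW = 300           # seconds of history kept per source (assumed value)
CAPTCHA_AT = 5         # distinct accounts per source before picture CAPTCHA
SMS_AT = 20            # distinct accounts per source before SMS verification
MIN_FAIL_RATIO = 0.8   # stuffing runs fail far more often than real users
LEVELS = ["allow", "captcha", "sms"]

class LoginRisk:
    """Hypothetical helper: scores each login attempt by source behavior."""
    def __init__(self):
        # ("ip", value) or ("device", value) -> deque of (ts, account, ok)
        self.seen = defaultdict(deque)

    def _level(self, key, ts, account, ok):
        q = self.seen[key]
        q.append((ts, account, ok))
        while q[0][0] <= ts - WINDOW:      # drop attempts outside the window
            q.popleft()
        accounts = len({a for _, a, _ in q})
        fail_ratio = sum(not s for _, _, s in q) / len(q)
        if fail_ratio < MIN_FAIL_RATIO:
            return 0                       # e.g. many real users behind one NAT
        return 2 if accounts >= SMS_AT else 1 if accounts >= CAPTCHA_AT else 0

    def decide(self, ts, ip, device, account, ok):
        """Return the verification to require from this source from now on."""
        # Scoring IP and device separately catches a device that rotates IPs.
        worst = max(self._level(("ip", ip), ts, account, ok),
                    self._level(("device", device), ts, account, ok))
        return LEVELS[worst]

def replay(events):
    """Feed events in time order; return the decision after each one."""
    risk = LoginRisk()
    return [risk.decide(*e) for e in events]

# Constructed sample events: (ts, ip, device, account, login_ok)
STUFFING = [(t, f"198.51.100.{t}", "dev-x", f"user{t}", False) for t in range(1, 26)]
TYPO_USER = [(t, "203.0.113.7", "dev-u", "alice", False) for t in range(1, 7)]
OFFICE_NAT = [(t, "192.0.2.10", f"dev-{t}", f"staff{t}", True) for t in range(1, 31)]

if __name__ == "__main__":
    for name, ev in [("stuffing", STUFFING), ("typo", TYPO_USER), ("nat", OFFICE_NAT)]:
        print(name, replay(ev)[-1])
```

A single user who mistypes a password and an office NAT with many successful logins both stay at "allow"; only the many-accounts, mostly-failing source is stepped up.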
In 2015, Aliju Security launched a scenario-based data risk control service, which provides real-time prevention and control functions for risk assessment, risk identification and risk control. For more information about the service and how to access it, please visit the Aliju Security official website.
Fig. 15 Aliju Security data risk control functions
Chapter III Development trend of data risk Control
As a key element of the "network black industry chain", the account already serves as a measure of effectiveness: the buying and selling price and the supply of accounts directly reflect the scale and trend of the "underground industry".
The "underground industry" based on account security has shown a growth trend of high returns, high technology and low cost, and this trend will be more explosive in 2016.
1. The scale of the "human flesh" (manual labor) and "social worker" (social engineering) models will expand.
Based on loopholes in business rules, the scale of malicious organizations using "human flesh" and "social workers" will expand in 2016. Malicious registration, account trading, account theft, private information trading, message promotion, brushing, activity cheating and other "underground industry" activities can all make a profit, and the high returns will attract a large number of people to join. In many links "human flesh" replaces "technology", so risk identification also needs to move from the original device and environment signals to a comprehensive judgment of user behavior.
2. The ability of "real-time" risk identification needs to be enhanced.
In 2015, through the war against cybercrime, the response time of both sides gradually shortened: the time from signing up an account to making a profit fell from the original T+N to the minute level. The confrontation in 2016 will be one of "real-time computing", and finding and resolving risks in real time will be the development trend of risk control systems. Because real-time risk control systems are costly to build, professional real-time security services such as those provided by Aliju Security will become mainstream.
3. "Diversified Verification" will become the mainstream
In 2015, a large number of accounts were stolen, which has made users lose confidence in passwords. "De-password" will become a trend, and risk-based "diversified configurable authentication" will become an important means of balancing security and experience.