Service Rents Email Addresses for Account Signups(krebsonsecurity.com)
krebsonsecurity.com
Service Rents Email Addresses for Account Signups
https://krebsonsecurity.com/2023/06/service-rents-email-addresses-for-account-signups/
45 comments
SMS and email verification aren't really for spam prevention though, they're for user tracking/advertising. Otherwise they would only require the verification to send or post, not just read. And they wouldn't use dark patterns and extortion like tactics to get you to cough the info up instead of putting the requirement front and center.
This may be true of many corporate platforms, but this article describes what was done with a Mastodon instance. Mastodon instances are generally commercial/advertising free. This and my social media instances are not trying to harvest any data or identify people. The main intent of the email verification is to allow password sets and resets, but it provides some small impediment for spammers. Little is foolproof to stopping spammers, but we can mitigate.
In addition to Mastodon as the other poster mentions, Signal (obviously not a business tracking/advertising users) will require a mobile number to sign up even after usernames are rolled out, all in the name of spam prevention.
This sounds similar to what Revolut and other fintech companies ask to do for identity verification (selfie and photo of id).
There is also Stripe Identity [0], which costs $1.50 per validation. Are there other cheaper or similar reputable services to this one?
[0] https://stripe.com/identity
There is also Stripe Identity [0], which costs $1.50 per validation. Are there other cheaper or similar reputable services to this one?
[0] https://stripe.com/identity
email/sms verification is foremost for data harvesting, prevents some spam too.
likewise the fence around my property is to remind others of a legal/personal border; it can and will not stop determined folks, but surely dogs and the likes.
likewise the fence around my property is to remind others of a legal/personal border; it can and will not stop determined folks, but surely dogs and the likes.
I understand this is designed for illegal use, but honestly this is quite neat. Now if only these criminals applied their skills for legitimate uses...
"if you steal a million dollars, you are put in jail. if you steal a billion dollars, they name a business school after you."
How does this make sense in the context of a disposable email service?
Not sure why someone wouldn't use services like free deposable email services instead. People also sell bulk email accounts (gmail, hotmail) created by proxies for cheap too.
The common disposable mail services are often blocked for sign-ups. This gives you access to an account on something like gmail which is highly unlikely to be blocked. Not sure where the benefit would be over getting full access to accounts (bulk created or hacked) though.
Except you can reuse a single spare Gmail, Hotmail, or even Yahoo email address that’s unlikely to be blocked as you never actually need to check it.
I can see using separate emails from a privacy standpoint, but renting an email still seems like a security issue.
I can see using separate emails from a privacy standpoint, but renting an email still seems like a security issue.
There was a gmail disposable mail service that took advantage of + (ex: [email protected]). It appears it shut down though. As another user posted, cloud offers addresses without the +.
Another similar service exists, been around for a while. https://www.emailnator.com/
iCloud Hide My Email feature generates @icloud.com addresses with no `+` in them.
> People also sell bulk email accounts (gmail, hotmail) created by proxies for cheap
I think what the article mentions is the same thing but on a per-message basis. I.e. renting, rather than buying, is presumably cheaper. There are some prices in a screenshot in the article, but I have no idea how they compare to buying accounts outright.
I think what the article mentions is the same thing but on a per-message basis. I.e. renting, rather than buying, is presumably cheaper. There are some prices in a screenshot in the article, but I have no idea how they compare to buying accounts outright.
Thank you for the reminder that I meant to add some of that context in the story (which I will do after finishing this comment). I've written several stories over the years about how the major email providers have erected various hurdles designed to increase the costs for spammers, most notably phone verification. However, much of the data I'm aware of on the topic of pricing is somewhat dated. Here's one study from 2011, which found Hotmail accounts were far cheaper than Gmail and others because they were basically way easier to register.
Accounts Craigslist PVA 10 (4) $4.25 [§B.1] Gmail Accounts 6 (5) $0.07 Hotmail Accounts* 21 (12) $0.007 Facebook Accounts* 24 (10) $0.07
I doubt these prices are relevant today, apart from the continued price disparity between email providers.
Source:
https://krebsonsecurity.com/wp-content/uploads/2011/07/sec11...
Accounts Craigslist PVA 10 (4) $4.25 [§B.1] Gmail Accounts 6 (5) $0.07 Hotmail Accounts* 21 (12) $0.007 Facebook Accounts* 24 (10) $0.07
I doubt these prices are relevant today, apart from the continued price disparity between email providers.
Source:
https://krebsonsecurity.com/wp-content/uploads/2011/07/sec11...
[deleted]
Think the point is that they have a base of accounts on "established" e-mail providers vs some one-off domains.
Convenience vs. security. Don’t use email as the only mechanism to prevent signups. The protocol is working as designed.
This is why many apps/sites require a phone number to sign up.
Including the vast majority of free email providers these days. Of course, there are tons of SMS verification services in existence already for exactly this reason. Although I haven't heard of a SMS rental service like this.
smspva.com does exactly this. Phone verification (assuming you enforce non-VOIP and block certain countries) raises account creation costs by a decent amount, email verification not so much. The sad reality these days is that a T-Mobile phone number, a Comcast IP address and an outlook email doesn't mean someone isn't a bot, it means they spent a few dollars for a proxy and an some verification services. Which is why I think that behavioral indicators of botness and not just user agents and IP address whois are increasingly important in detection.
smspva.com, 5sim.net, sms-activate.org
I know of services that provide pools of non-voip phone numbers that work similar to this. So phone number verification might slow but not prevent these account creations.
Hmm... I wonder if this is related to this site
http:// learnmonster [dot] ir/public/
which appears to be a C&C and reporting interface for bulk registering free email accounts using a network of proxies.
Seems quiet now but sometimes you can see the reporting interface is churning through a huge number of newly created email addresses mostly at gmail.
I assume the server is hacked and the owner is unaware. Weird they don't put a password.
http:// learnmonster [dot] ir/public/
which appears to be a C&C and reporting interface for bulk registering free email accounts using a network of proxies.
Seems quiet now but sometimes you can see the reporting interface is churning through a huge number of newly created email addresses mostly at gmail.
I assume the server is hacked and the owner is unaware. Weird they don't put a password.
Pretty clever, though I wonder how kopeechka gets around ip limitations that outlook/gmail/yahoo/etc put up. Can only connect to so many accounts before they start to get suspicious.
This also seems like a great honeypot. Offer the service for a while get a good mass of users, then make off with their accounts.
This also seems like a great honeypot. Offer the service for a while get a good mass of users, then make off with their accounts.
If I understand it correctly it never let's the "enduser" connect directly to the email accounts. It always has a service in between. That way as far as Gmail or Outlook knows it only gets requests from one or a handful of IP addresses.
That’s the point: a small number of IPs accessing many accounts could become suspicious. (But may not be trivial to distinguish from legitimate usage due to NAT.)
I would assume they probably use tor or residential proxies in order to get around any ip related rate limiting
This is a fair assumption, although to be fair a botnet is essentially a collection of residential proxies.
And yes, Kopeechka controls the inbox, and only lets you see stuff going forward that matches the regex you specify.
And yes, Kopeechka controls the inbox, and only lets you see stuff going forward that matches the regex you specify.
Does Tor help here? I thought it’s blocked for clearnet sites
Nope, Tor usually makes things worse.
Ask anyone who uses Tor for their day-to-day web browsing. They're often given additional CAPTCHAs and the like. Some sites block them entirely.
Tor might hide where you're coming from, but to any website, it's obvious you're connecting from Tor.
Ask anyone who uses Tor for their day-to-day web browsing. They're often given additional CAPTCHAs and the like. Some sites block them entirely.
Tor might hide where you're coming from, but to any website, it's obvious you're connecting from Tor.
Tor probably doesn't help, but it's not blocked by design.
Tor traffic meets the rest of the internet via exit nodes. There are a finite number of exit nodes and some sites seem to know what they are at a given time and may block the traffic or present a bunch of extra captchas.
Tor traffic meets the rest of the internet via exit nodes. There are a finite number of exit nodes and some sites seem to know what they are at a given time and may block the traffic or present a bunch of extra captchas.
The dark net growing alongside the regular web is very interesting albeit worrisome. What helps one side helps the other, and the thing that hurts one also hurts the other. That's the main reason I really don't want Google or anyone else to cripple the ad-blockers because they really help with a lot of the attack vectors.
Anyway, kind of feels like the eventual outcome of Capitalism. You have a lack of supply to meet the growing demands of the cyber-criminals and fellow entrepreneurs rising up to close that void. Given the amount of money involved, not likely to ever stop. Not trying to give them any ideas but I'm wondering if there will be (or already is) venture capitalists investing in them. They most likely already have a 'Hacker News' to keep up with all the latest developments.
Anyway, kind of feels like the eventual outcome of Capitalism. You have a lack of supply to meet the growing demands of the cyber-criminals and fellow entrepreneurs rising up to close that void. Given the amount of money involved, not likely to ever stop. Not trying to give them any ideas but I'm wondering if there will be (or already is) venture capitalists investing in them. They most likely already have a 'Hacker News' to keep up with all the latest developments.
According to the FBI, financial losses from cryptocurrency investment scams dwarfed losses for all other types of cybercrime in 2022, rising from $907 million in 2021 to $2.57 billion last year.
https://arstechnica.com/information-technology/2023/06/fbi-warns-of-increasing-use-of-ai-generated-deepfakes-in-sextortion-schemes/TL;DR: Damn capitalism.
It's funny that I can think of a few legitimate use cases for this type of service:
- Deploying a new brand identity. I've worked with larger marketing agencies that may create many dozens of brands in a given month, and the process tends to be fairly manual and subject to various operational issues. There may be 20+ usernames/handles to "claim" as accounts across a broad spectrum of platforms, plus updating bios, profile pictures, 2FA/MFA, and, of course, the basic sign up and email confirmation process. I once scoped out how much of this could be automated, which was unsurprisingly cost infeasible relative to the current human method, and one of the components involved verification links, especially in scenarios with multi-tenant brands (such as a client wanting their new socials to be established under their own email, but wanting the agency to create those socials).
- User software provisioning. For all services that don't support some type of OAuth provisioning (through Okta, Atlassian, Google, etc) it would be helpful to create a new user, use scripts to post sign-up requests to non-OAuth services, use a function to verify the user's email, archive the email and present the user with their credentials.
- Tracking marketing/sales/promotion/update/announcement emails. Imagine if I could pay per user record for a Regex/SQL query; what if I want to estimate the amount of traction or activity of a competitor's email list? Rather than facilitating any interaction with the source users' email, it could simply give me a count of records, and perhaps a boolean for read/unread. Already that sounds like valuable data.
- Deploying a new brand identity. I've worked with larger marketing agencies that may create many dozens of brands in a given month, and the process tends to be fairly manual and subject to various operational issues. There may be 20+ usernames/handles to "claim" as accounts across a broad spectrum of platforms, plus updating bios, profile pictures, 2FA/MFA, and, of course, the basic sign up and email confirmation process. I once scoped out how much of this could be automated, which was unsurprisingly cost infeasible relative to the current human method, and one of the components involved verification links, especially in scenarios with multi-tenant brands (such as a client wanting their new socials to be established under their own email, but wanting the agency to create those socials).
- User software provisioning. For all services that don't support some type of OAuth provisioning (through Okta, Atlassian, Google, etc) it would be helpful to create a new user, use scripts to post sign-up requests to non-OAuth services, use a function to verify the user's email, archive the email and present the user with their credentials.
- Tracking marketing/sales/promotion/update/announcement emails. Imagine if I could pay per user record for a Regex/SQL query; what if I want to estimate the amount of traction or activity of a competitor's email list? Rather than facilitating any interaction with the source users' email, it could simply give me a count of records, and perhaps a boolean for read/unread. Already that sounds like valuable data.
Or just getting rid of marketing/sales/promotion/update/announcement emails. I regret not having used disposable emails (and phone numbers) for essentially everything ever touching anything involving politics, for example, as that would have kept tens of thousands of bullshit solicitations away from me over the years.
While I tend not to use disposable email addresses, I am a huge fan of having unique ones for many services or web site accounts. Not only does it tell me which ones have had a data breach or sold my info, but it also helps differentiate the spam that purports to come from that site, but isn't addressed to the specific one I _did_ use there.
No way. No legitimate business wants to give the owner of [email protected] the ability to hijack all of their brand accounts by hitting the reset password button. Even if you can change the email aftwards why take the risk of setting it up with a random person's account?
Especially since you can setup a catch-all on some domain you own so "creation" of the email address is as simple as typing it into the registration form on the site you want to use it on.
Surely this sort of sharing and access techniques violate most Terms of Service for any email I can conceive. It would be difficult to pull off a 100% legit service in this vein.
I recently setup a new social media instance and simply setup hcaptcha with no email or phone verification. If I really need to verify people, I can use a feature on my Nextcloud server to video verify people. When they click a link, it calls my phone for a video call and then an approval by me before they can proceed. https://nextcloud.com/blog/unique-sharing-security-video-ver...