Saturday, December 30, 2023

Vietnam's Massive CAPTCHA crackers vs. Microsoft DCU

Earlier this month, Microsoft's Digital Crimes Unit was featured in a WIRED article by Lily Hay Newman - Microsoft’s Digital Crime Unit Goes Deep on How It Disrupts Cybercrime. In part, the article discusses MS-DCU's case against the hackers that they call Storm-1152. According to DCU, Storm-1152 used their CAPTCHA-cracking capabilities to assist other criminals in the massive creation of Microsoft email accounts, such as Hotmail and Outlook accounts. How many? How about 750 MILLION email accounts created for illicit purposes! In their announcement about Storm-1152, DCU's Amy Hogan-Burney calls out several of the websites run by the group, including Hotmailbox[.]me, 1stCAPTCHA[.]com, AnyCAPTCHA[.]com, and NoneCAPTCHA[.]com.   (I'm not familiar with NoneCAPTCHA, but it looks like it was just a redirect domain to 1stCAPTCHA.)  Amy shares that the group is based in Vietnam and names three of their operators: Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen.




Some example code is still on github that illustrates how these massive CAPTCHA solvers were used.  For example "CuongPhan1408" has a 1stCaptcha written in GoLang and shows examples in his code of solving Discord account creations using "HCaptchaTaskProxyless" and using "FunCaptchaTaskProxyless" to defeat Microsoft's Live signups.  FunCaptcha is the tool created by Arkose Labs which is currently used by Microsoft to confirm that emails are only created by humans. 

Github user HecTran12 shares code that links to the now-seized-by-Microsoft website 1stcaptcha[.]com which could previously be installed with "pip install 1stcaptcha." HecTran12's FunCaptcha example solves Outlook[.]com captchas to make new Outlook accounts. 

Github user "Xtekky" shares his AnyCaptcha[.]com-based code called "Outlook Gen" which is Python code that links to the Microsoft-seized website "AnyCaptcha[.]com" to create Outlook accounts in volume.  The code has 45 stars and 15 forks on Github.

Clearly the USERS of Outlook Gen, based on the forks, included many people from many parts of the world.  XTekky has many interesting tools on his Telegram and Discord channels, including "tools" for creating views and likes on TikTok using bots. He demonstrates by sharing a "why so many likes?" video on his TikTok which has been liked 912,400 times.  This relies on his TikTok Slider CAPTCHA Solver, which he claims has 100% accuracy in defeating the TikTok captcha.  XTekky also has a Discord "Question-based" CAPTCHA solver, which uses OpenAI's ChatGPT to solve the questions and provide the answers.  

With three major CAPTCHA-solving tools taken down by Microsoft, what's filling their place?  Based on examining new starring and forking from Github users who liked the old projects, it looks like Russia-based "AntiCaptchaOfficial" is the likely leader.  It claims to solve images with text, Recaptcha v2/v3 Enterprise or non-Enterprise, Funcaptcha Arcoselabs, GeeTest and hCaptcha Enterprise or non-Enterprise, and currently charges rates averaging $0.0005 per solved CAPTCHA. That would be 2,000 account creations per $1. 

Microsoft credits Arkose Labs with their help in investigating the case against Storm-1152, but if the stats page at "anti-Captcha[.]com" can be believed, their site is currently cracking 10,000+ Arkose Labs CAPTCHAs per minute.  Only reCAPTCHA v2 is experiencing more cracks per minute (currently 19,000+). Arkose should be pleased that they are one of the most expensive CAPTCHAs to solve.  Anti-Captcha is currently charging $3 per 1,000.  Their website claims that they are helping disadvantaged workers around the world. 

"With your help, they now have a choice between working in toxic factory conditions or on a computer." 

Their stories don't seem to say "Rather than work in a toxic factory, I help cybercriminals commit fraud and theft by making fake accounts on Outlook, Google, TikTok, Discord and more."

Saturday, December 02, 2023

China continues Pig-Butchering Crack-down

One of my techniques for keeping current on Cybercrime trends is having an "interesting" collection of international news ticklers. This story came to me via X:CyberScamMonitor via a QQ account called "onCambodia." @CyberScamMonitor is a Twitter/X account and Substack account dedicated to tracking online scam and gambling operations in Southeast Asia and documenting human trafficking and human rights abuses. Great work and a strong recommendation to follow if you wish to learn more about the links between #CryptoScams and #PigButchering.

I apologize to the original journalist as I have been unable so far to find the original to give them full credit. For reference, the Chinese article I refer to provides the source as 来源:鲁中晨报 (Source: Luzhong Morning News). The headline is: "Chinese woman was arrested after returning to China! Uncovering the financial backers of a fraud syndicate in Sihanoukville." If anyone has a link to the Luzhong Morning News version, please comment and I will update! This post is mostly just a retelling of their story in English!

The story told, in my opinion, should have the headline "Diligent Police Task Force won't stop tracking Fraudsters!" This story features the Yiyuan County Police who started with a telecom fraud case in their jurisdiction and followed it until they had wrapped up the entire organization and seized 200 million yuan from the criminals, 1/4th of it in cash, but also in real estate, luxury cars, watches, and liquour. That's over $28 Million USD! The case started with a local business who found that one of their employees had sent out 38 million yuan in just a few days. The employee was being extorted after installing a porn-dating app on his phone -- when the criminals learned where he worked they demanded that he send money from his company as well. 

 The case was taken up by the "3.01" Task Force. Yiyuan County is administered as part of Zibo City in Shandong Province of China. Police officers from county, city, and provincial level work together on the 3.01 Task Force.  (Shandong is in the east of China, across the Yellow Sea from South Korea.) The deputy magistrate of Yiyuan, Zhang Xiuguang (张秀光), takes an approach to cybercrime that reminds me of the work of the Garda National Economic Crimes Bureau in Ireland!  Zhang says "Since we established the task force, we have firmly believed that we must recover the losses and hit the core.  From catching the first culprit, we will not withdraw our troops until the case is solved!"

(map of Zibo City from medical article by Lili Liu and Ling Wang)

The case dragged on at a very slow pace, Yiyuan deputy director of public safety Ma Wencheng (马文成) described it as involving the tracing of funds from thousands of accounts and peeling back each account like peeling layers from bamboo shoots. Even with a 100 person task force, very little progress was being made, but that changed with a key arrest on 31AUG2022. The key piece of evidence as a suspicious mobile phone number. Among all of the hundreds of thousands of scraps of evidence, there was a telephone number belonging to a woman in Cambodia. Recognizing that Cambodia is the home of many telecom fraud rings, the head analyst for the task force, Lu Lu, focused on the owner of that number. The decision was made to wait for her to return to China. The police have assigned this key figure the alias Xie Xiaofang. When they learned that Xie was returning to China, the task force rushed to Zhengzhou in Henan Province and arrested her as she was leaving quarantine.

As she was questioned, Xie Xiaofang revealed that her #PigButchering group was based in the Chinatown setion of Sihanoukville, Cambodia. Her job within the organization was laundering the money, but she claimed despite her key role, she only knew middle managers in the gang, and then only by alias. The 3.01 Task Force team began tracking each person traveling to China from Sihanoukville and asking Xie Xiaofang to identify them. Within a few weeks, they had mapped out the leadership of the organization. On 17SEP2022, the team traveled to Jiangxi, Yunnan, Fujian, and other places, arresting two more key members and seven others, followed in quick succession by dozens more, eventually totaling 135 arrests. At this point, the Shandong Provincial Public Security Department thought it was time to reward their team.  The photo below shows the public ceremony where all of the local dignitaries publicly praised the work of the 3.01 Task Force, who had at this point seized 8.5 million yuan (about $1.1 million) and had key leaders of the gang in custody. 

(source: ) 

But the team was not done yet. As they interrogated those who had been arrested so far, they realized that there was still a bigger boss. The police assigned him the alias Tang Xiaowei, but they were cautioned by their current detainees that this guy has a "very strong sense of anti-reconnaissance." He only uses cash. He doesn't use mobile phones. He doesn't use credit cards.  He doesn't have a fixed address. But he was known to have a favorite place in Xiamen.  The head analyst, Lu Lu, however, believed that Tang would know about the arrests and would be looking for a way to get out of the country safely, and in the mountains of evidence, Lu Lu believed there was a clue to his exit point. Someone under their surveillance had arranged for a large party in "an Internet celebrity hotel" in Guilin, Guangxi. Lu Lu was confident this would be for Tang. 

Speeding down the highway for nearly 1200 miles with members of the 3.01 task force, Lu Lu's vehicle fell into a pit related to some road construction, but they acquired another vehicle and continued on through the night. They arrived just in time to arrest Tang and his closest associates!  It turned out that Tang and his gang were leaving for the coast that morning where a boat was waiting to smuggle them out of the country and back to Cambodia!  They had the actual top kingpin in their hands and now they could finally pull apart the entire organization.  

Based on the information they acquired, additional arrest teams were sent to Beijing, Shanghai, Tianjin, Guangxi, Hebei, Henan, Guizhou and other cities where 18 teams assigned to different roles for the organization were arrested.  Three technical teams, 1 "payment on behalf" gang, and 14 "point running" gangs totaling 197 additional criminal suspects.  Boxes and suitcases loaded with cash were seized.

While the case that started with the Yiyuan County Police investigating one employee who seemed to be embezzling funds, it led to 38 million yuan ($5.3 million USD) being returned to citizens in Yiyuan and Zibo City and has spawned countless additional investigations as the national and international connections are still being traced. 

This is what COULD happen if we follow the model of the brave Yiyuan Police (the same model which the Garda National Economic Crime Bureaus follows!)  DON'T STOP.  DON'T take your local arrests and be happy with them.  FOLLOW EVERY LEAD.  

We'll close with this quote from Zhang Xiuguan ... 

"No matter how far you run, the Yiyuan police are not afraid of hardships and dangers.  They will catch you no matter how far you go!"