Price of a bot army revealed across online platforms

Posted by teleforce 22 hours ago

Comments

Comment by cookiengineer 7 hours ago

> They argue that SIM card regulation could help “disincentivise” online manipulation, and say their tool can be used to test policy interventions the world over.

In Germany, you have to give ISP customer providers (help centers) a copy of your passport ID in a live video stream to authenticate. That was introduced since 2013, for all SIM registrations.

So explain to me, again, how did this help reduce botnet traffic from Russia that uses proxy services of third parties that installed their proxy backdoors in free apps on the PlayStore under the disguise of marketing and advertisement?

I don't understand why Google does not get any critique for allowing so much malware to be officially deployed via their PlayStore? They don't give a damn, have a history of not caring, and are the only point in the supply chain that is the problem. Every service provider that offers residential proxies is using those backdoors, and bought access for it from the advertisement companies.

If you report their Malware or Spamware, they ignore it. Try it, you will be disappointed. Because AdMob and other agencies are their customers. It's the same problem with Microsoft hosting Azure tenants that do spamming, sorry, "marketing campaigns".

Source: I track these companies and their rotating ASNs with zero tolerance for spam. [1]

[1] https://github.com/cookiengineer/antispam

Comment by chatmasta 3 hours ago

How does blocking ASNs solve the problem you described, with proxy backdoors in apps? These will use residential/mobile IPs, right? That’s the point.

btw, may as well name and shame: the biggest culprit is Bright Data, formerly known as Luminati, also known as HolaVPN (the Chrome extension where they got their start, promising a VPN, routing traffic through a few DigitalOcean boxes, while selling each of their millions of users as a residential proxy endpoint to industrial scrapers). Nowadays they do the same but without the SPOF: they license their “SDK” to app developers, who launder the liability on their behalf.

Comment by cookiengineer 3 hours ago

I'm currently working again on my ebpf firewall, where I'm integrating an active DDoS kind of analysis across the network, so that other backends using that firewall can synchronize their blocklists more efficiently and contribute their traffic data.

I want the firewall to be some kind of middleware(?) for Go backends, so you can plug it in and can stop worrying. At least that's the idea.

It's similar probably to what cloudflare's DDoS protection is built like, but I'm focusing on Go backends first (my own use case) and am trying to make this as decentralizable as possible.

Is gonna take a bit until I'm confident that this approach will work, but I highly recommend eBPF for blocking and traffic analysis. It's insane what you can offload to the NIC, even when it's only partial support and not fully supporting XDP. The blocks are just so much faster to do than in userspace.

Comment by chatmasta 3 hours ago

Yes but how’s that going to help when the IPs you’re banning are mobile IP addresses? Bright Data claims to have over 7 million of them in their network. They aren’t in contiguous ASNs because they’re sourced from regular human users unknowingly running proxy endpoints on their mobile devices.

(I agree, eBPF is very cool. Once you dive into the Linux network internals you discover a bunch of shortcuts you can take to execute code on packets before they ever leave kernel space.)

Comment by cookiengineer 3 hours ago

Well you have to have metrics and behavioral analysis anyways because of TOR and other proxies, right? For those kind of residential IPs, you will just treat them as /32 prefixes (well if they use IPv4).

There's nothing set in stone, as you have to ensure that 24hrs later they get a chance again, so bans will be temporary first and will be permanent only for repeating offenders.

Comment by cedilla 6 hours ago

I don't think anyone made the claim that requiring identification while providing German phone numbers would do anything about abuse from Russian botnets or abuse from non-German phone numbers.

Comment by uniqueuid 6 hours ago

Thank you for that work. I hope it's asymmetric meaning one hour of your work wastes thousands of hours for bad actors.

Comment by mmooss 16 hours ago

> They argue that SIM card regulation could help “disincentivise” online manipulation, and say their tool can be used to test policy interventions the world over.

Their solution is to deanonymize communication, which you're probably familiar with. That's not a tool for social good, but for government power. We could give government virtually any power, if we assume it will be used only for good.

What's a solution to online manipulation that is actually a social good or cannot be misused? What's a freedom-promoting technology that can replace the disaster that is current social media?

Comment by port11 3 hours ago

It's done little to nothing to stop phone-based scams in European countries. It's unbelievable how many calls and SMS we get with scams, supposedly for SIM cards that require ID (Belgium and France).

Comment by dartharva 2 hours ago

India is one of the countries widely known to be a hub for social media bots.

India has also always required buyers to submit their government IDs to buy SIM cards.

Comment by Seattle3503 12 hours ago

Yeah I don't think we should expect cell networks to secure or protect these third parties.

Comment by ivape 2 hours ago

We have to solve universal beauty somehow. People like to take part in beauty, so it isn’t fair to admonish it outright as pure vanity. If you stared at the most beautiful people all day what need do you have to survey the world like Quasimodo from the social media bell tower?

The Hunchback struggled with an apparent vacancy of physical beauty and the burden of exclusion. He constantly doom scrolled from the tower above looking down. The solution required everyone in town to have a literal fucking epiphany.

Comment by giancarlostoro 10 hours ago

I've become a fan of Passkey instead of worrying about 2-factor, my phone or my Mac is how I authenticate with encryption keys only on my device.

Comment by richwater 10 hours ago

Just wait until you lose your devices

Comment by giancarlostoro 10 hours ago

all at once? I find that unlikely

Comment by rjdj377dhabsn 6 hours ago

You don't travel? Easy to have all your devices stolen at once on the street.

Comment by giancarlostoro 55 minutes ago

I can't say that I fly with everything valuable I have to my name, no. I leave my iPad and my Laptop at home usually, unless I am staying within my state visiting family and even then, I'm pretty sure my iCloud backup will still work on a brand new iPhone, heck I know it will, since it pushed everything to my newer iPhone even things I don't sync were in the encrypted backup of the whole device.

Comment by Cthulhu_ 4 hours ago

Backup codes somewhere safe. I mean if you're traveling and your bank cards or passport gets stolen you're similarly in trouble, but there's a contingency plan for those kinds of things.

Comment by rjdj377dhabsn 2 hours ago

I thought the working group making the standard was threatening to blacklist any implementation that allows passkeys to be exported for backup, no?

Comment by 2 minutes ago

Comment by TeMPOraL 2 hours ago

Yes, but unlike with 2FA and SaaS, there's always some recourse. Worst case, you may need to physically visit some bank or government branch, send some registered letters and/or notarize some statements, but there's always a way to recover from losing your ID, passport, or access to a bank account.

Until similar process exist in digital space (read: is legally and culturally forced on SaaS vendors), 2FA is frankly dangerous - it demands standards of diligence and long-term care that not even government affairs do. The back-up codes users are instructed to print out and store securely? No other document in most people's lives requires such long-term protection.

Comment by SV_BubbleTime 9 hours ago

No one has ever had a whole house disaster after all!

Comment by giancarlostoro 54 minutes ago

Sure, but iCloud still has my entire phone encrypted and will backup restore to a new device, I would imagine my Passkey which is stored in the Passwords app regardless would be fine. Alternatively you can put Passkey in your Bitwarden vault as well.

Comment by 0ckpuppet 10 hours ago

or people could just start to realize that social media is junk food and stop eating it.

Comment by delis-thumbs-7e 7 hours ago

>or people could just start to realize that [A] is [B] and stop [C] it.

Possible values for A = heroin, alcohol, tobacco, weed, porn, TV… B = addictive, causes cancer, has an effect on brain health, spreads HIV… C = using, consuming, eating, injecting…

Seems that this “people realizing” does not seem to work with other highly addictive chemicals or electronic media, since healing oneself from addiction requires far more than just “realizing” it is bad for you and the society. Perhaps there is a reason why we limit by law the sale of tobacco, drugs, alcohol and other highly addictive substances.

Comment by 0ckpuppet 6 hours ago

It doesn't have to work for everybody, just a critical mass that it doesn't rot the whole country. I can buy enough cigarettes,booze, and weed to run a party 24/7/365, so what are these "limits" you speak of? I don't party like that for the same reasons I quit eating taco kfc mcd's etc. They're still in business, but there will always be a few junkies.

Comment by scared_together 3 hours ago

In your jurisdiction, are there regulations and taxes on the sale of cigarettes and alcohol?

And are there any comparable regulations on social media?

Comment by rjdj377dhabsn 6 hours ago

Or we could start treating people like adults and let them make their own decisions/mistakes.

Comment by lynx97 2 hours ago

Progressives will never let that happen.

Comment by cindyllm 10 hours ago

[dead]

Comment by msy 13 hours ago

We are in a situation where it's a choice between unchecked corporate/oligarchic power or government power, at least the latter is nominally accountable in a democracy.

Comment by chickensong 9 hours ago

No, you can choose to opt-out and DIY your solution. It may not be for everyone, but oh well.

Comment by DFHippie 12 hours ago

And the unchecked corporate/oligarchic power is often just government power funneled through disposable, if rich, patsies.

Comment by neves 11 hours ago

The unchecked oligarchy just buy the government.

Comment by lrvick 18 hours ago

Since I do not have a smartphone or a cell carrier, I only have a voip number, which most sites think is a fake number. As a result I often have to use these shady SMS verification services to get my own personal legitimate accounts open.

Comment by modeless 14 hours ago

If you're in the US you can get a real cell phone number with VoIP and SMS that works without a phone for $20/mo with Google Fi. You'd need a phone to set it up but after that you could just turn it off and still use VoIP and SMS from any web browser.

Comment by 35 minutes ago

Comment by gruez 12 hours ago

There are BYOD prepaid providers that are even cheaper than that. The lowest you can get is ultra mobile's $3.50/month plan, but you need to jump through some hoops to get it working, like getting a physical sim in person. Tello is $5/month and you can activate online.

Comment by modeless 12 hours ago

Do you get SMS that continues to work when the phone is powered off?

Comment by gruez 10 hours ago

You can still get SMS (and even make calls) over wifi calling, which can be done with airplane mode on and with a VPN router.

Comment by modeless 9 hours ago

But not without the phone

Comment by pyrolistical 13 hours ago

Doesn’t that allow the shady sms service to take over your account?

Tell support you’ve lost access to email and they might allow you to change it if you can still verify sms code

Comment by NooneAtAll3 12 hours ago

well, the choice is between chance of account takeover - and having no account at all, y'know

how would one "verify sms code" without a phone?

Comment by rogerrogerr 17 hours ago

I’d be curious to hear about your experience not having cell coverage in the modern world. What’s it like?

Comment by daemonologist 10 hours ago

I went about six months without cell service a few years ago. The only deal breaker is this one - that lots of services require SMS authentication and won't accept Google Voice/similar. GPS navigation is a bit worse, because you have to pre-download the maps and don't get realtime traffic. You also can't be contacted when you're away from wifi; this wasn't a problem for me but I can imagine if you had kids or something it would probably be another deal breaker.

Comment by veqq 13 hours ago

It's very nice. Phones are evil.

Comment by codedokode 17 hours ago

Maybe they don't like having their precise location tracked 24/7?

Comment by rjdj377dhabsn 15 hours ago

That's a good reason for not carrying a phone, but getting a cheap SIM-connected device and leaving it at home next to their computer shouldn't reveal any more information than they already are by using their home internet and VOIP.

Comment by octoberfranklin 15 hours ago

What’s it like?

Blissfully tranquil.

Comment by conductr 11 hours ago

Not sure if it flags as fake but I'd look into getting a dedicated Twilio number, then just forward incoming texts to your email or something like that. It would at least get the "shady" part out of the equation as Twilio is pretty trustworthy.

Comment by cobertos 11 hours ago

This does not work, I've tried this before. Google verification for example would not accept my Twilio number as verification (about 2 years ago). You can lookup a phone number for the provider and numbers from Twilio or others tend to not be accepted.

Comment by dylan604 11 hours ago

> as Twilio is pretty trustworthy.

as considered by who? do banks accept a Twilio number as a valid number according to their security best practices?

Comment by DecentShoes 15 hours ago

Would it not be easier to get a dumphone and a super low end phone plan?

Comment by andai 17 hours ago

What device do you use the voip with?

Comment by ck2 16 hours ago

If you live in US, get a tracfone with an annual 1500 minute plan for around $20-$30

You can just get a fliphone clamshell, they still do those and don't need a full smartphone (ironically the clamshell still runs android)

They boot fast and battery can be pulled after

This is how I do all the 2-factor that demands real SMS

Comment by andrepd 17 hours ago

I use them to avoid giving my real number to any shitty online service.

Comment by codedokode 17 hours ago

These services are a good because sometimes you need to access some information in social networks, which is available only after registration. So what other choices you have? And they often do not even allow registration from desktop:

- Google requires to scan QR code with a phone to create an account

- Facebook requires a 3D face scan

- VK requires to use mobile application

- Telegram requires to use mobile application

Desktop now feels like untrusted, shady device, used mostly by cybercriminals. Especially of you use Linux and enable "fingerprinting resistance" option.

> To register a new account, online platforms require SMS (Short Message Service) verification

Incorrect, see above.

> A fake Facebook account registered in Russia can post about the US elections

Facebook is blocked in Russia though.

As for spam problems, require payment to add new contacts above the limit, and disable messaging to non-contacts. Or restrict messaging based on country/city (so that messaging to a different country is paid).

> The average price of SMS verification for an online platform during the year-long study period running to July 2025 was ... just a fraction of that in the US ($0.26), UK ($0.10) and Russia ($0.08).

That's outdated. With new Russian legislation, most platforms removed support for Russian phone numbers, so now you cannot even find a service that allows to receive SMS to a Russian number. Futhermore, if you Google such services, it seems that they use the same provider because all of them do not have any working Russian numbers.

Comment by Forgeties79 16 hours ago

> Facebook is blocked in Russia though.

I doubt that stops the IRA tbh

Comment by NooneAtAll3 11 hours ago

stops Irish revolutionary army from... registering facebook account in Russia?

Comment by roblabla 11 hours ago

In this context, it's talking about Internet Research Agency: https://en.wikipedia.org/wiki/Internet_Research_Agency

Comment by padzochambers 7 hours ago

haha also couldn't understand how the Irish IRA was in anyway relevant. Makes a lot more sense now.

Comment by Forgeties79 1 hour ago

Ha all good. I almost put the full name, elected not to for some reason, and here we are

Comment by 3 hours ago

Comment by squigz 6 hours ago

> As for spam problems, require payment to add new contacts above the limit, and disable messaging to non-contacts. Or restrict messaging based on country/city (so that messaging to a different country is paid).

This just a) increases the costs for attackers, which don't actually stop them; and b) means the poor amongst a population will be limited in who they can talk to. Very convenient, that. Don't want your peasants talking to citizens from other countries.

Comment by gruez 12 hours ago

>And they often do not even allow registration from desktop:

You probably have a super suspicious browser fingerprint and/or IP reputation and they're using those measures as a mitigation without denying outright. Use a normie browser and a normal internet connection and account creation works fine.

Comment by modeless 14 hours ago

I like this metric for service security. Which service is the most expensive to buy verification on? So far the best one I've found is Telegram at 166/$100, and the worst is Discord at 5044/$100.

https://cotsi.org/platforms?platform=ds&view=map I wish they showed a graph of services, but it seems like you can only view a graph of countries per service.

Comment by araes 13 hours ago

Adding on to this one since it was the only link to the map data. There's some other supplemental data available. The supplemental PDF [1] has a bunch of the vendor names and there's a Google Docs sheet that has the list of vendors and availability per area. [2]

[1] https://www.science.org/doi/suppl/10.1126/science.adw8154/su...

[2] https://docs.google.com/spreadsheets/d/1Aialrzkl4kjk2WgQac5f...

The Vendors that actually got included in COTSI are these:

Vendor1 https://sms-activate.org/price 16,310,000 China Vendor3 https://5sim.net/ Vendor 5,137,000 China Vendor5 https://smshub.org/en/main 1,871,000 Indonesia Vendor7 https://smspva.com/ 1,212,000 Nigeria

Others got Reserved (and I guess maybe they'll be included eventually?)

Vendor4 https://sms-man.com/ 2,751,000 USA Vendor6 https://sms-activation-service.com/en/ 1,778,000 Russia Vendor9 https://2ndline.io/ 320,487 Vietnam

Comment by rjdj377dhabsn 14 hours ago

I don't understand what these costs represents.

The post focuses on SMS verification, which based on the general level of costs makes sense. A KYC-verified Binance account costs a lot more than they list. But if they're only counting the cost for SMS verification, why would it depend on service? Wouldn't only the phone number's country matter?

Comment by ChuckMcM 16 hours ago

Once again I am reminded that "knowing" which accounts are fake is a knowable thing and yet social media companies don't mitigate them "because money" or "because DAU" Etc. When I was running operations at Blekko (a search engine) we were busily identifying all the bots that were attempting ad fraud or scouring the web for vulnerabilities or PII to update "people" data bases. And we just mitigated them[1], even though it meant that from a 'traffic' perspective we were blocking probably 3 - 4 million searches / day.

[1] My favorite mitigation was a machine that accepted the TCP connection from a bot address and just never responded after that (except to keep alives) I think the longest client we had hung that way had been waiting for over 3 months for a web page that never arrived. :-)

Comment by gnabgib 18 hours ago

Discussion yesterday (172 points, 149 comments) https://news.ycombinator.com/item?id=46257871

Comment by derelicta 4 hours ago

From what I get from this article, is that the price for not having my activity directly linked to my identity is under 5 quid for a one time payment. Pretty sweet.

Comment by 13 hours ago

Comment by neuroelectron 10 hours ago

Incredibly suspicious that there's no mention of Reddit

Comment by siegecraft 9 hours ago

Does Reddit require sms verification? The last time I made an account it didn't even require a valid email (but you got the "validated email" badge if you did it)

Comment by inemesitaffia 8 hours ago

Depends on your country.

If you want I can shoe you the popup that asks for a number

Comment by neuroelectron 3 hours ago

However, there is a market for bots.

Comment by dom96 16 hours ago

This seems to focus on "verifying" accounts using SMS, but I have never been asked by any service to do this. When does this happen?

Comment by Aurornis 14 hours ago

It's common on services that are attractive targets for spammers or bots.

Creating a new GMail account will require a phone number now, except maybe through a few avenues which are rapidly being closed.

Signing up for popular social media services often requires a phone number.

Signing up for free trials on a lot of platforms requires a phone number.

Everyone knows it's not a perfect measure, but it substantially slows down bot and spammer signups. Even spammers who use these verification services may get an account created, but internally it will be assigned a higher index of suspicion and be more likely to be flagged. When services operate at Facebook or Google scale, they can start to notice when 30 accounts have used the same SMS verification phone number through one of these services in the past N days.

Comment by jazzyjackson 10 hours ago

Twitter settled a lawsuit about this, there was a period where you could sign up without one but your account would be pretty immediately flagged for 'bot like activity' and asked for a phone number to confirm your humanity. They promised to use this for verification purposes only but of course used it for targeted marketing purposes.

> The Complaint alleged that, from May 2013 through September 2019, Twitter encouraged its users to disclose their phone numbers and email addresses for security purposes, such as enabling two-factor authentication and establishing a method for recovering lost passwords. More than 140 million users provided their information to Twitter.

https://www.arnoldporter.com/en/perspectives/blogs/enforceme...

Comment by patcon 16 hours ago

I think this just means you're from a respected country or IP block (or email or phone carrier), and so your existence online doesn't provoke suspicion? :)

I know some people dislike being reminded of this, but I share it because I'm personally always grateful to notice a new edge of it in my own experience: it's perhaps a dimension of privilege (which is neither good nor bad, just something to know that one [might] have, often in some subtle or hidden dimensions and not in others)

Comment by Lerc 5 hours ago

>Co-lead author Anton Dek, a researcher at the Cambridge Centre for Alternative Finance,

I find it amusingly apt that research into fake accounts is done by someone who people must regularly assume is a fake name.

You'd have to carry ID all the time with a name like that.

This is what British people will hear https://en.wikipedia.org/wiki/Ant_%26_Dec