
Global Malicious Phone Number Fraud Risk Trends 2024

Updated: 5 days ago

Mobile phone numbers are a prime resource for perpetrators to carry out fraudulent activities. In particular, SIM cards that are not registered under the real-name system are easily exploited by perpetrators for online fraud. Threat Hunter's research has found that in recent years a type of malicious phone number known as "interception cards" has become increasingly prevalent among malicious groups. These phone numbers are pre-loaded with backdoors that allow SMS verification codes to be intercepted and used in malicious activities.

Threat Hunter's intelligence data reports that there were over 16 million malicious phone numbers globally in 2024 targeting major social media platforms, leading financial institutions, large e-commerce platforms and other related enterprises, in countries such as the United States, China, India and Russia.

To ensure that online business operations develop healthily, enterprises and institutions should be aware of the elements associated with these malicious phone numbers, such as their risk characteristics, fraud methods and attack scenarios. This comprehensive understanding can significantly enhance the efficiency of online business risk control.

This article introduces readers to the risks involved in the use of risky SIM cards and the malicious practices around them, the global landscape of malicious phone number fraud trends in 2024, and typical attack scenarios.


Overview

01 Introduction to the supply chain and the types of malicious phone numbers
02 2024 Global Malicious Phone Number Fraud Risks
03 Analysis of typical malicious phone numbers fraud scenarios
04 Threat Hunter's malicious phone number intelligence services

01 Introduction to the supply chain and the types of malicious phone numbers

After years of development, online perpetrators have established a mature and well-established supply chain for malicious phone numbers, with clear divisions of labor in resource acquisition and malicious activities:


  • Upstream of the Supply Chain - Resource Layer: Card providers control the core resources (malicious phone cards) and are the most critical players in the upstream.

  • Midstream of the Supply Chain - Service Layer: The midstream connects upstream and downstream of the supply chain, providing services such as traditional SMS code receiving, bulk code receiving, web-based code receiving, and API-based code receiving.

  • Downstream of the Supply Chain - Monetization Layer: The downstream utilizes the purchased malicious phone SIM cards to register fake accounts, launch attacks by exploiting promotions, redirecting traffic, or committing fraud, etc., ultimately achieving monetization.


Threat Hunter discovered that the two most common types of malicious phone numbers in the global market are SIM Modem Pool Cards and interception cards.


SIM Modem Pool Card

"SIM Modem Pool Card" refers to SIM cards that are inserted into modem pool devices to receive SMS verification codes using specific methods, hence the name "SIM Modem Pool Card". This practice primarily originates from traditional telecom operators and virtual network operators.

In regions where the use of the real-name system is not required, malicious groups can easily purchase SIM cards provided by traditional telecom operators or virtual network operators. Even in regions where the use of the real-name system is mandatory, these groups can obtain SIM cards by impersonating others, exploiting loopholes in the verification process, or using real-person crowdsourcing methods.


Threat Hunter's research shows that malicious groups favor SIM cards offered by virtual network operators over the cards provided by traditional telecom operators. Virtual network operators procure SIM cards that carry functionalities such as calling, texting and internet access from traditional operators, repackage them and then resell them. These cards are commonly referred to as "virtual SIM cards" among malicious groups. Compared to traditional SIM cards, these virtual cards are cheaper and have lower entry barriers.


Interception Cards

"Interception cards" refers to the scenario where the SIM card and the card-insertion device are in the hands of legitimate users. However, card providers pre-install backdoors in card-insertion devices. These backdoors allow them to intercept SMS verification codes received by the user's phone, hence the term "interception cards." This type of fraud has developed rapidly in recent years.

The backdoor programs set up by malicious groups automatically delete intercepted messages, making it nearly impossible for legitimate users to notice. The intercepted messages are then uploaded to the card provider's backend and flow into the midstream of the malicious process, where they are used for activities such as receiving verification codes.


In other words, if your phone, smartwatch, or similar device has been implanted with a backdoor, your SIM card could unknowingly become part of the operations of malicious groups.



02 2024 Global Malicious Phone Number Fraud Risks


2.1 Globally, the top 3 regions where companies are targeted by malicious phone number attacks are the United States, China and India


Based on the data monitored from Threat Hunter's Risk Intelligence Platform, Threat Hunter's intelligence experts have compiled the statistics on the companies that are most frequently targeted by malicious phone number attacks and their respective countries. The statistics show that the top 5 regions with the highest number of companies that encounter attacks from malicious phone numbers are ranked in the order of the United States, China, India, Russia and the United Kingdom.


  • Within the global market, companies from the United States hold a pivotal position, hosting international giants such as Google, Microsoft, and Apple. These companies hold great influence and offer lucrative returns for malicious groups, making them long-standing primary targets of cybercriminals. In particular, companies like Google that provide foundational internet services are especially favored by malicious operators, as their accounts can be used to authorize logins for numerous other applications.

  • As Chinese companies expand into international markets, particularly in social media and e-commerce, many large e-commerce and social sharing platforms have experienced rapid growth. During this process, the marketing funds allocated to the development of the business have attracted the attention of many perpetrators, bringing more Chinese companies into the sights of international cybercriminals.

  • Financial enterprises in India, such as CoinDCX and Unocoin in the blockchain sector, have also become major targets for malicious groups. Perpetrators benefit from the booming blockchain market and its related business activities, leading to a widespread increase in the number of malicious account registrations and attacks on many Indian companies.


2.2 The global industry distribution of malicious phone number attacks: Social media, finance, and e-commerce rank as the top three industries.


Threat Hunter's intelligence data has found that in 2024, the industries most frequently targeted by malicious groups globally include the social media, e-commerce, finance, lifestyle services, and entertainment industries.

  • The social media industry serves as the primary channel for malicious groups to conduct fraudulent traffic diversion. Using phone numbers that were acquired for receiving verification codes, malicious operators register large numbers of fake social accounts to engage in "account farming". These accounts are used to post illegal or fake information that lures regular users into fraudulent schemes.

  • The financial industry has a relatively higher number of attacked companies. Real case studies uncovered by Threat Hunter have identified that malicious groups use malicious phone numbers to register large numbers of accounts on financial platforms and launder illegal funds through activities such as transfers between these accounts.

  • Within the e-commerce industry, companies often distribute coupons to attract and retain users. The coupons are prime targets for malicious groups, who exploit them by mass-registering accounts to siphon off marketing funds. Additionally, some merchants collude with malicious groups to conduct practices such as making fake transactions, boosting product reviews, and manipulating ratings.


2.3 The top 3 global primary phone number fraud attack scenarios: marketing campaigns, social marketing, and content scraping.


Threat Hunter's surveillance into phone number fraud has revealed that in 2024, malicious groups primarily use malicious phone numbers to engage in activities such as marketing campaign scams, social marketing fraud, content scraping attacks, and money laundering.

03 Analysis of typical malicious phone numbers fraud scenarios


3.1 Scenario 1: Marketing Fraud Attacks

With the rapid development of the global e-commerce industry, major e-commerce platforms worldwide have launched different types of coupons and promotional activities to attract new users and boost consumption. While these incentives bring substantial benefits to users, they have also become a "goldmine" for malicious groups. Through technical means, these groups illegally acquire large quantities of phone numbers to register fake accounts, exploiting e-commerce platforms to claim new user discounts and promotional rewards.

The Attack Process

  1. Acquiring Phone Number Resources: Malicious groups obtain large quantities of international SMS verification codes at low prices through illegal verification code platforms to register for accounts on major e-commerce platforms.

  2. Mass Account Registration: Using automation tools and scripts, malicious groups can register tens of thousands of accounts within a short period, where each account is linked to a different phone number.

  3. Exploiting Coupons: After registration, these accounts are used to claim new user coupons or gain rights to participate in promotional activities to obtain discounts.

  4. Monetization: By reselling products at low prices or selling the claimed coupons, malicious groups are able to monetize and gain illegal profits.


Various types of fraudulent activities can occur on e-commerce platforms, including coupon exploitation, stockpiling goods, fake reviews, logistics fraud, and more. These fraudulent activities rely on a large number of fake accounts registered by malicious groups. The use of these fake accounts results in direct financial losses, increased transportation and handling costs, as well as inventory management expenses. These losses would not only cause direct economic damage but also harm the platform's reputation and interfere with normal operations.


3.2 Scenario 2: Fraudulent Traffic Diversion Attack

As internet technology develops, online fraud has evolved into a well-defined underground industry chain with an annual output value that exceeds hundreds of billions of yuan. This industry chain is not limited to illegal cybercrime in the "black market"; it also includes controversial activities that tread a fine line with the law, often referred to as the "grey area". One such grey area activity involves groups conducting fraudulent traffic diversion on major social media platforms. These groups do not directly engage in the actual fraudulent activities but act as facilitators for fraud rings: they redirect victims to third-party platforms where the victims interact with the fraudsters.

The Attack Process

  1. Account Registration and Sale: Malicious merchants upstream of the supply chain register a large number of fake accounts and sell them to fraudulent traffic diversion groups that lie within the midstream of the supply chain. These accounts are typically registered in bulk using automated tools and scripts, directly integrated with the SMS verification platforms to receive the verification codes.

  2. Diversion Tools: After purchasing these accounts from account merchants, fraudulent traffic diversion groups use various automated chat and posting tools and scripts to conduct fraudulent traffic diversion on social platforms.

  3. Diversion Methods: Malicious groups use methods such as posts, private messages, bullet screens, personalized signatures, and live content to display fraudulent traffic diversion information. Using these methods, they guide users to join third-party group chats, where scams are carried out.


The rapid increase in the number of fraudulent traffic diversion activities on social media platforms lowers content quality and severely damages user trust, potentially leading to user attrition. The spread of fraudulent information not only disrupts user experience but also undermines users' trust in the platform's safety and reliability. To keep malicious activities at bay, social media platforms need to fundamentally address the issue of accounts registered by malicious groups.


3.3 Scenario 3: Content Scraping Risks

In this digital age, web scraping technology is widely used in areas such as data collection, search engine optimization, and business intelligence analysis. However, the emergence of malicious web scraping poses severe challenges to cybersecurity. According to reports, API security issues and web scraping attacks are estimated to have caused global business losses of up to $186.1 billion. Malicious web scrapers not only threaten data security and user privacy but also significantly impact business operations.

The Attack Process

  1. Identifying Web Scraping Targets: Web scrapers identify target websites and determine the type of data to scrape, such as user information, article content, and comment details.

  2. Tool Deployment: Custom or ready-made scraping tools are used to attack the target website and automate data collection.

  3. Data Transmission and Processing: The scraped data is transferred to the attacker's servers or databases, where it is categorized, organized, and preliminarily processed to improve its usability.

  4. Data Sales: The processed data is sold to downstream buyers or directly used for other illegal activities.


Malicious web scraping poses threats beyond data security and user privacy breaches; it can profoundly impact a business's overall operations. The negative impacts include sensitive data leaks and decreased server performance. Businesses must implement effective defense measures such as handling scraper accounts, enforcing access controls, and identifying IP risks. These measures not only help to protect critical data and user information but also ensure the stability of business operations.



04 Threat Hunter's malicious phone number intelligence services


Through extensive research on the risks of malicious phone number fraud and continuous monitoring of verification channels for malicious phone numbers, Threat Hunter's malicious phone number intelligence service is able to precisely identify phone numbers that pose fraud risk to businesses. It assigns a dynamic risk score to these phone numbers, enabling businesses to identify fraud risk preemptively, monitor for attacks in real time, and analyze which strategies to adopt after detection. This service enhances the efficiency of risk management and effectively mitigates the negative impacts of fraud on normal business operations.



Businesses can leverage Threat Hunter's malicious phone number intelligence service to address specific challenges in their online operations:

  1. Implementing a diversified approach to addressing risks at different stages of the online business process 

For example, during the user registration process, we can simply flag suspicious phone numbers as high-risk. However, when it comes to actual transactions, we can combine this information with other user behaviors to decide whether to block the transaction. This way, we can effectively prevent fraud without mistakenly blocking legitimate users, ensuring that business operations run smoothly.


  2. Supporting a comprehensive scoring system that integrates data from multiple dimensions including IP addresses, devices, accounts and other relevant sources

Threat Hunter's service goes beyond simple risk labeling by scoring the risk level of captured phone numbers based on various factors such as the source channel and status of the number. In addition to assessing the likelihood of a number being associated with malicious activity through a risk score that ranges from 0 to 9, the system allows enterprises to integrate factors such as IP addresses, devices, and account data to derive a more comprehensive risk assessment of phone numbers, resulting in more accurate identification of risky numbers.
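
The two points above (label at registration, combine dimensions before blocking a transaction) can be sketched as a small decision function. This is an added example, not Threat Hunter's code or API: only the 0 to 9 phone score range comes from the article, while the signal names, weights and thresholds are hypothetical assumptions and the sample events are constructed.

```python
"""Stage-aware use of a 0-9 phone risk score (added example).
Thresholds, weights and signal names below are hypothetical assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signals:
    phone_risk: int              # 0-9 score from a phone-number intelligence feed
    ip_risky: bool = False       # assumed: source IP is on a proxy/abuse list
    accounts_on_device: int = 1  # assumed: accounts sharing this device fingerprint
    account_age_days: int = 0    # assumed: days since the account was registered


FLAG_THRESHOLD = 7    # hypothetical: phone score that labels a registration high-risk
REVIEW_THRESHOLD = 8  # hypothetical: combined score that sends a transaction to review
BLOCK_THRESHOLD = 12  # hypothetical: combined score that blocks a transaction


def combined_score(s: Signals) -> int:
    """Add IP, device and account evidence on top of the phone score."""
    if not 0 <= s.phone_risk <= 9:
        raise ValueError("phone_risk must be between 0 and 9")
    score = s.phone_risk
    score += 3 if s.ip_risky else 0
    if s.accounts_on_device >= 5:    # many accounts on one device: farm-like
        score += 3
    elif s.accounts_on_device >= 2:
        score += 1
    score += 1 if s.account_age_days < 1 else 0  # brand-new account
    return score


def decide(stage: str, s: Signals) -> str:
    """Return allow / flag / review / block for the given business stage."""
    total = combined_score(s)        # also validates the phone score range
    if stage == "registration":
        # Registration: label only, never block on the phone score alone.
        return "flag" if s.phone_risk >= FLAG_THRESHOLD else "allow"
    if stage == "transaction":
        # Transaction: block only when several dimensions agree.
        if total >= BLOCK_THRESHOLD:
            return "block"
        return "review" if total >= REVIEW_THRESHOLD else "allow"
    raise ValueError(f"unknown stage: {stage}")


# Constructed sample events, not real data.
SAMPLES = [
    ("registration", Signals(phone_risk=9)),
    ("transaction", Signals(9, ip_risky=True, accounts_on_device=6)),
    ("transaction", Signals(9, account_age_days=400)),
    ("transaction", Signals(2, ip_risky=True, account_age_days=30)),
]

if __name__ == "__main__":
    for stage, sig in SAMPLES:
        print(stage, sig, "->", decide(stage, sig))
```

With these assumed weights, a long-standing account whose number scores 9 is sent to review rather than blocked, which is the false-positive case the staged approach is meant to avoid.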


Threat Hunter's self-developed honeypot monitoring system currently identifies and adds between 500,000 and 2 million malicious phone numbers to its database daily. In particular, numbers with a risk score of risk9 are detected with an accuracy rate exceeding 99.9%. This enables enterprises to promptly identify malicious phone numbers during the user registration process, offering substantial practical benefits.


Our risk intelligence platform has successfully helped leading e-commerce, social media and lifestyle service platforms combat fraudulent activities such as marketing attacks, bot traffic and malicious traffic. If your online business is facing similar challenges, we invite you to try our risk profiling service.


 
 

© 2025 by Threathunter Technologies Pte 
