Introduction: On September 16, 2019, the Cybersecurity Publicity Week opened in Tianjin under the theme "Cybersecurity for the people, cybersecurity relying on the people." Cybersecurity problems in our country are currently very serious: personal privacy protection, online fraud, phishing, network vulnerabilities and malicious code are prominent issues that constantly threaten people's normal work and daily life. Cybersecurity is subject to the "bucket effect": every link, from physical device security and behavioral security to data security and content security, is an indispensable part of cyberspace security.
With the development of the mobile internet in recent years, a large number of content platforms have emerged, but because of non-compliant content there are repeated reports of them being taken down or shut down. This shows that online content security cannot be ignored; in particular, the black industry chains built on illegal content should be a key target for crackdowns.
1. Overview
1.1 Basic Overview
Video and live-streaming black industry refers to black industry chains that operate under the banner of video or live-streaming platforms, distribute illegal content such as pornography and malicious applications, and profit from it. These chains have mature operating mechanisms: they attract users with pornographic live streams, obscene videos, erotic novels, gambling games and similar content, and earn revenue through advertising, user top-ups and in-app spending, and luring users into gambling. To increase profits, some platforms use recorded streams instead of real hosts to cut costs, and the results of some gambling games are tightly controlled. Moreover, these illegal platforms have also spawned large amounts of online solicitation of prostitution, online gambling, online fraud and other crimes.
Figure 1-1-1 Online gambling in a live-stream room
Figure 1-1-2 Online prostitution solicitation information
1.2 How the Program Works
Analysis of samples of this type shows that they consist mainly of three parts: avoiding bans, making profit, and acquiring new users through share-and-promote schemes. The main working principle is shown in Figure 1-2-1.
Figure 1-2-1 Program working principle
2. Technical Means
2.1 Code Protection
To prevent decompilation, some programs use the hardening (packing) systems of well-known third-party vendors to protect their code.
Figure 2-1-1 Program code hardening, example 1
Figure 2-1-2 Program code hardening, example 2
2.2 Continuous Application Updates
To avoid being banned, the program is continuously updated and upgraded.
Figure 2-2-1 Frequent program updates
2.3 Frequent Domain Switching (Large Numbers of Backup Domains)
To avoid being banned, the program keeps a large number of domain names in reserve.
Figure 2-3-1 Program switching to a backup domain
2.4 CDN Caching Acceleration
Through DNS resolution, the program selects the IP address with the best connectivity to the user to serve it.
Figure 2-4-1 Domain resolution
2.5 Backend-Controlled Gambling
Some programs contain online gambling content. Taking the "Tencent Fenfencai" game as an example, this gambling game claims to use the last digit of the real-time number of QQ users online as the draw result; users who guess correctly receive a payout at the corresponding odds.
Figure 2-5-1 Online gambling game
Code analysis shows that the draw result obtained by the program does not come from the real-time QQ online count at all; it is sent down by the program's server, so the result is entirely under the server's control.
Figure 2-5-2 Code in which the program requests the draw result from the server
Figure 2-5-3 Example of the program parsing the content sent down by the server
3. Analysis of the Black Industry Chain
Because the pornography industry is hugely profitable, a mature industry chain has grown up around it; the process at each link of the chain is shown in Figure 3-1.
Figure 3-1 Black industry chain flowchart
3.1 Application Development
To reduce development costs, these programs are usually assembled from third-party or open-source live-streaming frameworks, foreign online customer-service systems (or QQ- or email-based customer service), fourth-party payment systems and pre-built servers. Most servers are hosted abroad or in Hong Kong.
Figure 3-1-1 Distribution of live-streaming frameworks
Figure 3-1-2 Geographic distribution of server sites
3.2 Promotion and Distribution
These programs usually acquire their first batch of users through small app stores, cloud drives, web pages and forums, and then attract users to promote them through share-and-promote rebates or by recruiting agents, in an attempt to achieve viral growth.
Figure 3-2-1 Application promotion and distribution
3.3 Host Recruitment
Live-stream hosts generally come in two types: "family" and individual. A "family" usually has several hosts streaming on multiple platforms, managed centrally by an administrator who takes a cut of the hosts' income; individual hosts must complete real-name verification separately through customer service.
Figure 3-3-1 Host onboarding
3.4 Profit Methods
3.4.1 Advertising Revenue
Placing advertisements is one of the important profit channels for these programs. Black-industry teams usually have dedicated advertising customer-service staff to handle deals. The ads mainly lure users into clicking and then redirect them to download sites for the advertised apps.
Figure 3-4-1 Ad slot configuration obtained from the server
The advertised content is varied, consisting mainly of promotional ads for illegal applications such as gambling apps, pornographic apps, lottery apps and VPN apps.
Figure 3-4-2 Types of ads placed
3.4.2 Paid Content Revenue
In addition to ordinary live streams, many programs also offer paid live streams in various forms, including charging by viewing time and charging an entry fee.
Figure 3-4-3 Paid live stream
3.4.3 Revenue Share from Live-Stream Tipping
In the live-stream room, hosts induce viewers to tip; once a user has tipped a certain amount, the host may offer perks such as opening a one-on-one live room or following the user's instructions.
Figure 3-4-4 Tipping in a live-stream room
3.4.4 VIP Membership Top-ups
The program restricts the videos and other content that ordinary users can view, marking the more tempting videos as VIP-only to induce users to pay for VIP.
Figure 3-4-5 Inducing users to pay for VIP
3.4.5 Virtual Item Purchases
The program also offers various virtual items; most have no practical use and serve only as status symbols within the program.
Figure 3-4-6 Buying virtual items
3.4.6 Luring Users into Gambling
The program provides an online gambling feature with several forms of gambling. Users can top up and place bets, but the program can usually control the outcome of each round.
Figure 3-4-7 Online gambling
4. Source Tracing
4.1 Tracing Application Download Addresses
Domain information for some of the filtered application download addresses is as follows:
Table 4-1 Download address domain information
Application Distribution Address | Domain Contact Person | Domain Contact Email | IP Address | Physical Address |
---|---|---|---|---|
i**2.cn | Lu** | ch**oubei***ming@126.com | 47.**.106.54 | Hong Kong |
n**a.cn | He** | 941445640@qq.com | 103.121.94.243 | Hong Kong |
sh***u.cn | Yang** | dom***rotect@vip.qq.com | 101.**.133.124 | Shanghai |
4.1.1 i**2.cn
A whois query shows that the domain's contact person is Lu** and the contact email is ch**oubei***ming@126.com, whose pinyin prefix means "selling registered domain names".
Figure 4-1-1 i**2.cn domain query
Reverse queries on the contact person and the contact email return 17 and 13,315 domain names respectively, from which it can be roughly inferred that the domain currently belongs to a third-party domain name registrar.
4.1.2 n**a.cn
A whois query shows that the domain's contact person is He** and the contact email is 94***640@qq.com.
Figure 4-1-2 n**a.cn domain query
The QQ number information corresponding to the contact email is as follows:
Figure 4-1-3 QQ number information
Reverse queries on the contact person and the contact email return 11 and 12 domain names respectively; the following domains were obtained from the contact-email reverse query:
Figure 4-1-4 whois reverse query
Among them is a registrant, Shenzhen ** Technology Co., Ltd., whose legal representative is He**; the company's basic information is shown in the figure below:
Figure 4-1-5 Registration Company Information
The query found that the company's contact email is 26***942@qq.com and its phone number is 153***26439; no valid information was found for either the QQ number or the mobile number. The company has no official website, and its registered address is Building *05, Shekou Industrial Park, Nanshan District, Shenzhen.
The domain currently has a valid ICP filing (registration), filing number Jiangxi ICP No. 17016885; the filing information is as follows:
Figure 4-1-6 Domain Registration Information
4.1.3 sh***u.cn
A whois query shows that the domain's contact person is Yang** and the contact email is dom***rotect@vip.qq.com.
Figure 4-1-7 sh***u.cn domain query
Reverse queries on the contact person and the contact email trace back to 4,256 and 4,245 domain names respectively, which suggests that the domain currently belongs to a third-party domain name registrar.
4.2 Tracing Server Domain Names
Some of the filtered server domain names:
Table 4-2 Server domain information
Server Address | Domain Contact Person | Domain Contact Email | IP Address | Physical Address |
---|---|---|---|---|
xz**2.cn | Liu* | 157***9256@163.com | 47.**.4.230 | Japan |
y**ue.cn | Chang* | mobile_23ffa7c90ae06b4f@mail.22.cn | 61.***.215.227 | Xiangyang, Hubei |
xmj***hu.cn | Chen ** | 626***418@qq.com | 116.***.118.87 | Jingzhou, Hubei |
nv**p.cn | Guizhou ** Labor Service Co., Ltd. | 1144***020@qq.com | 60.***.59.188, etc. | Chizhou, Anhui |
sy**uw.cn | Hu** | bei***88@163.com | 116.***.184.212 | Enshi, Hubei |
fux***ua.cn | Bai Shui County ** Fashion Design Studio | 33***6771@qq.com | 122.***.4.221, etc. | Wenzhou, Zhejiang |
t**8n.cn | Liu** | 34***3847@qq.com | 104.***.80.102 | United States |
4.2.1 x**z2.cn
A whois query shows that the domain's registrant is Liu* and the contact email is 1571****256@163.com; the email prefix 1571****256 is presumably a mobile number.
Figure 4-1-8 x**z2.cn domain information
Searching by the mobile-number prefix of the email locates the Alipay account bound to this number, but the account has not been authenticated.
Figure 4-1-9 Alipay account
Whois reverse queries on the contact person and the contact email return 1,643 and 13 registered domain names respectively. A large number of contact emails can be associated with the domains found; taking 27***6492@qq.com as an example, the QQ number information corresponding to this email was found.
Figure 4-1-10 Email information
Checking the QQ Zone shows that "Liu*" is probably a gray-industry operator who has stockpiled large numbers of microblog accounts, interactive accounts, Jumei Youpin accounts and other accounts for sale; it is presumed that the large number of domains he holds are also for sale.
4.2.2 y***ue.cn
A whois query shows that the contact person is Chang* and the contact email is mobile_23ffa****06b4f@mail.22.cn. No further information was found from the contact person or the contact email.
Figure 4-1-11 y***ue.cn domain information
Visiting this domain shows that it has been flagged as a malicious website. Querying the domain's ICP filing information yields the website's other domains, as follows:
Figure 4-1-12 Domain name filing information
Most of these domains are inaccessible; among them, yw**ui.cn is accessible and is the server for an app named "QuLiao", which has not shown any malicious behavior. Its download address is http://y**ou.cn/QuLiao.apk.
Figure 4-1-13 "QuLiao" app
4.2.3 xmj***hu.cn
Querying the ICP filing information shows that the website's sponsor is Hangzhou ** Information Technology Co., Ltd., and the person in charge is Zhou**, who is also the company's actual controller. The company was dissolved on July 30, 2019.
Figure 4-2-1 xmj***hu.cn domain record
A whois query shows that the current registrant is Chen**, the email is 62***418@qq.com, and the registration date is August 8, 2019.
Figure 4-2-2 whois reverse query
Reverse queries on the contact person and the contact email show that the registrant and the registrant email have been used to register 379 and 953 domain names respectively, with Chen** and Chen** as the main contacts. Through this QQ email, information about the QQ number can be found.
Figure 4-2-3 QQ number information
The QQ Zone of this number can no longer be viewed because it has been reported by multiple users. However, this QQ number lists another QQ number, 82***060, which is the business QQ of the domain-trading platform "**wang". Based on the above, the domain xmj***hu.cn is most likely controlled by "**wang", i.e., Guangzhou ** Online Network Technology Co., Ltd., a third-party domain merchant.
Figure 4-2-4 QQ number information
4.2.4 n**3p.cn
A whois query shows that the domain's contact person is Guizhou ** Labor Service Co., Ltd. and the contact email is 114****020@qq.com.
Figure 4-2-5 n***3p.cn domain information
The QQ account shows that this domain is likewise controlled by a domain merchant, whose website is a**i.com.cn and whose phone number is 1558***4772.
Figure 4-2-6 QQ association
Whois reverse queries on the contact person and the contact email return 144 and 264 domain names respectively, a large number of which have been registered.
4.2.5 s***uw.cn
A whois query shows that the domain's contact person is Hu** and the contact email is bei****88@163.com.
Figure 4-2-7 s***uw.cn domain information
Whois reverse queries on the contact person and the contact email return 14 and 3 domain names respectively. Some of these domains use contact emails such as 44****493@qq.com, whose QQ information is as follows:
Figure 4-2-8 QQ information
4.2.6 fux***ua.cn
A whois query shows that the domain's contact person is Bai Shui County ** Fashion Design Studio and the contact email is 33***6771@qq.com.
Figure 4-2-9 fux***ua.cn domain information
From the QQ Zone information, it can be inferred that this QQ is the customer-service QQ of a live-streaming platform, handling matters such as settlements.
Figure 4-2-10 QQ Associated Information
4.2.7 ta**n.cn
A whois query shows that the domain's contact person is Liu ** and the contact email is 3454***847@qq.com.
Figure 4-2-11 ta**n.cn Domain Information
The QQ account information queried is:
Figure 4-2-12 QQ Account Information
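The pivoting applied throughout 4.1 and 4.2 (a whois lookup, then reverse queries by contact person and by contact email, with the resulting domain counts deciding whether a contact looks like a registrar or reseller rather than an operator, and the shared contacts pointing to the next domains to examine) as a runnable illustration. This is an added example, not the report's own tooling; the whois records, the site-*.cn and bulk*.cn names and the 1,000-domain threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed records (domain, registrant, contact email). Values are
# invented and masked in the report's style; no real whois data here.
def synth_reseller(email, person, n_person, n_total, prefix):
    """Constructed bulk inventory: n_total domains on one contact
    email, of which n_person also carry the named registrant."""
    rows = []
    for i in range(n_total):
        who = person if i < n_person else f"{prefix}-reg{i}"
        rows.append((f"{prefix}{i:05d}.cn", who, email))
    return rows

WHOIS = [
    ("i**2.cn",   "Lu**", "ch**oubei***ming@126.com"),
    ("n**a.cn",   "He**", "94***640@qq.com"),
    ("site-a.cn", "He**", "94***640@qq.com"),
    ("site-b.cn", "He**", "legal@example.com"),
] + synth_reseller("ch**oubei***ming@126.com", "Lu**", 16, 13314, "bulk")

# Assumed cut-off: a contact tied to this many domains is treated as
# registrar/reseller inventory rather than an operator's own holdings.
RESELLER_THRESHOLD = 1000

def build_indexes(records):
    by_person, by_email = defaultdict(set), defaultdict(set)
    for domain, person, email in records:
        by_person[person].add(domain)
        by_email[email].add(domain)
    return by_person, by_email

def lookup(domain, records):
    return next(row for row in records if row[0] == domain)

def reverse_counts(domain, records):
    """The report's two pivots: domains per registrant, per email."""
    _, person, email = lookup(domain, records)
    by_person, by_email = build_indexes(records)
    return len(by_person[person]), len(by_email[email])

def classify(domain, records, threshold=RESELLER_THRESHOLD):
    n_person, n_email = reverse_counts(domain, records)
    return "reseller inventory" if max(n_person, n_email) >= threshold else "operator-held"

def related_domains(domain, records):
    """Other domains sharing the registrant or email: next pivots."""
    _, person, email = lookup(domain, records)
    by_person, by_email = build_indexes(records)
    return (by_person[person] | by_email[email]) - {domain}
```

With the constructed data, i**2.cn reproduces the report's 17 / 13,315 pattern and is classed as reseller inventory, while n**a.cn stays operator-held and yields site-a.cn and site-b.cn as the next domains to examine.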
4.3 Tracing Payment Information
Some of the collected receiving account information:
Table 4-3 Receiving Account Information
Account Type | Receiving Account |
---|---|
Alipay 1 | Huang ** (*Fu) |
Alipay 2 | Fei * (*Honghu) |
Alipay 3 | Chen ** |
Alipay 4 | ** Department Store |
Alipay 5 | ** Property |
Alipay 6 | Yiwu ** Network Technology Co., Ltd. |
Alipay 7 | ** Buy Smart Life |
Alipay 8 | Jianying Card 2 (*Jianying) |
Alipay 9 | Chongqing ** Capital Technology Group Co., Ltd. |
Alipay 10 | Guangzhou ** Technology Co., Ltd. |
WeChat ID 1 | Lan Xingling |
WeChat ID 2 | Chen ** ~ Pacific Insurance 1824**39584 (**Ling) |
WeChat ID 3 | Xingzi (*Xing) |
WeChat ID 4 | l**b11111/lxzb321/2592509752 |
WeChat ID 5 | la***110/Phone (852-91433199) |
***1 | Ren * (Bank of China: 621785050003084****) |
***2 | Liang ** (Bank of Communications: 622262072000928****) |
4.4 Tracing Other Information
Part of the filtered contact information:
Table 4-3 QQ Customer Service Information
QQ Customer Service 1 | 243***3071 |
---|---|
QQ Customer Service 2 | 27***31181 |
QQ Customer Service 3 | 191***5146 |
QQ Customer Service 4 | Advertising Connection (1961***539) |
QQ Customer Service 5 | Anchor Certification (1335***105) |
QQ Customer Service 6 | Channel Promotion (106****916) |
QQ Customer Service 7 | Family Registration (1962***215) |
QQ Customer Service 8 | Share and Withdraw (17***322) |
QQ Customer Service 9 | Recharge Inquiry (1165***901) |
QQ Customer Service 10 | 1063***966 |
QQ Customer Service 11 | 12***9944 |
QQ Customer Service 12 | Manual Recharge (3065***677) |
QQ Customer Service 13 | New User Rewards (203****980) |
Email Customer Service 1 | av***ir@gmail.com |
Email Customer Service 2 | xian***shipin@gmail.com |
Email Customer Service 3 | a***win@gmail.com |
Telegram Group | lu***ir567 |
5. Summary
Illegal live-streaming and video applications exploit people's susceptibility to instant gratification, using pornography, gambling, lottery and other content that delivers a momentary thrill to push users into topping up and spending while in an irrational state, and thereby reap huge profits. Online temptations are everywhere and take every form; only by walking together and resisting temptation can we create a harmonious, uplifting and clean cyberspace.
6. Prevention and Handling Recommendations
(1) Block application distribution domains;
(2) Block maliciously spread content;
(3) Block illegal content sites;
(4) Dig deeper into the mobile payment receiving account information, since large-scale money laundering is often behind it;
(5) Ordinary users should raise their cybersecurity awareness, see these applications for what they really are, and take precautions proactively.
*Author: 暗影安全实验室. Reposts must credit FreeBuf.COM.