In recent years, cybercriminals have become increasingly professional: fraudsters have consistently improved their skills, made fewer crucial mistakes, and created various “as-a-service” businesses that help lower-skilled threat actors launch scams and attacks, allowing the latter to run full cybercrime operations.
Different types of cybercrime services exist today, including malware-as-a-service, where cybercriminals develop and sell malware services to other malicious actors; the service also includes creating and spreading malware types such as ransomware on compromised hosts. Meanwhile, other services, such as misinformation, spamming, and malware propagation, require the use of multiple social media accounts to be successfully carried out. Indeed, it’s not uncommon for cybercriminals to send thousands of spam messages using thousands of accounts on social media platforms. But how do they manage to automate all of it?
Recently, we came across a service that, while it is not necessarily illegal, facilitates cybercrime operations that rely on large-scale social media spamming: the Kopeechka service. In Russian, “kopeechka” means “penny.”
The service has been active since the beginning of 2019 and provides easy account registration services for popular social media platforms, including Instagram, Telegram, Facebook, and X (formerly Twitter). We also noted that registrations on chat sites aimed at minors were available via Kopeechka.
This report explores the Kopeechka service and gives a detailed technical analysis of the service’s features and capabilities and how it can help cybercriminals to achieve their goals.
How social media platforms secure their account creation processes
Most social media platforms have taken active steps to strengthen their account creation security. Since a lot of cybercriminals create accounts on social media platforms for use in their illegal operations, social media companies are trying to minimize the risk of having malicious actors on their platforms, an effort that starts with the account creation process.
Different security measures exist to protect platforms against the creation of fraudulent accounts, such as the following:
- Email address validation. When registering, a user needs to prove that the provided email address exists. This is generally done with a code confirmation, where the user receives a unique URL or a code via email. Once they select this link or type the code, their account is validated.
- Phone number verification. The goal here is to compel the user to provide a real phone number that can be validated by the social media platform, typically by sending a text message with a code that the user needs to type in on the platform.
- CAPTCHA protection. Although there are different types of CAPTCHAs, the goal is always the same: to verify that a user is a real person and not a bot. Typically, users need to answer a question that cannot be answered by automated solvers.
- IP address reputation. The goal here is to establish whether the user’s IP address is clean and does not come from a proxy, a virtual private network (VPN), or any other anonymizing solution.
Depending on the targeted social platform, cybercriminals would need unique email addresses, unique phone numbers, and non-suspicious IP addresses to successfully create accounts on their own.
Although some social media platforms use CAPTCHAs to stop automated registration, this doesn’t pose a considerable roadblock for cybercriminals, as different services now exist that allow malicious actors to bypass CAPTCHAs in an automated way. The same goes for IP address-checking services, as cybercriminals can use residential proxies to bypass these measures.
Cybercriminals can therefore bypass CAPTCHAs and IP address reputation-checking tools using automated scripts. However, they still need one valid email and possibly a phone number for each account that they want to create. This is where Kopeechka comes in.
A look at the Kopeechka service
Kopeechka does not provide access to email inboxes, but it provides access to emails received from social media platforms. The service has been designed so that the mailbox account is still controlled by Kopeechka and not by any third-party user.
Kopeechka offers two different types of email addresses: addresses that use its own domains, and addresses that are hosted on more popular email hosting services.
Kopeechka indicates the number of valid emails that it currently has in stock, as seen in Table 1. Interestingly, the majority are Hotmail and Outlook inboxes, which are Microsoft-related inboxes.
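From the platform's side, addresses on a bulk service's own domains tend to show up as a burst of sign-ups on one little-known domain, each confirmed within seconds. The following sketch of that check is an added example, not code from this report or from any platform; the record layout, thresholds, allow-list, and sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Assumption: large mail hosts are skipped, because sheer volume is normal there.
WELL_KNOWN = {"outlook.com", "hotmail.com", "gmail.com"}

# Constructed sample records: (account_id, email, signup_time, confirmed_time or None)
SAMPLE = [
    ("a1", "k7xq@bulk-mail.example", "2024-01-01T10:00:00", "2024-01-01T10:00:08"),
    ("a2", "p2mz@bulk-mail.example", "2024-01-01T10:02:00", "2024-01-01T10:02:05"),
    ("a3", "w9rt@bulk-mail.example", "2024-01-01T10:05:00", "2024-01-01T10:05:11"),
    ("a4", "jane@bulk-mail.example", "2024-01-01T10:06:00", "2024-01-01T10:40:00"),
    ("b1", "alice@smallco.example", "2024-01-01T09:00:00", "2024-01-01T09:03:00"),
    ("b2", "bob@smallco.example", "2024-01-01T15:00:00", "2024-01-01T15:00:10"),
    ("c1", "someone@outlook.com", "2024-01-01T10:01:00", "2024-01-01T10:01:04"),
    ("d1", "nobody@bulk-mail.example", "2024-01-01T10:07:00", None),
]

def flag_bulk_domains(events, min_accounts=3, window_s=3600, max_confirm_s=30):
    """Return {domain: [account_ids]} for little-known domains where at least
    min_accounts sign-ups inside one time window were all confirmed quickly."""
    by_domain = defaultdict(list)
    for acct, email, signup, confirmed in events:
        domain = email.rsplit("@", 1)[-1].lower()
        if domain in WELL_KNOWN or confirmed is None:
            continue  # out of scope for this heuristic, or never confirmed
        t0 = datetime.fromisoformat(signup)
        delay = (datetime.fromisoformat(confirmed) - t0).total_seconds()
        by_domain[domain].append((t0, delay, acct))

    flagged = {}
    for domain, rows in by_domain.items():
        rows.sort()  # chronological order by sign-up time
        start = 0
        for end in range(len(rows)):
            # Shrink the window until it spans at most window_s seconds.
            while (rows[end][0] - rows[start][0]).total_seconds() > window_s:
                start += 1
            fast = [r[2] for r in rows[start:end + 1] if r[1] <= max_confirm_s]
            # Keep the largest qualifying burst seen for this domain.
            if len(fast) >= min_accounts and len(fast) > len(flagged.get(domain, [])):
                flagged[domain] = sorted(fast)
    return flagged

if __name__ == "__main__":
    print(flag_bulk_domains(SAMPLE))
```

This covers only the own-domain case; addresses hosted on popular providers need other signals, since their domains are shared with legitimate users.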