Issue No. 15 | What methods do the universally reviled hospital "number traffickers" use to grab numbers?

Mr. Li from Beijing wanted to register at a well-known hospital, but failed to get a number for 2 consecutive weeks. In desperation, Mr. Li could only seek the help of "number dealers", and finally bought a number at a markup of 500 yuan. This not only wasted Mr. Li's time, but also increased the cost of treatment, and had a certain impact on his physical and mental health.

The Dingxiang Defense Cloud Business Security Intelligence Center found that since November 2022, the high-quality number sources on multiple medical registration platforms have consistently been snatched up. "Number traffickers" hoard high-quality number sources by cheating, and then resell them at high prices to make a profit. This behavior has left many medical registration websites unable to handle registrations normally, seriously disturbed the medical order, and even led to the serious consequence of platform user information being leaked in batches.


Rampant "number traffickers"

On social network platforms, entering keywords such as "Beijing registration", "registration appointment" and "registration agency" is enough to find traces of the dealers. Some number dealers even directly use promotional slogans such as "registration at a certain hospital", "assisting in registration", "running errands for registration", and "fee for registration".

"Number traffickers" are those who trade numbers at large hospitals where number sources are scarce. They either hire people to queue up all night, or use the Internet and other channels to occupy the number sources first. Collusion with hospital staff is not ruled out in some cases. They then mark up the price and sell the expert numbers they hold to patients in need, and make a profit from it. Organizers can earn tens of thousands of dollars a month from an expert.

Many "number traffickers" present themselves as medical practitioners. For example, they list more than a dozen Beijing tertiary hospitals and well-known experts in certain departments, and then make claims such as "how can Beijing hospitals get registered", "outpatient plus and special needs plus are strong points, for difficult jobs we are the right choice", "Professional agent number of experts in major well-known tertiary hospitals in Beijing"... Finally, contact information such as a mobile phone number and WeChat ID is attached.

On May 4, 2016, the National Health and Family Planning Commission and other eight departments jointly issued a special action plan for centralized rectification of "number traffickers" and "network medical care". The eight departments set up a special work coordination office and clearly divided the strict crackdown on "number traffickers" into three stages. In the future, relevant departments will also establish a blacklist of "number traffickers" and include them in the social credit system. Under the joint attack of many national departments, the "number traffickers" disappeared for a while.

With the establishment of Internet hospitals and the popularization of online appointment and registration services, number traffickers have become active again. With the Internet as a cover, the methods number traffickers use to grab numbers are also becoming more technically sophisticated by the day. Some number traffickers use customized illegal software to attack the official registration platform to grab numbers.

On October 14, 2019, the Beijing Dongcheng District People's Court sentenced Gao and three other "number traffickers" to 9 months to 1 year and 6 months in prison for the crime of sabotaging computer information systems. In August 2021, in a criminal case concluded by the People's Court of Xicheng District, Beijing, "number trafficker" Sun ordered others to make software for grabbing numbers, which broke through the protection measures of the background server of a hospital in Beijing and grabbed numbers for profit. For the crime of destroying computer information systems, Sun was sentenced to 2 years in prison, and Shao was sentenced to 1 year and 6 months in prison.


The operation path of "number traffickers"

Since November 2022, Dingxiang Defense Cloud Business Security Intelligence Center has successively discovered batch number grabbing on multiple registration service platforms, seriously affecting the business operations of those platforms.

"Number traffickers" have their own marketing staff. They trade through social software such as Weibo, WeChat, and QQ. They also open WeChat public accounts, where they directly sell registration services and maintain long-term customer relationships.

1. The patient contacts the "number trafficker" through social platforms and community forums.

2. The "number trafficker" learns the hospital, date, doctor and other information for the registration the patient needs, and requires the patient to pay in advance. Generally, a service fee is added to the original registration fee, and the markup ranges from tens to hundreds of yuan according to how difficult the number source is to grab. Number traffickers promise a full refund if the number is not obtained.

3. Then, the "number dealer" asks the patient to provide personal privacy information such as name, mobile phone number, ID number, and even the account number and password of some registration platform.

4. The "number trafficker" passes the order information to the black and gray industry operators, including the specific department, doctor, time period and other specific number source information, as well as the personal information of the patient who placed the order.

5. The black and gray industry operators enter the patient information to grab the number. After the number source is grabbed, the patient can see it in his registration platform account. If the patient information is not provided in advance, the number trafficker uses other personal information to grab the number; once a patient buys it, the number is urgently cancelled and then quickly grabbed back using the patient's information. If no patient buyer can be found, the registration is cancelled before the expiration date. During the transaction process, the black and gray industry can easily obtain a large amount of real patients' personal information, account numbers and passwords, and expand its own database of information for grabbing numbers.


The cheating tools used by the gang behind the "number traffickers"

The black and gray industry team behind the "number traffickers" has professional registration equipment and software for grabbing numbers, and earns service fees by grabbing numbers on behalf of others. They have their own marketing staff, conduct transactions through social software such as Weibo, WeChat, and QQ, and open a WeChat official account to directly sell registration services on it and maintain long-term customer relationships.

Many black and gray industry operators use flash-grab ("spike") tools to occupy the number source first, and then look for customers. They can also register quickly with the patient's ID card information at the moment of release, and in this way guarantee the registration success rate. The fee is generally a service fee on top of the original registration fee, ranging from ten to several hundred yuan according to how difficult the number source is to obtain.

The black and gray industry has professional cheating tools such as automated scripts, device farms, proxy/second-dial software, and coding platforms.

Number-grabbing software. The conventional registration business process is: choose a doctor, select a time, submit an appointment. The automatic registration software turns this into a script that submits appointments repeatedly and automatically. It takes 2-5 minutes for ordinary users to complete the process. The registration software of number dealers can simulate human operations, automatically log in, choose a doctor, choose a time, and submit an appointment. Thousands of registration behaviors can be completed in 2-3 seconds. With hundreds of people trying to make an appointment, this has led to the phenomenon that appointment numbers are often fully booked the moment they are released.

The black and gray industry uses packet capture tools such as Charles and Burp to analyze the registration software's requests, and then uses scripts to simulate the registration platform's login, doctor selection, time selection, and appointment submission, automating these steps in batches.

Since most hospitals have successively adopted real-name authentication measures, patients are required to provide personal information, including patient name, mobile phone number, ID number, platform account number, password and other personal privacy information.

In response to the requirement of face verification for registration, the black and gray industry will also require patients who need to register to record cheating face videos in advance, bypass the face verification method of the registration platform, hijack the registration page, and obtain the number source through scripts.

Group control platform. A group control platform provides the ability to control hundreds to tens of thousands of mobile phones in batches from a computer. Through the group control tool, one terminal can control multiple mobile phones. Combined with device-modification tools, it can fabricate thousands of different sets of device information in a short time. Combined with proxy IP software, it can switch IP addresses in seconds. This makes it possible to switch between a large number of patients' information in a short period of time for number grabbing.

Proxy/second-dial software. Second-dial software can call on domestic and even foreign ADSL broadband dynamic IP resources. By using the second-dial client software, the operators can achieve "automatic switching", "second-level switching", "disconnect and redial" and other IP functions with simple configuration. This can be used to circumvent defense strategies such as the registration platform's restrictions on access frequency per IP address.

Coding platform. A coding platform is mainly a workbench for data entry, and its tasks are mainly derived from the text, images, coordinates, etc. in the verification codes of each platform's verification steps. A verification code is a fully automatic test that distinguishes whether the user is a computer or a human. The question can be generated and judged by a computer, but only a human can answer it. Verification codes that the black and gray industry cannot recognize by technical means are usually cracked by manual coding.


How to effectively manage "number traffickers"

How to ensure the fairness and rationality of hospital registration should arouse the great attention of the hospital and the government. On the one hand, hospitals should strengthen the security and management mechanisms of their registration systems, and try to avoid black market transactions and registration information leakage. On the other hand, the government should guide all sectors of society to participate in improving the status quo of medical resource allocation, increase the crackdown on "number traffickers" and illegal operators, and safeguard the legitimate rights and interests of patients.

First of all, hospitals need to strengthen the security of the online registration system. Advanced technical means can be introduced, such as face recognition, graphic verification codes, etc., to increase the difficulty of patient registration, thereby reducing the opportunities for scalpers. At the same time, establish an effective supervision mechanism to strictly manage and protect patient information to avoid hacker attacks and data leakage.

Secondly, hospitals should strengthen communication and exchanges with patients and release information in a timely manner. Hospitals can release expert scheduling information and registration time to patients through various methods such as WeChat official account, SMS, and telephone, and regularly update the waiting status and reminders for canceling appointments. This can prevent patients from choosing to buy scalper tickets due to the long queue time, and it is also convenient for patients to understand the situation and make reasonable decisions.

In addition, the hospital's queuing mechanism can be optimized to adopt a first-come, first-served system, reducing the possibility of internal relationships and network interference. At the same time, hospitals can appropriately increase the number of appointment registrations, so that registration resources are not so concentrated that no numbers are left to register, which is what gives number traffickers their opportunity.

Finally, the government and public security departments should also step up their efforts to crack down on the illegal and criminal acts of the scalpers, and increase the punishment for the scalpers. For example, strengthen inspections, track and crack down on number traffickers online, and break the black production chain of their acquisition and reselling.

In short, it is a very bad thing for "number traffickers" to resell the source of numbers, which not only costs patients money, but also seriously disrupts the consultation process. Therefore, the hospital and the government should jointly take effective measures and continuously improve the online registration system to crack down on traffickers, protect the interests of patients, and build a harmonious medical environment.


Prevention and control suggestions on the technical side

In view of the characteristics of the above-mentioned "number traffickers" and the risk characteristics of bulk number grabbing, Dingxiang Defense Cloud Business Security Intelligence Center recommends:

Ensure client security. From the perspective of client security, it is recommended to add terminal reinforcement to both the iOS channel and Android channel of the app. Reinforcement technology provides terminal security protection, such as DEX file protection, SO file protection, resource file protection, and data file protection on the Android side, together with deep obfuscation. Reinforced protection prevents hackers from directly reverse-engineering and cracking the app.

Ensure the security of communication transmission. After the environment detection module is added to the terminal, the data generated by the environment detection module is often not bound to the business data. Fraudulent use.

Protection by IP address and mobile phone number. Based on risk control data and historical user data, the corresponding blacklist and whitelist data is accumulated and maintained, including user ID, IP address, device ID, patient ID number, contact phone number and other data dimensions. In addition, when number traffickers attack with automated programs, they usually rely on IP proxy pools to evade prevention and control strategies based on per-IP frequency limits. High-frequency access is achieved by switching among massive numbers of IPs in seconds, and such risky IPs can be covered by using an IP blacklist database.

Detect device-side risks. Detect the operating environment of the device: identify whether the fingerprint ID is legal and whether the terminal has features such as group control, debugging, simulator, injection, VPN, proxy, etc. Restrict the same device from trying to log in to a large number of accounts in a short time; apply behavior-dimension detection such as the same device switching a large number of IPs in a short time and short-term high-frequency visits; limit the number of short-term password errors for the same account in the login scenario; and detect a device being associated with a large number of different patients' information in the registration scenario.

Defense through login. "Number traffickers" mainly steal accounts through automated credential stuffing and password brute-forcing in the login process, and use automatic registration machines to grab numbers in batches in the registration process. For the identification of machine behavior, the most lightweight and simplest identification tool to deploy is the behavior verification code. Adding the behavior verification code to requests for man-machine verification in the login and registration steps can effectively intercept such trafficker attacks.

Prevent through risk control rules. Configure policy rules in the risk control engine: anti-credential-stuffing and anti-password-brute-forcing rules for the login scenario, and anti-number-grabbing rules for the registration scenario. Risk prevention and control is carried out from the dimensions of device behavior, user behavior, and IP address risk, and requests are stratified by risk. The business end combines the risk levels returned by the engine for hierarchical processing.
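
The device, IP and rule-based checks described above can be sketched as a small sliding-window rule engine; this is an added example, not Dingxiang's code. The thresholds, window length, rule names and level-to-action mapping are all assumptions, the sample events are constructed, and events are assumed to arrive in timestamp order.

```python
from collections import defaultdict, deque

# Assumed thresholds and window; tune against real traffic.
WINDOW_SECONDS = 60
MAX_PATIENTS_PER_DEVICE = 3
MAX_IPS_PER_DEVICE = 3
MAX_REQUESTS_PER_IP = 10
# Hypothetical mapping from risk level to the business-side handling.
ACTIONS = {"low": "allow", "medium": "behavior_captcha", "high": "block"}


class RegistrationRiskEngine:
    def __init__(self, ip_blacklist=()):
        self.ip_blacklist = set(ip_blacklist)
        self.by_device = defaultdict(deque)  # device_id -> (ts, ip, patient_id)
        self.by_ip = defaultdict(deque)      # ip -> (ts,)

    @staticmethod
    def _expire(queue, now):
        # Drop events that fell out of the sliding window.
        while queue and now - queue[0][0] > WINDOW_SECONDS:
            queue.popleft()

    def score(self, ts, device_id, ip, patient_id):
        """Record one registration request and return (risk_level, rule_hits)."""
        dev, ipq = self.by_device[device_id], self.by_ip[ip]
        dev.append((ts, ip, patient_id))
        ipq.append((ts,))
        self._expire(dev, ts)
        self._expire(ipq, ts)

        hits = []
        if ip in self.ip_blacklist:
            hits.append("ip_blacklisted")
        if len({p for _, _, p in dev}) > MAX_PATIENTS_PER_DEVICE:
            hits.append("device_many_patients")
        if len({i for _, i, _ in dev}) > MAX_IPS_PER_DEVICE:
            hits.append("device_many_ips")
        if len(ipq) > MAX_REQUESTS_PER_IP:
            hits.append("ip_high_frequency")

        # Stratify: a blacklisted IP or two independent signals -> high.
        if "ip_blacklisted" in hits or len(hits) >= 2:
            return "high", hits
        return ("medium" if hits else "low"), hits


def run_constructed_sample():
    # Constructed events (documentation IP ranges, made-up IDs).
    engine = RegistrationRiskEngine(ip_blacklist={"203.0.113.9"})
    out = [engine.score(0, "dev-A", "198.51.100.1", "patient-1")]
    for n in range(5):  # one device cycling patients and IPs within seconds
        out.append(engine.score(10 + n, "dev-B", f"192.0.2.{n + 1}", f"patient-{n + 10}"))
    out.append(engine.score(20, "dev-C", "203.0.113.9", "patient-99"))
    return [(level, ACTIONS[level], hits) for level, hits in out]
```

A device that only exceeds the patient threshold from a single IP lands at the medium level, which is where a behavior verification code fits before an outright block.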

Build your own model. After enough online data has accumulated, user behavior is modeled using the risk control data and accumulated business data, and the output of the model can be used directly in the risk control strategy.



Origin blog.csdn.net/dingxiangtech/article/details/130106954