When bad actors use stolen or fictitious identity information to create bogus accounts, it is called fake account creation. Manual fake account creation is a tedious and time-consuming process that yields only a few new registrations. Therefore, attackers automate fake account creation using bots, which lets them create thousands of fake accounts in very little time.
Fake account creation allows attackers to power a plethora of crimes such as impersonation, money laundering, bonus abuse, phishing, disseminating spam, spreading disinformation, planting malware, and so forth.
Depending on the target, seasoned attackers can create specific ‘personas’ and use them for monetary gain. For instance, a persona of a seller on an ecommerce platform can enable bad actors to post fictitious ads and induce unsuspecting buyers to pay for an item that is never delivered. Similarly, a gamer’s persona can allow bad actors to attack online gaming platforms to manipulate game results, hoard virtual currency, or exploit other users.
The easy availability of stolen consumer information, combined with access to commoditized tools and cybercrime-as-a-service, has made fake account creation all too easy. Further, bad actors exploit the convenience that digital businesses offer prospective customers, who can register with minimal information – such as on dating apps – and create fake new accounts in large numbers.
Businesses have a hard time fighting fake account creation because stringent authentication measures at sign-up may hurt conversion rates, resulting in lost business. However, lenient registration criteria raise the risk of bad actors taking advantage, which can eventually lead to financial and reputational damage as well as a degraded user experience.
How are fake accounts used?
Fake account creation is often the starting point for other criminal activity. It is prevalent across industries and may be used as described below:
- The financial services sector may be targeted for financially motivated attacks such as money laundering or applying for loans or credit cards, which can damage the credit score of victims whose PII was stolen.
- Social media platforms have seen enormous popularity among users. Attackers have taken note of this popularity and use fake account creation to extort money on false pretexts, harass other users, disseminate spam and spread disinformation.
- In the gaming industry, fake accounts can be used to manipulate the results of the game, claim fraudulent refunds resulting in chargebacks, abuse auction houses, and so forth.
- False product reviews on ecommerce platforms can tarnish a business’ reputation, whereas fraudulent sellers can dupe unsuspecting buyers into paying for counterfeit or fictitious products.
- Fake account creation is powering scholarship scams in the education industry. Fraudsters use fake accounts to claim financial aid, which prevents deserving candidates from receiving the benefit.
Further, fake account creation is also used to power phishing campaigns that extract sensitive information such as financial and personal details by posing as a representative of an existing service provider. Spreading malware, astroturfing to influence public opinion, disseminating spam, and spreading disinformation are some of the other ways fake accounts are used.
How are fake accounts created?
In an attempt to attract more users, digital businesses request minimal information from prospective customers. Often, all it takes to open a new account is a name, an email address, and a phone number. This leniency makes it very easy for bad actors to create fake accounts.
Frequent data breaches have given bad actors access to large amounts of consumers' personally identifiable information. They use these stolen user details together with fake or forged identity documents where registration requires proof of identity. Using bots, attackers automate the fake account creation process, even incorporating wait times to mimic human behavior. They can also use bots-as-a-service that come bundled with add-ons such as CAPTCHA solvers, proxy IPs, bulk phone numbers and so forth.
Automated fake account creation involves just three steps, namely:
- Access data: Bad actors gather data, which may include stolen user information, fictitious data and a combination of both.
- Create attack script: To achieve scale and create a large number of fake accounts quickly, attackers leverage automation. They use attack scripts to quickly input data into the registration application as well as trigger CAPTCHA solvers or disposable email address services.
- Fake account creation: Using stolen details and synthetic identities along with automation, bad actors complete the user registration process. They may create fake personas using genuine user information or create multiple accounts using the same credentials. Further, they may choose to rent or buy fake accounts at certain platforms.
Tools attackers use for fake account creation at scale
Attackers can create thousands of fake new accounts in a matter of seconds with easily available tools. These tools are not only easily available but are also relatively inexpensive, which enables attackers to launch large scale attacks at the least possible investment.
Some of the popular tools used to create fake new accounts en masse include:
- Bots: Probably the most popular tool, bots are easy to use and need little input from the attacker to create thousands of fake accounts in a few seconds.
- Fraud farms: Low-paid human workers, usually from economically weaker geographies, can be used for fake account creation. They are usually given a target and paid per account created.
- Botnets: A network of infected devices under an attacker’s control is called a botnet. A botnet can enable attackers to scale up fake account creation massively.
- Cybercrime-as-a-service: Outsourced services that can facilitate fake account creation at scale are available in plenty. These paid services often have high success rates.
- Social engineering: Bad actors may even trick people into fake account creation by promising attractive returns or money.
Monetizing fake accounts
Low barriers to entry combined with high monetization potential make fake account creation a lucrative proposition for fraudsters. There are several ways – both direct and indirect – in which fraudsters can monetize fake accounts.
Some of the common methods of monetization are as described below:
- Money laundering: One of the most common uses of fake accounts is to launder money by routing the loot through several accounts and obfuscating the origin of the illegitimate funds.
- Bonus abuse: Many digital businesses, especially gaming platforms, offer sign-up bonuses to attract new customers. Attackers create multiple fake accounts to pocket these bonuses.
- Free trial abuse: Companies such as gaming and tech platforms offer new customers free trials of premium content or compute resources, respectively. Through numerous fake accounts, fraudsters can exploit these offers several times over.
- Subscription abuse: Businesses such as streaming services offer free subscription for limited periods. Bad actors create several fake accounts to avail of these free trials only to resell them at discounted rates on third party platforms, causing revenue losses to the business.
- Selling non-existent or spurious products: Fake account creation on eCommerce platforms can be used to ‘sell’ products that may be stolen or spurious, and even non-existent products for which buyers ‘pay’ without ever receiving the product.
- Click fraud: Fraudsters make money by using multiple fake accounts to execute click fraud, causing losses to the advertiser.
- Manipulating product reviews: Using fake accounts, bad actors can deliberately berate a competitor’s product or service to tarnish the image of the business.
How fake account creation affects businesses
Fake account creation is a growing headache for businesses that are competing intensely to acquire more customers. The more users register, the faster the business grows. As a result, in order to reduce friction and make registration easier, digital businesses require minimal information at sign-up. This gives bad actors room to create fake new accounts and blend in with genuine users.
Once attackers have gained access to a business's platform, they can abuse it in numerous ways. These attacks cause financial and reputational losses to the affected business, which may lose revenue when fake product reviews negatively influence customers' decisions and drive them to take their business elsewhere.
Inaccurate data – such as number of genuine users, product ratings, surveys – can affect data analysis, which in turn can impact marketing strategies. Further, businesses may incur additional costs on customer support due to an increase in customer complaints. Fake accounts are a serious security risk for digital businesses and can even invite legal trouble.
Fighting fake account creation
Signing up for a service is the beginning of a customer’s interaction with a business. Therefore, businesses must be vigilant about who they allow in their business ecosystem. They must deploy adequate measures that help identify fake account creation without disrupting the online experience of genuine users.
To fight the menace of automated fake account creation, there are several measures that digital businesses can consider using. Some of these include:
- Detecting anomalous behavior: Unexplained spikes in sign-ups within a short span of time indicate anomalous behavior. Deploy user behavior analysis for anomaly detection and flag abnormal activity for further investigation.
- Using honeypot fields: Honeypot fields in registration forms can help catch automated fake account creation attempts. These fields are invisible to human users, who therefore leave them empty, whereas bots see them in the form and fill them in.
- Verifying users: Deploy user verification methods such as email and phone verification to stop fake account creation.
- Limiting the numbers: Define a limit for the number of accounts that can be created from a single IP address.
- Using MFA: Multi-factor authentication adds a layer of security and obstructs bots from creating fake new accounts.
- Using reliable bot-detection solutions: Instead of using free or nearly free bot detection solutions that are no match to today’s advanced bots and end up introducing unnecessary friction, choose smart bot detection solutions such as Arkose Labs to put an end to automated fake account creation.
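As an added illustration (not part of the original article or any vendor's product), the following Python combines three of the measures above over a constructed sample sign-up log: honeypot-field hits, a per-IP account limit, and spike detection on sign-ups per time window. The thresholds are assumed values a defender would tune to their own baseline traffic.

```python
from collections import Counter, defaultdict

# Constructed sample sign-up log (not real data): (epoch seconds, client IP,
# account e-mail, value submitted in a hidden honeypot form field).
SIGNUPS = [
    (0,   "203.0.113.10", "alice@example.org", ""),
    (240, "203.0.113.11", "bob@example.org",   ""),
    (600, "198.51.100.7", "u1@mail.example",   "http://spam.example"),
    (605, "198.51.100.7", "u2@mail.example",   ""),
    (610, "198.51.100.7", "u3@mail.example",   ""),
    (615, "198.51.100.7", "u4@mail.example",   ""),
    (620, "198.51.100.8", "u5@mail.example",   ""),
    (625, "198.51.100.9", "u6@mail.example",   ""),
    (900, "203.0.113.12", "carol@example.org", ""),
]

WINDOW = 300        # seconds per counting window (assumed)
BASELINE = 1        # expected genuine sign-ups per window (assumed)
SPIKE_FACTOR = 3    # a window at >= 3x baseline counts as a spike (assumed)
MAX_PER_IP = 3      # accounts allowed per IP over the log period (assumed)

def honeypot_hits(events):
    """E-mails of registrations that filled the hidden field: a bot indicator."""
    return {email for _, _, email, trap in events if trap}

def ips_over_limit(events, max_per_ip=MAX_PER_IP):
    """IPs that created more accounts than the per-IP limit allows."""
    counts = Counter(ip for _, ip, _, _ in events)
    return {ip: n for ip, n in counts.items() if n > max_per_ip}

def spike_windows(events, window=WINDOW, baseline=BASELINE, factor=SPIKE_FACTOR):
    """Start times of windows whose sign-up count is anomalously high."""
    per_window = Counter((ts // window) * window for ts, _, _, _ in events)
    return sorted(w for w, n in per_window.items() if n >= factor * baseline)

def flag_signups(events):
    """Map each suspicious e-mail to the reasons it was flagged for review.
    A 'spike' flag alone marks a registration for investigation, not blocking,
    since genuine users also sign up during a burst."""
    reasons = defaultdict(list)
    bad_ips = ips_over_limit(events)
    spikes = set(spike_windows(events))
    for ts, ip, email, trap in events:
        if trap:
            reasons[email].append("honeypot")
        if ip in bad_ips:
            reasons[email].append("ip-limit")
        if (ts // WINDOW) * WINDOW in spikes:
            reasons[email].append("spike")
    return dict(reasons)
```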
Shortcomings of current bot-detection solutions
Subpar defenses such as CAPTCHA can derail efforts to fight automated fake account creation. They not only prove inadequate at providing the heightened level of security that today's digital businesses need but also degrade user experience and add to overall costs, as companies must bear mitigation and other hidden costs.
While multi-factor authentication adds a layer of security, it is an expensive proposition and introduces unnecessary friction, which disrupts user experience. Further, the one-time password (OTP) or code sent through SMS can be intercepted, which defeats the purpose of this verification mechanism.
These solutions use a black-box approach, that is, they do not explain how and why a session was marked risky or why a user was identified as suspicious. This lack of insight impedes efforts to correctly examine borderline cases that cannot be categorically called good or bad. It also limits the ability to fight evolving threats.
Prevent fake account creation with Arkose Labs
Leveraging the latest technologies, Arkose Labs provides modern digital businesses with robust protection against automated fake account creation.
Instead of using an iron hand to check fake account creation, which can result in the loss of genuine customers, Arkose Labs affords every incoming user an opportunity to prove their authenticity. Arkose Labs assesses the risk associated with every user and triages good users vs. suspicious traffic to tailor the response to the risk profile. Using targeted friction, Arkose Labs presents proprietary challenges – Arkose Matchkey – to the suspicious traffic to validate true intent and stop fake account creation attempts early in their tracks.
Arkose Matchkey challenges provide digital businesses across industries with unmatched protection from automated fake account creation. Arkose Matchkey challenges offer thousands of variations to simple questions, which humans find super easy but bots and scripts fail. To automate the solution for each of the variations, attackers need to spend disproportionate amounts of time, effort, and resources, which increase the cost of the attack manifold while also delaying solving the challenges at scale. This erodes the return from the attack, forcing attackers to move on to softer targets.
Arkose Labs also shares raw signals and actionable insights with security teams to empower them to efficiently fight fake account creation powered by intelligent bots and ensure long-term protection.