If it often seems as though there’s a lot of fake content across the internet, it’s because there is. Many types of online fraud—including fake content—begin with the creation of fake user accounts. It’s not hard to create one or two fake user accounts. You might have multiple accounts on one platform or another already. But this isn’t a story about second Twitter accounts; this is a story about thousands upon thousands of fake accounts.
Large-scale fraud, especially when the intent is to make something look popular or to represent a crowd, is often carried out through automated account creation. And anything that’s worth doing for a fraudster, like creating a fake account to use to post a fake product review, is worth scaling up and doing many, many times over. But rather than creating thousands of fake accounts manually, it’s the work of bots to create those accounts.
Sophisticated bots will often go through the account creation process to abuse incentive or discount programs, create and send spam, manipulate content, or even launder money through puppet (fake or compromised) accounts.
Bots create accounts the same way humans do, only much faster and more frequently. The business logic of simple signup forms that require a username and password can be easily understood, making it possible to automate the signup process. Fraudsters can even incorporate wait times on automated signup to more accurately mimic a human.
Fraudsters also often have access to even more complex bots-as-a-service. Those fraud services often charge based on the number of new accounts that are being created, as well as the inclusion of bundled add-ons, such as:
Automated account creation can be monetized through a variety of means. One of the simplest examples is buying followers on social media platforms. If you went through the motions to buy 1,000 new followers, odds are most of those accounts were created and operated by a bot.
Incentive programs and limited-time discounts are another way for fraudsters to monetize their efforts. Many apps now offer referral fees or discounts to new users. Fraudsters who use bots to create a fleet of new accounts can take advantage of both and use a service for free, until they get caught.
Since bots and services can be purchased as a commodity, it is easy for fraudsters to operate like a business and find profit in these activities.
There are several steps companies can take today to reduce the risk of automated account creation on their web applications:
To start with, fraud and security analysts should monitor spikes in anomalous behavior. Has there been an influx of new registrations in a short timespan? Have many users been exhibiting similar behavior in a short timespan (such as posting five-star reviews with similar wording)?
Identifying anomalous activity surfaces leads, helps analysts investigate potentially fraudulent accounts, and makes it possible to shut those accounts down retroactively.
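The two monitoring questions above (a burst of registrations, and reviews with similar wording) can be checked with a few lines of analysis code. The following is an added example, not code from the article or from HUMAN; the function names, thresholds, bucket size and sample data are all assumptions chosen for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

def signup_spikes(timestamps, bucket=timedelta(minutes=5), k=6.0, floor=5):
    """Return (bucket_start, count) for buckets far above the robust baseline."""
    if not timestamps:
        return []
    start = min(timestamps)
    counts = Counter((t - start) // bucket for t in timestamps)
    series = [counts.get(i, 0) for i in range(max(counts) + 1)]  # keep empty buckets
    med = median(series)
    mad = median(abs(c - med) for c in series)  # median absolute deviation
    # A median/MAD baseline is not dragged upward by the burst itself.
    threshold = max(floor, med + k * max(mad, 1.0))
    return [(start + i * bucket, c) for i, c in enumerate(series) if c > threshold]

def shingles(text, n=3):
    """Set of overlapping n-word sequences, case and punctuation ignored."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {tuple(words[i:i + n]) for i in range(max(1, len(words) - n + 1))}

def similar_reviews(reviews, threshold=0.4):
    """Return (account_a, account_b, jaccard) for near-duplicate review texts."""
    sets = [(acct, shingles(text)) for acct, text in reviews]
    pairs = []
    for i, (a, sa) in enumerate(sets):
        for b, sb in sets[i + 1:]:
            sim = len(sa & sb) / len(sa | sb) if sa | sb else 0.0
            if sim >= threshold:
                pairs.append((a, b, round(sim, 2)))
    return pairs

# Constructed sample data (not from the article): steady signups, one burst, three reviews.
BASE = datetime(2024, 1, 1, 12, 0)
SAMPLE_SIGNUPS = [BASE + timedelta(minutes=4 * i) for i in range(30)]
SAMPLE_SIGNUPS += [BASE + timedelta(minutes=60, seconds=i) for i in range(40)]
SAMPLE_REVIEWS = [
    ("acct_a", "Great product, works perfectly and arrived fast. Five stars!"),
    ("acct_b", "Great product, works perfectly and arrived so fast. Five stars!!"),
    ("acct_c", "Battery died after two weeks, support never answered my emails."),
]

if __name__ == "__main__":
    for when, count in signup_spikes(SAMPLE_SIGNUPS):
        print(f"signup spike: {count} registrations in bucket starting {when}")
    for a, b, sim in similar_reviews(SAMPLE_REVIEWS):
        print(f"similar reviews: {a} / {b} (jaccard={sim})")
```

The pairwise review comparison is quadratic, so on production volumes it would be run per product or per time window rather than over the whole corpus.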
The most effective way to stop automated account creation is to detect and mitigate the automation in the first place. This is easier said than done. While tools like CAPTCHA may catch basic bots and automated scripts, they can be bypassed with ease.
Since bots-for-sale services offer access to compromised machines across the world, advanced detection is needed so that you can detect bot activity that stems from the same device as genuine human behavior, no matter where the request originated.
HUMAN identifies sophisticated bots that attempt to go through the account creation process so you can prevent automated account creation and maintain the integrity of your applications.
To learn how our approach is different, get a complimentary copy of Enterprise Strategy Group’s Solution Showcase: Securing Applications from Sophisticated Bot Attacks with HUMAN.