Need cloud computing? Get started now

How Fraudsters Execute Account Opening Abuse

David Senecal

Written by

David Sénécal

October 19, 2023

David Senecal

Written by

David Sénécal

David Sénécal works for Akamai as a Principal Product Architect — Fraud and Abuse. He is passionate about improving internet safety and is an expert in online fraud and bot detection. He has 20+ years of experience working with web performance, security, and enterprise networking technologies through various roles, including support, integration, consulting, development, product management, architecture, and research.

In the fraud world, like in the legitimate world, each fraudster has their specialty and sells the product of their labor (credentials) to others.

Popular websites are often targeted by threat actors who open fake accounts in large numbers. This is known as “account opening abuse.”

In our previously published blog post, we discuss what account opening abuse is, how it manifests differently across industries, and how these accounts are re-used within broader fraud schemes. This blog post, part two of this three-part blog series, will explore how fraudsters execute account opening abuse and attacks.

What are account opening abuse attacks?

Account opening abuse attacks, also known as account creation fraud, involve the creation of numerous fake user accounts on digital platforms like digital commerce, social media, and banking sites. These attacks are stepping stones to a range of harmful actions, including spamming, fraudulent activity, and the spread of misinformation.

Attackers most commonly use the fake accounts to abuse promotional offers on digital commerce sites, or to steal and compromise the personally identifiable information (PII) of legitimate users, then commit identity theft or sell the data on the dark web.

Fraud rings: Cybercriminal collaboration

Fraud rings are common in the realm of account opening abuse, in which cybercriminals join forces to maximize their illicit gains. These rings consist of individuals or groups with specialized roles that contribute to different stages of the fraudulent account creation process.

Fraudsters carry out account opening abuse in various ways, but generally start by collecting stolen PII, like names and addresses. The data generally come from various data breaches and can be bought easily on specialized web forums for hackers — both on the regular web and the dark web.

Bots are typically employed to execute these attacks, allowing fraudsters to rapidly create multiple accounts.

The validation process

Account creation workflow varies in complexity, depending on a site’s validation process:

  • Lower complexity: Some sites want to avoid friction as much as possible and only validate that the selected username doesn’t already exist in the system. 

  • Average complexity: Most sites validate at least the email address provided. 

  • Higher complexity: Banks and fintech also validate the PII supplied to open the account.

Let’s take a closer look at different scenarios and see how attackers exploit logic flaws and use other techniques to create fraudulent accounts.

Sites without email verification

In the simplest use case (Figure 1), opening an account requires very little validation beyond confirming that the same username doesn’t already exist on the site. In this situation, the attacker doesn’t need valid inboxes and can simply create random accounts on the site at will.

A fraudster using invalid email addresses Fig. 1: A fraudster can use invalid email addresses when the site doesn’t enforce email validation

Sites with email verification

When email verification is enforced, the attacker must supply a valid email address for verification. Harvesting valid inboxes on legitimate email systems and harvesting fake accounts on various websites is too much for one actor – that’s where the fraud ring comes into play (Figure 2).

Account opening abuse of major email services Fig. 2: Account opening abuse with email validation

Email inboxes for sale

In the fraud world, like in the legitimate world, each fraudster has their specialty and sells the product of their labor (credentials) to others. A new account fraudster specializes in harvesting inboxes on legitimate email platforms, which are then sold in bulk on the dark web marketplace (Figure 2, steps 1 and 2).

An example of such a provider is hotmailbox.me (Figure 3), a subsidiary of 1stcaptcha.com, which is based in Vietnam. They use their CAPTCHA-solving technology to harvest new accounts from major email services protected with CAPTCHA products.

Account resells on hotmaibox.me Fig. 3: hotmaibox.me resells Outlook email accounts

Fraudsters interested in creating fake accounts on various sites can acquire these inboxes (Figure 2, step 3) and use them as part of their account creation process. Based on the current price, one can buy 1,000 accounts for approximately $2.20.

Procuring disposable inboxes

Alternatively, an attacker may decide to procure disposable inboxes (Figure 4) through sites like TempMail, Dispostable (Figure 2, step 3), or another similar service. The primary purpose of disposable or temporary email services is to help legitimate users preserve their privacy when creating a new account online. But like many privacy-oriented services, they are also commonly used by fraudsters.

Email service portal dispostable.com Fig. 4: dispostable.com is a disposable email service portal

Creating random domains to generate fake accounts

Another technique involves creating random domains with mail exchange (MX) records through platforms like GoDaddy, Google Domains, Squarespace Domains, or similar services. Google simplifies the process by letting users easily link domains to valid Gmail accounts, facilitating the creation of hundreds of domains.

Figure 5 shows an example of an attack in which a dozen domains are used to generate hundreds of accounts. Attackers may use hundreds of domains for an attack campaign and distribute the attack traffic evenly. The broad domain distribution makes it impossible for defenders to block based on the email domain. As seen in the figure, the accounts opened with disposable domains are very sporadic and only last a few minutes at a time.

A list of email domains showing tags and requests Fig. 5: Large attack using several disposable email domains

Once the inboxes are ready, the attacker leverages a botnet to handle both the account creation and the verification step (Figure 2, step 4). The list of fake accounts may be used directly by the attacker or offered for sale on the dark web marketplace for other fraudsters to carry out their own schemes (Figure 2, step 5).

Seeing expected and unexpected traffic patterns

Being able to recognize unusual traffic patterns in the various email domains is key to helping identify account opening abuses. Figure 6 shows the distribution of account creation using email addresses from a major email service (Gmail.com)over seven days. We see a regular circadian pattern (traffic that peaks during the day and decreases at night), which is the expected traffic pattern from legitimate user activity.

Request by Custom Rules from domain Gmail.com Fig. 6: Account creation pattern with emails from the domain Gmail.com

In contrast, Figure 7 shows account creation  with emails from the icloud.com domain. The circadian pattern is somewhat visible but dwarfed by occasional sharp traffic spikes, reflecting short attacks using the popular email services. By using email addresses from a popular email service, the attacker aims to make it harder for the defender to identify the fake accounts.

Request by Custom Rules from domain icloud.com Fig. 7: Account creation pattern with emails from the domain icloud.com

The pattern of account opening with emails from uncommon domains looks drastically different. Figure 8 and Figure 9 show activity with uncommon email domains like cantuenza1.com or cpzmars.com, with short activity spikes. Both domains are registered with Squarespace Domains, which offers cheap domains with free WHOIS privacy that, in this case, helps hide the attacker’s identity.

Request by Custom Rules from domain cantuenza1.com Fig. 8: An account creation pattern with emails from the domain cantuenza1.com
Request by Custom Rules from domain cpzmars.com Fig. 9: An account creation pattern with emails from the domain cpzmars.com

Traffic with uncommon email domains like yahoo.gr is expected and acceptable at low volume, as shown in Figure 10. However, seeing thousands of new accounts created with uncommon email domains within a short period is highly suspicious.

Request by Custom Rules from domain yahoo.gr Fig. 10: Account creation pattern with emails from the domain yahoo.gr

Understanding more complex registration workflows

For banking sites or sites that require a subscription, users must provide more information about their identity, including home address, government-issued ID, and phone number. The site will verify the email address and the other information with some level of scrutiny.

Fraudsters who want to create new bank accounts need reasonably valid and verifiable data. In this case, the attacker is not likely to use disposable emails since they would be too obvious an anomaly for the bank security team to miss.

The attacker is more likely to use regular email services like Gmail or Microsoft Outlook (Figure 11) for this kind of attack. In this scenario, two different fraudsters may supply information upstream:

  • One will supply valid inboxes (Figure 7, steps 1 and 2)

  • The other will supply PII that may have been harvested through major data leaks (Figure 11, step 3)

Fraudsters who open bank accounts and take advantage of promotional offers acquire both datasets from the dark web and combine them to create a synthetic identity (Figure 11, step 4).

Account opening abuse of major email services Fig 11: Account opening abuse ring for more complex registration workflows

For websites that require phone verification to open an account, the fraudster would generally provide their own mobile phone number. The more advanced account verification step can then be carried out through human labor.

Stay tuned for more

As we’ve seen, the attack complexity may vary depending on the workflow the targeted site enforces when a user creates an account. One thing however these attacks have in common is the structure of the email address. The handle (or local part) is often atypical and includes some randomization patterns. We’ll discuss this more in part three of the series, and present ways to defend your organization against account opening abuse.

To speak with someone about account opening abuse, call your Akamai account representative or talk to an expert now.



David Senecal

Written by

David Sénécal

October 19, 2023

David Senecal

Written by

David Sénécal

David Sénécal works for Akamai as a Principal Product Architect — Fraud and Abuse. He is passionate about improving internet safety and is an expert in online fraud and bot detection. He has 20+ years of experience working with web performance, security, and enterprise networking technologies through various roles, including support, integration, consulting, development, product management, architecture, and research.