How Fraudsters Execute Account Opening Abuse
Popular websites are often targeted by threat actors who open fake accounts in large numbers. This is known as “account opening abuse.”
In our previously published blog post, we discuss what account opening abuse is, how it manifests differently across industries, and how these accounts are re-used within broader fraud schemes. This blog post, part two of this three-part blog series, will explore how fraudsters execute account opening abuse and attacks.
What are account opening abuse attacks?
Account opening abuse attacks, also known as account creation fraud, involve the creation of numerous fake user accounts on digital platforms like digital commerce, social media, and banking sites. These attacks are stepping stones to a range of harmful actions, including spamming, fraudulent activity, and the spread of misinformation.
Attackers most commonly use the fake accounts to abuse promotional offers on digital commerce sites, or to steal and compromise the personally identifiable information (PII) of legitimate users, then commit identity theft or sell the data on the dark web.
Fraud rings: Cybercriminal collaboration
Fraud rings are common in the realm of account opening abuse, in which cybercriminals join forces to maximize their illicit gains. These rings consist of individuals or groups with specialized roles that contribute to different stages of the fraudulent account creation process.
Fraudsters carry out account opening abuse in various ways, but generally start by collecting stolen PII, like names and addresses. The data generally come from various data breaches and can be bought easily on specialized web forums for hackers — both on the regular web and the dark web.
Bots are typically employed to execute these attacks, allowing fraudsters to rapidly create multiple accounts.
The validation process
Account creation workflow varies in complexity, depending on a site’s validation process:
Lower complexity: Some sites want to avoid friction as much as possible and only validate that the selected username doesn’t already exist in the system.
Average complexity: Most sites validate at least the email address provided.
Higher complexity: Banks and fintech also validate the PII supplied to open the account.
Let’s take a closer look at different scenarios and see how attackers exploit logic flaws and use other techniques to create fraudulent accounts.
Sites without email verification
In the simplest use case (Figure 1), opening an account requires very little validation beyond confirming that the same username doesn’t already exist on the site. In this situation, the attacker doesn’t need valid inboxes and can simply create random accounts on the site at will.
Sites with email verification
When email verification is enforced, the attacker must supply a valid email address for verification. Harvesting valid inboxes on legitimate email systems and harvesting fake accounts on various websites is too much for one actor – that’s where the fraud ring comes into play (Figure 2).
Email inboxes for sale
In the fraud world, like in the legitimate world, each fraudster has their specialty and sells the product of their labor (credentials) to others. A new account fraudster specializes in harvesting inboxes on legitimate email platforms, which are then sold in bulk on the dark web marketplace (Figure 2, steps 1 and 2).
An example of such a provider is hotmailbox.me (Figure 3), a subsidiary of 1stcaptcha.com, which is based in Vietnam. They use their CAPTCHA-solving technology to harvest new accounts from major email services protected with CAPTCHA products.
Fraudsters interested in creating fake accounts on various sites can acquire these inboxes (Figure 2, step 3) and use them as part of their account creation process. Based on the current price, one can buy 1,000 accounts for approximately $2.20.
Procuring disposable inboxes
Alternatively, an attacker may decide to procure disposable inboxes (Figure 4) through sites like TempMail, Dispostable (Figure 2, step 3), or another similar service. The primary purpose of disposable or temporary email services is to help legitimate users preserve their privacy when creating a new account online. But like many privacy-oriented services, they are also commonly used by fraudsters.
Creating random domains to generate fake accounts
Another technique involves creating random domains with mail exchange (MX) records through platforms like GoDaddy, Google Domains, Squarespace Domains, or similar services. Google simplifies the process by letting users easily link domains to valid Gmail accounts, facilitating the creation of hundreds of domains.
Figure 5 shows an example of an attack in which a dozen domains are used to generate hundreds of accounts. Attackers may use hundreds of domains for an attack campaign and distribute the attack traffic evenly. The broad domain distribution makes it impossible for defenders to block based on the email domain. As seen in the figure, the accounts opened with disposable domains are very sporadic and only last a few minutes at a time.
Once the inboxes are ready, the attacker leverages a botnet to handle both the account creation and the verification step (Figure 2, step 4). The list of fake accounts may be used directly by the attacker or offered for sale on the dark web marketplace for other fraudsters to carry out their own schemes (Figure 2, step 5).
Seeing expected and unexpected traffic patterns
Being able to recognize unusual traffic patterns in the various email domains is key to helping identify account opening abuses. Figure 6 shows the distribution of account creation using email addresses from a major email service (Gmail.com)over seven days. We see a regular circadian pattern (traffic that peaks during the day and decreases at night), which is the expected traffic pattern from legitimate user activity.
In contrast, Figure 7 shows account creation with emails from the icloud.com domain. The circadian pattern is somewhat visible but dwarfed by occasional sharp traffic spikes, reflecting short attacks using the popular email services. By using email addresses from a popular email service, the attacker aims to make it harder for the defender to identify the fake accounts.
The pattern of account opening with emails from uncommon domains looks drastically different. Figure 8 and Figure 9 show activity with uncommon email domains like cantuenza1.com or cpzmars.com, with short activity spikes. Both domains are registered with Squarespace Domains, which offers cheap domains with free WHOIS privacy that, in this case, helps hide the attacker’s identity.
Traffic with uncommon email domains like yahoo.gr is expected and acceptable at low volume, as shown in Figure 10. However, seeing thousands of new accounts created with uncommon email domains within a short period is highly suspicious.
Understanding more complex registration workflows
For banking sites or sites that require a subscription, users must provide more information about their identity, including home address, government-issued ID, and phone number. The site will verify the email address and the other information with some level of scrutiny.
Fraudsters who want to create new bank accounts need reasonably valid and verifiable data. In this case, the attacker is not likely to use disposable emails since they would be too obvious an anomaly for the bank security team to miss.
The attacker is more likely to use regular email services like Gmail or Microsoft Outlook (Figure 11) for this kind of attack. In this scenario, two different fraudsters may supply information upstream:
One will supply valid inboxes (Figure 7, steps 1 and 2)
The other will supply PII that may have been harvested through major data leaks (Figure 11, step 3)
Fraudsters who open bank accounts and take advantage of promotional offers acquire both datasets from the dark web and combine them to create a synthetic identity (Figure 11, step 4).
For websites that require phone verification to open an account, the fraudster would generally provide their own mobile phone number. The more advanced account verification step can then be carried out through human labor.
Stay tuned for more
As we’ve seen, the attack complexity may vary depending on the workflow the targeted site enforces when a user creates an account. One thing however these attacks have in common is the structure of the email address. The handle (or local part) is often atypical and includes some randomization patterns. We’ll discuss this more in part three of the series, and present ways to defend your organization against account opening abuse.
To speak with someone about account opening abuse, call your Akamai account representative or talk to an expert now.