Fake accounts once registered and trusted act like sleeper cells, under the radar until activated by bots.

Malicious actors use fake accounts to impersonate real users, leading to identity theft and fraudulent activities within your platform

Fake user accounts used to be easy to spot. Automated bots would register for your service, but would leave tell-tale signs they are fake. For example, they would use gmail or hotmail accounts with numbers, e.g. 2234208080@hotmail.com and they would also all register in a very short space of time, at very regular intervals in a way that is obviously fake and automated. The hackers are relying on the fact that many sites don’t vet each and every registration, and they know they can simply hide in the volume of daily registrations. Today the bots are much smarter and the registrations tend to look at lot more organic.The volume of registrations is spread out, and they use more natural emails, or even - see below - fake emails from stolen IDs or fullz.

How do cybercriminals make money from fake accounts?

One of the most common methods is to trigger the dormant fake accounts into action on a specific event that exploits gaps or inconsistencies in the value chain. For example, high-value items with a likely resell value several times in excess of the purchase price can be exploited for commercial gain. Taylor Swift tickets, Nike sneakers, all have had high profile bot attacks. Sports betting accounts are also riddled with fake accounts. Criminals trigger each of the fake accounts to place relatively small bets from the actual game-side - knowing that the TV coverage occurs a few seconds later - giving a tiny window to exploit the odds in the favour of the cybercriminals. In both cases, the bots are using an account that transacts, they do actually purchase the items - however the actual purchase is triggered from a bot - similar to the popular sniping software from online auction sites such as ebay, that automates last second bids.

Fake accounts for media sites hide behind the paywall as legitimate users. If one account was created, and simply scrapes the online content, it would be quickly discovered. The hackers use many accounts to distribute the content load amongst the accounts, so they just look like normal, albeit dedicated and conscientious readers. However, in sum, each and every day, the entire contents behind the paywall are being scrapped by the bot army of fake accounts. While the actual commercial loss may not be massive, the brand damage and loss of trust can be catastrophic.”

Social Media Impostors

‍

One prevalent form of fake account, as Elon Musk has found out with X (aka Twitter) are fake social media accounts and impostors. These bot activated impostors mimic well-known personalities, celebrities, or public figures to attract followers, spread false information, or scam unsuspecting users. These accounts often use bots to transmit fake messages - e.g. investing in the latest crypto-schemes.

‍

Spam and Phishing Attacks from Fake Emails

‍

Fake email accounts can be used to send spam messages or phishing emails to genuine users, compromising their personal information and data security. These accounts are created to trick recipients into believing that the sender is someone they know or a legitimate organization. They can also be used to create fake accounts, register for a service, and then use bots to take advantage of the registered service. For example, a bot use the fake ID, or fullz data to register and then scrape data from behind a firewall, steal data about other users, or buy high value tickets and other items for re-sale, once inside the protected domain.

‍

Distorted Analytics and Vanity Metrics

‍

Fake accounts can skew user engagement metrics and analytics, making it challenging to obtain accurate data for decision-making processes. This can be challenging in a corporate setting. For example, if one of the company OKRs is setting marketing goals for registrations, engagement or user growth, removing these fake accounts can negatively impact on reported metrics.Investing in bot detection software offers several invaluable benefits for your online business:

1. Improved Website Security

Bot detection software acts as a digital shield, protecting your website from unauthorized access and potential cyberattacks. It identifies and blocks harmful bots, ensuring that your sensitive data remains secure.

2. Enhanced User Experience

Malicious bots can slow down your website, leading to a poor user experience. Many sites punish legitimate users by putting into place extensive two-factor authentication, hard to use CAPTCHA, pointless rate limits across the entire website, and other obstacles for all users, regardless of who they are. By employing bot detection software, you can optimize your website's performance and provide a seamless browsing experience for all your visitors.

3. Decreased Server Maintenance, lower costs

Bot spikes can cause all sorts of maintenance issues. The sudden volumes of traffic can overwhelm servers, or cause issues as your elastic compute auto-scales and fire-up new nodes, causing additional expenses and increased maintenance. Verifying bots using log data, is time consuming and fraught with identify issues. Malicious bots often impersonate common bots that you don’t wan’t to allow on your site. Many sites have whitelisted bots disguised as legitimate services, only to have their entire web site crawled or worse.

Bot Automated Account Creation

‍

Most fake accounts are generated through automated bots. Hackers and cybercriminals use sophisticated bots to create many fake profiles rapidly.

‍

Use of Bots

‍

Bots are programmed to register online for a service. This fake account creation is made to look like a real user. Bots can use captcha farms - outsourced real human captcha solvers, or are programmed to pass the captcha. Many sites use an alternative audio capture for accessibility reasons. Bots can easily use AI voice recognition to listen and complete the audio captcha. They can also be programmed to respond to SMS authentication requests using a range of mobile numbers assigned to fake registrations.

‍

Identity Theft

‍

In some cases, fake accounts are established through identity theft. Stolen personal information is used to create convincing profiles that can be leveraged for nefarious purposes. See the Blog article on how hackers obtain millions of fake ID packages containing comprehensive stolen Personal Identifiable Information (PII)

Email Verification and Validation

✅ Implement a robust email verification process during account registration to ensure that users provide valid and active email addresses.

❌ Why email verification FAILS

❌ The email passes the verification, it's just a fake email.

✅ Phone Number Verification and OTP Password, Utilize phone number verification through OTP (One-Time Password) to add an extra layer of security and prevent automated fake account creation.

❌ Why OTP verification FAILS

❌ The cyber criminals use burner phones and respond to the OPT.

✅ CAPTCHA Challenges. Integrate CAPTCHA challenges at critical junctures to deter bots and automated scripts from registering fake accounts. ❌ Why CAPTCHA FAILS

❌ the bots pass CAPTCHA.

✅ Authenticator Two-Factor- Authentication: Using a robust authenticator is probably the most effective way of managing and authenticating users.

❌ Why Authentication FAILS

❌- Forcing authenticator registration of all users may be a real issue for access. User acceptance may be strong for banking, financial services, and security use cases, but user resistance for general e-commerce and associated conversions may well be severely affected. Don’t forget, Bots can also be programmed to pass the authenticators! Setting up fake authenticated accounts with multiple emails is more work, but still easy to do.

✅ Manually Inspecting Logs and User Profiles: It’s true that fake accounts may have incomplete or inconsistent profile information, raising suspicions about their authenticity.

❌ Why Manually Inspecting Logs FAILS

❌ However, inspecting these manually if you more than a few thousands registrations is a herculean task. Humans don’t enjoy registering for services, and will likely have all sorts of inconsistencies with their profile.

✅ IP Address Monitoring: Manually monitoring IP addresses for suspicious activities, such as multiple account registrations from the same IP, which could indicate potential bot involvement is possible.

❌ Why IP monitoring FAILS

❌ However, doing this manually with many thousands of accounts is very hard, and most sophisticated bots rotate IPs constantly.

✅ Unusual Behaviour: Accounts that exhibit unusual patterns of activity is a good tell-tale sign that the account is fake. However, this is again very difficult to spot, unless the account is massively abusing your service.

❌ Why manual detection FAILS

❌ Account usage genuinely does vary enormously across our human population. People use their accounts in all sorts of different ways. Without bot management tools, this is a really complex problem to solve manually.

✅ Rate Limiting: Enforce rate limiting for account registration attempts to prevent bots from overwhelming your system with numerous requests.

❌ Why rate limiting is a total FAIL

❌. Punishing all users because you can’t identify the bots is a total fail. The rate-limiting doesn’t stop the bots, it just slows down all your traffic.

Auditing and verifying the identity of individuals manually, or performing spot audits on a sample of your registration can definitely help.

‍

The manual audit may reveal that fake accounts do exist in the sample, and from there, it’s possible to size and scope the extent of the issue based on the total registrations and sample size.

‍

Strict user identity verification, for sensitive transactions or activities that require higher security measures is certainly possible. However, manual methods, such as instigating a phone call with each new registration to verify each and every account is a lot of work. It will only make sense if you have a relatively small amount of high-value accounts.

‍

A manual check may reveal that the registration mobile credentials are real, but the customer never picks up the phone. In all likelihood you suspect the mobile is just a burner phone used for fake account creation. The problem is many legitimate customer don’t respond to mobile messages either.

‍

The good news a thorough audits really should pick up some fakes. Positively identifying a ‘genuine’ fake is very helpful, as you can then understand more about the fake account creation process, to uncover a pattern that may identify other accounts. Manual verification can absolutely make business sense according to the context.

We’ve seen how most of the traditional methods fail. How can VerifiedVisitors and bot management software help to fight the bots and prevent fake accounts?

‍

Zero Trust at the Edge of Network

‍

Stopping bots at the edge of network greatly reduces the cybercriminals ability to create and then activate bot based attacks.

‍

Reconnaissance Bots

‍

Creating fake accounts and then activating them automatically takes some time, even with bot automation. Hackers will typically send out some test scripts to see if their automation bots are picked up and stopped on their victim’s target site. Zero tolerance on core login paths acts as a strong deterrence. With no obvious vulnerabilities, the cybercriminal may decide to move onto an easier target. So many sites are wide-open, so why swim against the tide?

‍

If Cyber criminals are able to get through the first line of defence and your company doesn’t have a zero trust at the edge of network policy, the cybercriminals can move onto the actual fake accounts creation automation. Making it impossible to automate the account creation in the first place, will make it very difficult for the hackers and may well encourage them to try elsewhere.

VerifiedVisitors has an account take over rule, specifically looking for automated activity on login paths. These detectors compare the actual hardware and software platform using a device fingerprint against their stated user agent type, and looks at behavioural factors, as well as the digital provenance of the traffic. All these factors are then taken into account by the Machine Learning, to produce an overall threat score. As the bots try and hit the accounts page they are blocked at the network edge, before they even have a chance to create an account.

At this stage, the cybercriminals will know they are up against a sophisticated adaptive defence that specifically preventing login access.

They cybercriminal is now faced with a tough choice. They are forced to create the fake accounts totally manually one-by one. However, they also now know that when it comes to logging into and triggering the fake accounts to commit the fraud events, they are likely to be stopped

If the cyber criminals decide to go ahead and manually create fake accounts, they will also probably bypass all the traditional two-factor authentication methods on your site. Typically fraudsters use a few hundred fake accounts. They use these to disguise login as they attempt brute force attacks, and also to launch their own attacks from these fake accounts

Adopting a zero tolerance mindset, means presuming that our accounts may at some point suffer from breaches. Behavioural analysis of the common paths and navigations routes across web sites uses Machine learning at massive scale to understand the regular user distributions, and then look for the tell-tale signs of auto-mated bot activity. Simple bots give the game away by navigating too quickly from one destination to the other. They may lack mouse trails, or even fake the mouse trails in an unconvincing way. The behavioural analysis is a very powerful way of detecting anomalous activity from within a mass of traffic or even API service that is plagued with data mining. Once an audit discovers a fake account, the behavioural analysis can be used to look for similar behavioural patterns from the know fakes

At VerifiedVisitors we do love an audit. Time and time again, we’ve seen how a simple bot audit can pick up fake account creation, leading to exposure of fraudulent accounts. Conduct regular security audits of your accounts to identify vulnerabilities and potential weaknesses in your platform's security measures. Adopting a zero trust mentality, and audit testing each of your protection layers, is a tried and trusted formula for success

Fake accounts are a real problem for many companies. Adopting a zero trust mindset, and undertaking audits at each stage of your security layers will help you identify fake accounts. VerifiedVisitors has a free 30 day bot audit, and has sophisticated state of the art bot management tools to stop bot based fake account activity all at the edge of network, before any harm can be done

VerifiedVisitors protects all your endpoints - API, & websites across the hybrid cloud - all with no software to install in milliseconds. Adding zero tolerance at the network edge greatly increases your overall security footprint, preventing bot attacks and fraud before they can do harm.