Analysis: Preventing Fake Account Creation and Romance Scams

September 4, 2019 | by CQ Prime Threat Research Team

Romance Scams

Average Theft Prevented Per Romance Scam: $12,000

Credentials represent one of the Four Pillars of Detection that the CQ Prime Research Team uses to help our customers understand and ultimately prevent automated bots and the associated fraud. It’s common knowledge that credentials are used to create fake accounts in an automated manner to achieve fraudulent goals such as spreading (dis)information on social media or scamming companies out of sign-up bonuses and referral bonuses.

One of the more elegant and financially lucrative fraudulent outcomes that can be achieved through manual, or semi-manual fake account creation are romance scams executed through relationship sites. Executing a romance scam requires the bad actor to analyze and understand the relationship site account registration business logic, finding potential holes that can be exploited to achieve the end goal.

Today we will discuss how our analysis of anomalies inside the (account) registration payload, and the associated attacker behavior allowed us to detect and mitigate a sophisticated, multi-application fake account creation and romance scam campaign.

The methodology of the bad actor, and the logic they abused in the defenses, can be best described as a thief who finds the front door locked, but through a bit of investigation, finds a side window open. With the scene of this analogy set, let’s dive into the details of how attackers abused the registration APIs to accomplish their goal of creating fake accounts.

First, the bad actors tried to enter the site through the main web registration page (front door) which was instrumented with device/browser fingerprinting and JavaScript-based telemetry designed to prevent automated signup fraud. The bad actors filled in the registration form manually through a technique best described as keyboard smashing to produce random character strings resulting in unique emails from the most common domains (ajkjqowllhlhu@gmail.com). This random character set gave them a high chance of creating an email that didn’t exist before, therefore moving them to the second step in the attack flow – the email verification.

The email verification was performed through an API that sent the link out to a third party for account verification and activation. Having analyzed the entire registration process, the bad actor knew that the random string emails didn’t exist, so the email was rejected, and the user was sent to another API (side window), where they were prompted to re-enter a valid email address.

The typo correction flow was not instrumented with the same device/browser fingerprinting and JavaScript-based protections, allowing the users to create legitimate (yet fake) accounts and associated profiles with valid email addresses following a distinct pattern themselves (jane456smith@gmail.com). Once the fake account had been established, the subsequent profile creation sessions did not have the JavaScript-based fingerprints and device identifiers used to protect the front door because the bad actor followed the application business logic to bypass the defenses.

In the case of this attack, step one was manually executed while step two, the email correction and subsequent profile creation were automated, giving this attack a sophisticated hybrid structure. With the profile created, the longer-term (manual) process of establishing a relationship to then commit financial fraud could begin.

Insights Gained

Now that we understand the bad actor’s flow, we can discuss a few insights we learned from the defensive perspective.

  1. It’s impossible to predict how and where a determined bad actor will attack legitimate business logic flows designed to improve user experience (in this case, the ability to seamlessly correct an email error). These flows are ripe targets for abuse. It’s critical to have consistent telemetry and security baked into the application flows.
  2. Focusing solely on automated behavior may be a red herring and is irrelevant to the actual attack outcome. The behavior that is a manifestation of the attacker’s goal – in this case creating large numbers of fake accounts – is what is most important to try and detect.
  3. There is significant value in the ability to inspect the sensitive payload data values such as username and cookies to derive behavioral patterns.
Summary

This example is one of the many ways bad actors attempted to establish fake accounts. Rather than use credentials that are stolen and readily available on the web, the bad actor created credentials on the fly that they could then use to establish a fake account. With the fake account creation complete, they could then move on to the next, more lucrative phase of the attack: romance scam. By stopping the creation of fake accounts and subsequent profiles, our customer was able to stop romance scams which had resulted in an average theft of $12,000.

CQ Prime Threat Research Team

Author

CQ Prime Threat Research Team

Additional Resources