Average Theft Prevented Per Romance Scam: $12,000
Credentials represent one of the Four Pillars of Detection that the CQ Prime Research Team uses to help our customers understand and ultimately prevent automated bots and the associated fraud. It’s common knowledge that credentials are used to create fake accounts in an automated manner to achieve fraudulent goals such as spreading (dis)information on social media or scamming companies out of sign-up bonuses and referral bonuses.
One of the more elegant and financially lucrative fraudulent outcomes that can be achieved through manual or semi-manual fake account creation is the romance scam executed through relationship sites. Executing a romance scam requires the bad actor to analyze and understand the relationship site's account registration business logic, finding potential holes that can be exploited to achieve the end goal.
Today we will discuss how our analysis of anomalies inside the (account) registration payload, and the associated attacker behavior allowed us to detect and mitigate a sophisticated, multi-application fake account creation and romance scam campaign.
The methodology of the bad actor, and the logic they abused in the defenses, can be best described as a thief who finds the front door locked, but through a bit of investigation, finds a side window open. With the scene of this analogy set, let’s dive into the details of how attackers abused the registration APIs to accomplish their goal of creating fake accounts.
The email verification was performed through an API that sent the link out to a third party for account verification and activation. Having analyzed the entire registration process, the bad actor knew that the random-string email addresses didn't exist, so the email was rejected and the user was sent to another API (the side window), where they were prompted to re-enter a valid email address.
In the case of this attack, step one, the initial registration, was manually executed, while step two, the email correction and subsequent profile creation, was automated, giving this attack a sophisticated hybrid structure. With the profile created, the longer-term (manual) process of establishing a relationship and then committing financial fraud could begin.
Now that we understand the bad actor’s flow, we can discuss a few insights we learned from the defensive perspective.
- It’s impossible to predict how and where a determined bad actor will attack legitimate business logic flows designed to improve user experience (in this case, the ability to seamlessly correct an email error). These flows are ripe targets for abuse. It’s critical to have consistent telemetry and security baked into the application flows.
- Focusing solely on automated behavior may be a red herring and is irrelevant to the actual attack outcome. The behavior that is a manifestation of the attacker’s goal – in this case creating large numbers of fake accounts – is what is most important to try and detect.
- There is significant value in the ability to inspect the sensitive payload data values such as username and cookies to derive behavioral patterns.
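The flow described above (a random-string email rejected at verification, then an automated call to the email-correction API and profile creation from the same session) and the third insight (deriving behavioral patterns from payload values such as the email field and the session cookie) can be turned into a concrete detection. The following is an added example written for this post, not Cequence's code or the customer's application: the log format, endpoint paths, field names and sample lines are all constructed, and the "random-looking local part" heuristic is a simple assumption a practitioner would tune against real registration data.

```python
"""
Added detection example (not Cequence's or the customer's code): flag the
"side window" pattern from the post. A session whose registration email looks
machine-generated, is rejected at verification, and is then corrected through
the email-correction API within seconds before a profile is created is
scored as a fake-account cycle. Log format and endpoints are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, method, endpoint, session cookie, email,
# and an optional verification status. Session abc123 runs the abusive flow
# twice; def456 is a normal signup; ghi789 is a human fixing a typo slowly.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z POST /api/register sid=abc123 email=xk7qz9pl2m@example.com
2024-05-01T10:00:02Z POST /api/email/verify sid=abc123 email=xk7qz9pl2m@example.com status=rejected
2024-05-01T10:00:03Z POST /api/email/correct sid=abc123 email=lonelyheart.77@mailbox.example
2024-05-01T10:00:03Z POST /api/profile/create sid=abc123 email=lonelyheart.77@mailbox.example
2024-05-01T10:00:10Z POST /api/register sid=abc123 email=q3w8er7tyu1@example.com
2024-05-01T10:00:11Z POST /api/email/verify sid=abc123 email=q3w8er7tyu1@example.com status=rejected
2024-05-01T10:00:12Z POST /api/email/correct sid=abc123 email=sweetsmile.82@mailbox.example
2024-05-01T10:00:12Z POST /api/profile/create sid=abc123 email=sweetsmile.82@mailbox.example
2024-05-01T10:05:00Z POST /api/register sid=def456 email=jane.doe@example.com
2024-05-01T10:05:01Z POST /api/email/verify sid=def456 email=jane.doe@example.com status=ok
2024-05-01T10:07:00Z POST /api/register sid=ghi789 email=jhon.smith@example.com
2024-05-01T10:07:02Z POST /api/email/verify sid=ghi789 email=jhon.smith@example.com status=rejected
2024-05-01T10:07:45Z POST /api/email/correct sid=ghi789 email=john.smith@example.com
2024-05-01T10:07:46Z POST /api/profile/create sid=ghi789 email=john.smith@example.com
"""

LINE_RE = re.compile(r"^(\S+) (\w+) (\S+) sid=(\S+) email=(\S+)(?: status=(\S+))?$")


def parse_log(text):
    """Parse the constructed log format into event dicts, skipping bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, _method, path, sid, email, status = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "path": path, "sid": sid, "email": email, "status": status,
        })
    return events


def looks_random(email):
    """Heuristic (an assumption, tune on real data): a local part with almost
    no vowels, or with many alternating letter/digit runs, is likely generated."""
    local = re.sub(r"[^a-z0-9]", "", email.split("@", 1)[0].lower())
    if len(local) < 6:
        return False
    vowels = sum(ch in "aeiou" for ch in local)
    runs = len(re.findall(r"[a-z]+|[0-9]+", local))
    return vowels / len(local) < 0.2 or runs >= 4


def find_side_window_sessions(events, max_correction_delay=5.0, min_cycles=1):
    """Return {session_cookie: cycles} for sessions that complete at least
    min_cycles of: random email -> rejected -> corrected within
    max_correction_delay seconds -> profile created."""
    by_sid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_sid[ev["sid"]].append(ev)

    findings = {}
    for sid, evs in by_sid.items():
        cycles = 0
        for i, ev in enumerate(evs):
            if ev["path"] != "/api/register" or not looks_random(ev["email"]):
                continue
            rejected = corrected = created = None
            for nxt in evs[i + 1:]:
                if nxt["path"] == "/api/register":
                    break  # a new attempt started; stop tracking this one
                if nxt["path"] == "/api/email/verify" and nxt["status"] == "rejected":
                    rejected = nxt
                elif nxt["path"] == "/api/email/correct" and rejected and nxt["email"] != ev["email"]:
                    corrected = nxt
                elif nxt["path"] == "/api/profile/create" and corrected:
                    created = nxt
                    break
            if rejected and corrected and created:
                delay = (corrected["ts"] - rejected["ts"]).total_seconds()
                if delay <= max_correction_delay:
                    cycles += 1
        if cycles >= min_cycles:
            findings[sid] = cycles
    return findings


if __name__ == "__main__":
    for sid, n in find_side_window_sessions(parse_log(SAMPLE_LOG)).items():
        print(f"session {sid}: {n} fake-account cycle(s) via the email-correction API")
```

The point of keying on the session cookie rather than on any single request is the one the post makes: neither the manual registration nor the automated correction looks alarming in isolation, but the repeated rejected-then-corrected-within-seconds cycle under one cookie is the signature of the attacker's goal, and the human typo-fix session (tens of seconds, a plausible address) is left alone.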
This example is one of the many ways bad actors attempted to establish fake accounts. Rather than use credentials that are stolen and readily available on the web, the bad actor created credentials on the fly that they could then use to establish a fake account. With the fake account creation complete, they could then move on to the next, more lucrative phase of the attack: romance scam. By stopping the creation of fake accounts and subsequent profiles, our customer was able to stop romance scams which had resulted in an average theft of $12,000.