Fake accounts lead to direct fraud losses
Fake accounts have recently made headlines for maliciously influencing discourse on social media. However, bad actors also use fake accounts to commit financially motivated attacks, including reward abuse on retail sites, money laundering via online banking, and even as a disguise for credential stuffing.
How Attackers Commit Fraud using Fake Accounts
1. Assemble Attack Script
If an attacker plans on making more than 20 or 30 accounts, they will typically use automation to fill in each field of the registration form quickly.
This attack script may also call out to supporting services, such as CAPTCHA solvers or disposable email address providers, to get past the checks on the form.
2. Create Accounts
The attacker runs the script, creating hundreds, or even thousands, of accounts in a short period of time. Depending on the purpose of the fake accounts, each creation attempt's success or failure is recorded so the working accounts can be used later.
The monetization scheme depends on the type of site being targeted. For example, criminals use fake accounts on retail sites to launder money by buying and selling gift cards, which makes the funds difficult for authorities to trace.
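The two steps above leave a recognizable footprint in a site's registration logs: a burst of sign-ups from one source in a short window, and addresses from disposable email providers. The script below is an added example written for this page, not Shape Security's code; the log lines, IP addresses and the disposable-domain list are all constructed for illustration, and a real deployment would feed it the site's own registration events and a maintained list of disposable providers.

```python
"""Flag scripted bulk registrations in a registration log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one registration attempt per line: "timestamp ip email outcome".
# The first six lines imitate a script running against the form; the rest look like people.
SAMPLE_LOG = """\
2024-01-10T12:00:01 203.0.113.7 user001@tempmail.example success
2024-01-10T12:00:02 203.0.113.7 user002@tempmail.example success
2024-01-10T12:00:03 203.0.113.7 user003@tempmail.example failure
2024-01-10T12:00:04 203.0.113.7 user004@tempmail.example success
2024-01-10T12:00:05 203.0.113.7 user005@tempmail.example success
2024-01-10T12:00:06 203.0.113.7 user006@tempmail.example success
2024-01-10T12:03:00 198.51.100.20 alice@example.com success
2024-01-10T12:45:00 198.51.100.21 bob@example.com success
2024-01-10T13:10:00 198.51.100.22 carol@example.com success
"""

# Placeholder list of disposable-email domains (assumption; not a real provider list).
DISPOSABLE_DOMAINS = {"tempmail.example", "throwaway.example"}


def parse_log(text):
    """Parse 'timestamp ip email outcome' lines into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, email, outcome = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        records.append({"when": when, "ip": ip, "email": email.lower(), "outcome": outcome})
    return records


def velocity_alerts(records, window_seconds=60, threshold=5):
    """Return {ip: peak_attempts} for IPs with >= threshold attempts inside any window.

    Failed attempts count too: a script records failures and keeps going, and the
    failures are often the clearest sign that the form is being driven by automation.
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["when"])
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, times in by_ip.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


def disposable_email_alerts(records, domains=DISPOSABLE_DOMAINS):
    """Return the email addresses whose domain is on the disposable-provider list."""
    return [r["email"] for r in records if r["email"].rsplit("@", 1)[-1] in domains]


def triage(text):
    """Run both checks over a log and return the findings together."""
    records = parse_log(text)
    return {
        "velocity": velocity_alerts(records),
        "disposable": disposable_email_alerts(records),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

Neither signal is conclusive on its own: a shared corporate NAT can produce a burst of genuine sign-ups, and some legitimate users prefer throwaway addresses. The point is to surface sources that trip both checks for review, or to step up friction on those registrations, rather than to block on a single hit.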
Learn why attackers create fraudulent online accounts on a target site before conducting a credential stuffing attack.
It Fell Off the Back of a Truck
VP of Shape Intelligence explains how criminals use accounts created online to traffic stolen physical goods.
Tough on Humans, Easy on Bots
Many account registration forms use CAPTCHAs to prevent automated attacks. Unfortunately, they don't stop bad actors, whose scripts can hand the challenge to a CAPTCHA-solving service.
The Open Web Application Security Project (OWASP) Threat Handbook addresses the Top 20 most critical automated threats to web applications, including fake account creation (OAT-019).