Bots Are as Much an Identity Problem as They Are a Security Problem

Many people believe that bots are simple in design, often nothing more than a few lines of code. At scale, however, even simple bots are capable of a great deal of disruption. Netacea's Bot Management Review: How Are Bots Skewing Marketing Analytics found that simply serving these bots can cost a business up to 4% of its revenue. While it is possible to mitigate the damage of a simple bot attack, and many companies have the security in place to do so, more sophisticated bots lie in wait.

Bot creators innovate and improve their products as relentlessly as any other developer, in an arms race against defensive technologies. Bots are no longer used only for "hit and run" attacks; their increasing sophistication means they can be used for more complex fraud, such as taking over identities. Using stolen or bogus information, a bot can spin up large numbers of fake accounts to steal identities, make fraudulent payments, or distribute misinformation on social media. Unfortunately, many organisations are not aware that bots are causing these problems, so the problem goes unchecked.


Fake accounts: the big picture

Fake accounts are typically thought of in terms of bought Twitter or Instagram followers, but the threat they pose beyond social media platforms is much more sinister. They are a threat to any organisation that offers online customer accounts, and they can also be read as an early warning of an imminent account takeover (ATO) attack. Attackers can use account creation as a technique to enumerate existing accounts and so target their credential stuffing. If the attacker can create a new account with a leaked username and password pair, the account did not already exist on that site, so there is no data worth stealing and the pair can be dropped from the credential stuffing list. If the sign-up is refused because the address is already registered, the attacker has confirmed a live target.
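The enumeration described above, as an added example that is not part of the original article: a toy registration handler whose "already registered" response lets the attacker sort a leaked credential list into addresses that hold an account on this site and addresses that do not, next to a hardened handler that answers identically on both paths. The user set, the leaked list and the handler names are constructed for the demo.

```python
"""Signup as an account-existence oracle, and the hardened form.

Added example, not from the original article. EXISTING_USERS and
LEAKED_CREDS are constructed for the demo; the handlers are toy
stand-ins for a registration endpoint.
"""
import hashlib
import secrets

# Constructed: addresses that already hold an account on the target site.
EXISTING_USERS = {"alice@example.com", "carol@example.com"}

# Constructed: a username/password list leaked from an unrelated site.
LEAKED_CREDS = [
    ("alice@example.com", "Summer2021!"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "P@ssw0rd"),
    ("dave@example.com", "letmein"),
]


def _hash_password(password: str) -> bytes:
    # Deliberately slow hash. The hardened handler runs it on every path
    # so that response time does not itself reveal which branch was taken.
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               secrets.token_bytes(16), 20_000)


def signup_leaky(store: set, email: str, password: str) -> dict:
    """Vulnerable: the response says whether the address is taken."""
    if email in store:
        return {"status": 409, "message": "Email already registered"}
    _hash_password(password)
    store.add(email)
    return {"status": 201, "message": "Account created, check your inbox"}


def signup_uniform(store: set, email: str, password: str) -> dict:
    """Hardened: identical status and body whether or not the address is
    taken. The distinction is only delivered to the mailbox owner
    (verification link vs. a 'you already have an account' notice)."""
    _hash_password(password)
    if email in store:
        pass  # would email: "someone tried to register with your address"
    else:
        store.add(email)  # would email: verification link
    return {"status": 202,
            "message": "If this address can be registered, "
                       "we have sent a verification email"}


def triage_via_signup(signup, store: set, leaked) -> dict:
    """Attacker's side: sort leaked pairs by what the signup response reveals.
    201 means the address was free, so there is no account to take over and
    the pair is dropped from the stuffing list (the attacker also now holds a
    throwaway account). 409 means an account exists and is worth stuffing.
    Any other status reveals nothing."""
    out = {"exists": [], "absent": [], "unknown": []}
    for email, password in leaked:
        status = signup(store, email, password)["status"]
        if status == 409:
            out["exists"].append((email, password))
        elif status == 201:
            out["absent"].append(email)
        else:
            out["unknown"].append((email, password))
    return out


if __name__ == "__main__":
    print(triage_via_signup(signup_leaky, set(EXISTING_USERS), LEAKED_CREDS))
    print(triage_via_signup(signup_uniform, set(EXISTING_USERS), LEAKED_CREDS))
```

Against the leaky handler the attacker ends up with exactly the two live accounts to stuff; against the uniform handler every pair lands in "unknown". The same oracle exists on login ("no such user") and password-reset paths, so the uniform response has to be applied to all three, and it is necessary rather than sufficient: the sign-up endpoint still needs per-IP and per-fingerprint rate limits so the throwaway accounts themselves cannot be created in bulk.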

Fake account creation is the automated or manual creation of a large number of user accounts, typically using stolen or fake identities. Fake account creation bots abuse the sign-up process of a web service to create user accounts in bulk. These bots automate multiple sign-up requests, which can be spread out over long periods of time or sent from IP addresses in different geo-locations to hide the fact that they are controlled by one person.

Advanced fake account creation bots can also bypass email, phone and CAPTCHA verification. The accounts they create can be exploited by adversaries in multiple ways: to take advantage of a new-customer promotion, to bypass per-account limits such as a one-purchase-per-customer policy, or as a launch pad for other business logic attacks. They can also be sold on by the adversary for use by others.

If 10 or more accounts are to be created, the attacker will typically use bots to automate and speed up the fake account creation process. Bots submit data into the registration forms and may call out to CAPTCHA-solving services, which are often backed by human solvers.

The bots can create thousands of accounts in a short timeframe. Organisations should have alerts in place to notify them when accounts are being created at a higher than normal rate, and should investigate the validity of those accounts. If the fake accounts are part of a planned ATO ambush, the attacker will record which account creations succeeded and which failed, since each failure marks an existing account.
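One way to raise the alert described above, as an added example that is not part of the original article and not Netacea's product logic: a detector run over constructed sign-up log lines for a hypothetical registration endpoint. It looks for three signals at once, because a campaign spread across IP addresses and over time (as described earlier) slips past a plain per-IP rate limit. The log format, field names, baseline and thresholds are assumptions for the demo.

```python
"""Detecting bulk fake-account creation in signup logs.

Added example, not from the original article. Works over constructed
log lines of a hypothetical signup endpoint and reports three signals:
  1. signups per window well above the site's assumed baseline rate;
  2. a high share of "already registered" (409) responses, which is
     what signup-as-enumeration looks like from the server side;
  3. many signups sharing a fingerprint (user agent + email shape)
     across different IPs, i.e. a campaign spread over addresses.
Format, field names and thresholds are assumptions for the demo.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" '
    r'email=(?P<email>\S+) status=(?P<status>\d{3})$')

# Constructed sample: two ordinary-looking signups, then a burst from four
# IPs sharing one user agent and a "jdoe<4 digits>@mail.test" email shape,
# with some 409 responses mixed in (address already registered).
SAMPLE_LOG = """\
2024-03-04T10:00:05Z ip=198.51.100.4 ua="Mozilla/5.0 (Macintosh) Safari/605.1" email=maria.k@example.org status=201
2024-03-04T10:01:40Z ip=198.51.100.9 ua="Mozilla/5.0 (Windows NT 10.0) Firefox/123.0" email=tomh@example.net status=201
2024-03-04T10:03:01Z ip=203.0.113.7 ua="python-requests/2.31" email=jdoe4412@mail.test status=201
2024-03-04T10:03:02Z ip=203.0.113.8 ua="python-requests/2.31" email=jdoe4413@mail.test status=409
2024-03-04T10:03:02Z ip=203.0.113.9 ua="python-requests/2.31" email=jdoe4414@mail.test status=201
2024-03-04T10:03:03Z ip=203.0.113.10 ua="python-requests/2.31" email=jdoe4415@mail.test status=409
2024-03-04T10:03:04Z ip=203.0.113.7 ua="python-requests/2.31" email=jdoe4416@mail.test status=201
2024-03-04T10:03:05Z ip=203.0.113.8 ua="python-requests/2.31" email=jdoe4417@mail.test status=409
2024-03-04T10:03:05Z ip=203.0.113.9 ua="python-requests/2.31" email=jdoe4418@mail.test status=201
2024-03-04T10:03:06Z ip=203.0.113.10 ua="python-requests/2.31" email=jdoe4419@mail.test status=201
"""


def parse_log(text):
    """Parse lines in the assumed format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def email_shape(email):
    """Collapse digit runs so jdoe4412@mail.test and jdoe4413@mail.test share
    the shape 'jdoe#@mail.test'."""
    return re.sub(r"\d+", "#", email.lower())


def bucket_start(ts, window):
    secs = int(ts.timestamp())
    w = int(window.total_seconds())
    return datetime.fromtimestamp(secs - secs % w, tz=ts.tzinfo)


def rate_alerts(events, window=timedelta(minutes=5), baseline=2.0, factor=3.0):
    """Signups per fixed window against an assumed baseline of `baseline`
    creations per window; returns {window_start: count} for windows that
    exceed factor * baseline."""
    counts = Counter(bucket_start(e["ts"], window) for e in events)
    return {b: c for b, c in counts.items() if c > baseline * factor}


def enumeration_ratio(events):
    """Share of 409 'already registered' responses. A genuine signup flow
    rarely produces these; a stream of them means someone is testing which
    addresses already hold an account."""
    if not events:
        return 0.0
    return sum(1 for e in events if e["status"] == 409) / len(events)


def fingerprint_clusters(events, min_ips=3):
    """Group signups by (user agent, email shape) and keep groups seen from
    at least `min_ips` distinct source IPs. Per-IP limits do not see these;
    the shared fingerprint does."""
    groups = defaultdict(lambda: {"ips": set(), "events": 0})
    for e in events:
        key = (e["ua"], email_shape(e["email"]))
        groups[key]["ips"].add(e["ip"])
        groups[key]["events"] += 1
    return {k: v for k, v in groups.items() if len(v["ips"]) >= min_ips}


def analyse(text):
    events = parse_log(text)
    return {"rate": rate_alerts(events),
            "enumeration_ratio": enumeration_ratio(events),
            "clusters": fingerprint_clusters(events)}


if __name__ == "__main__":
    for name, value in analyse(SAMPLE_LOG).items():
        print(name, value)
```

On the sample, the 10:00 window carries ten creations against an assumed baseline of two, three of ten responses are 409s, and one (user agent, email shape) pair is seen from four addresses. In production the baseline would come from the site's own history per hour of day, the fingerprint would include whatever the sign-up form can collect (header order, TLS fingerprint, device signals), and each hit would feed the investigation of the accounts created in that window rather than blocking on its own.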

With a library of fake accounts in hand, monetisation begins, and how it proceeds varies with the purpose of the attack and the victim site. But the goal is not always monetisation. Fake accounts are also used for disinformation and socio-political goals, widening the net of users beyond those simply looking to make money and deepening their impact on everyday interactions.

Why is fake account creation a problem?

Besides reputational damage, fraud, and potential loss of revenue, fake account creation also causes these three specific issues:

  • Promotes discount abuse: If your business offers sign-up discounts or bonuses to new customers, fraudsters may create multiple new accounts to game sign-up offers and sell them on the grey market.
  • Enables future attacks: Fake account creation is the first step in many other attacks; for example, fraudsters use multiple accounts to bypass 'one per customer' restrictions on items they want to scalp for a profit on the secondary market.
  • Skews marketing analytics: All businesses rely on data from their analytics to make key decisions. Fake account creation can skew this data, causing you to make potentially costly business decisions and investments based on data that’s misleading and inaccurate.


How can businesses mitigate smarter bots?

To mitigate these attacks, simple and sophisticated alike, businesses must understand typical user behaviour. Without a clear view of what a legitimate customer login or registration looks like compared with a bot journey, businesses are leaving themselves in the dark and their customers' details vulnerable to attack.

When atypical behaviour is identified, whether on a website, mobile app or API, there are a few courses of action: block the activity outright, serve a CAPTCHA, or inject a header that marks the request as suspect so the downstream application can decide how to handle it.

Most businesses improve their security defences after an attack. While it is certainly preferable that attacks do not occur at all, the crucial step is learning from these incidents and preventing them from happening again.

Cyril Noel-Tagoe

Cyril Noel-Tagoe is the Principal Security Researcher at Netacea