Account Signups: Identity Abuse or Behavioral Abuse?

[Image: cuckoo chick]

(Photo By Per Harald Olsen - Own work, CC BY-SA 3.0, Link)

Service providers who offer a public way to sign up often suffer from account signup abuse. This type of abuse occurs when bad actors create legitimate accounts in order to leverage those accounts for some type of abusive behavior. Like a cuckoo egg, these accounts seem like something you want to nurture and protect until the day they make life tough for you and your actual users.

As an example, some email service providers offer a free trial account with a somewhat limited send volume for their service as a way to entice potential customers. Of course, spammers can also sign up using this mechanism. Farming a group of these trial accounts gives spammers a distributed cannon for sending high volumes of bad messages, exposing the service provider to blacklist risk along the way. Account signup abuse is in no way limited to trial accounts, though they provide a particularly attractive target. Any account signup that provides automated vetting of the account (say, by charging a credit card) will suffer from automated signups by malicious actors.

This type of signup abuse bridges the gap between identity abuse and behavioral abuse. On the one hand, the accounts are signed up for by legitimate means, so no account takeover took place; in a sense, the accounts are "real" users abusing the platform (behavioral abuse). On the other hand, spammers are clearly not legitimate users of the platform, so in a way they have impersonated actual users to create the account (identity abuse). As a result, the techniques for dealing with this problem are somewhat unique.

Reputation vs. Authentication

In the last post, we discussed how authentication, and in general making authentication stronger via techniques like MFA, can help address identity abuse. By construction, a new user does not have any way to authenticate, so those techniques don't apply to account signup abuse. Instead, actors creating accounts need to be forced to cross a bar based on their reputation. Reputation scoring is a behavioral technique that takes into account everything that is known about the actor signing up: their IP address, its ASN, the owner of the address block, the geolocation, the user agent, the credit card, a phone number or address provided, or any other details that can be collected. These need to be evaluated in a historical context to build a picture of the actions of this actor. As a result, reputation scoring tends to look more like behavioral anti-abuse techniques than authentication. Applying these techniques to the account creation process can significantly reduce the number of fraudulent signups, and consequently the outstanding risk of the entire platform.
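The scoring described above, as an added example that is not part of the original post: each signup is scored against the signals it carries (IP, ASN, user agent, card, phone) and against a short history of earlier signups sharing those signal values, and anything at or above a bar is sent for additional verification. The `Signup` and `ReputationStore` types, the `HIGH_RISK_ASNS` list, the headless user-agent markers, the weights and the `SIGNUP_BAR` threshold are all constructed for illustration; a real deployment would source the lists from its own abuse history and tune the weights against observed fraud.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed signup record; the fields mirror the signals the post lists.
@dataclass
class Signup:
    account_id: str
    ts: datetime
    ip: str
    asn: int
    geo: str
    user_agent: str
    card_fingerprint: Optional[str] = None
    phone: Optional[str] = None

# Hypothetical static reputation data (assumed for the example). In production these
# would come from the provider's own abuse history and external ASN/threat data.
HIGH_RISK_ASNS = {64500}            # constructed: an ASN with a history of abusive signups
AUTOMATION_AGENTS = ("python-requests", "curl/", "HeadlessChrome")

@dataclass
class ReputationStore:
    """Historical context: what has already been seen for each signal value."""
    window: timedelta = timedelta(days=7)
    history: List[Signup] = field(default_factory=list)

    def record(self, s: Signup) -> None:
        self.history.append(s)

    def recent_count(self, key: str, value, now: datetime) -> int:
        """Number of prior signups inside the window that share a signal value."""
        return sum(1 for h in self.history
                   if getattr(h, key) == value and now - h.ts <= self.window)

def score_signup(s: Signup, store: ReputationStore) -> Tuple[int, List[str]]:
    """Return (risk score, reasons). Higher means riskier. Weights are constructed."""
    score, reasons = 0, []
    # Velocity: several accounts from one IP, card or phone in a short window is the
    # classic farming pattern, so it carries the most weight.
    for key, weight, label in (("ip", 20, "ip_velocity"),
                               ("card_fingerprint", 40, "card_reuse"),
                               ("phone", 30, "phone_reuse")):
        value = getattr(s, key)
        if value is None:
            continue
        n = store.recent_count(key, value, s.ts)
        if n:
            score += min(weight * n, 80)
            reasons.append(f"{label}:{n}")
    if s.asn in HIGH_RISK_ASNS:
        score += 25
        reasons.append("high_risk_asn")
    if any(tag in s.user_agent for tag in AUTOMATION_AGENTS):
        score += 15
        reasons.append("automation_user_agent")
    if s.card_fingerprint is None and s.phone is None:
        score += 10
        reasons.append("no_verifiable_contact")
    return score, reasons

SIGNUP_BAR = 50  # constructed threshold: at or above it, require extra verification

def decide(s: Signup, store: ReputationStore) -> Tuple[str, int, List[str]]:
    """Score a signup against history, then record it so later signups see it."""
    score, reasons = score_signup(s, store)
    store.record(s)
    return ("review" if score >= SIGNUP_BAR else "allow", score, reasons)

if __name__ == "__main__":
    store = ReputationStore()
    t0 = datetime(2024, 1, 1, 12, 0)  # constructed timestamp
    first = Signup("acct-1", t0, "198.51.100.7", 64496, "US", "Mozilla/5.0 Firefox", "card-1", "+15550001")
    clone = Signup("acct-2", t0 + timedelta(hours=1), "198.51.100.7", 64496, "US", "Mozilla/5.0 Firefox", "card-1")
    for s in (first, clone):
        print(s.account_id, decide(s, store))
```

Storing the decision reasons alongside the score is what makes the partner analysis later in the post possible: once every reviewed signup records why it was flagged, the flags can be grouped by the channel the account came through.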

The Challenge of Partners

[Image: Caesar getting stabbed]

Account signup abuse is exacerbated by casting a wider sales net via partners and resellers incentivised to create business for the service provider. These third parties are paid for account creation, but bear none of the cost of abuse of the platform. As a result, it can be challenging to enforce healthy account signup processes such as reputation scoring reliably. Correlating bad actors to where their accounts came from can illuminate problematic partners so that you can have the hard conversation about their high-risk account signup lifestyle.

Modeling New Accounts to Find Abusers

Even with a healthy account signup process, some fraudulent accounts are going to be created. The solution here is the same as for all behavioral abuse: tracking and modeling user behavior to identify abusers. In this case, the modeling is a little different from account takeover in that there is no "good" baseline of behavior for a brand-new account to compare against. Instead, abusive new accounts can be pooled to find abuser "signatures".

One of these signatures for our proposed email service provider might be something like this:

  1. Account is created
  2. One email is sent
  3. No activity for 7-10 days
  4. Account begins unholy torrent of Viagra spam

With signatures like that in hand, you can begin to identify high-risk new accounts and subject them to closer behavioral scrutiny. In this example, if you saw steps 1 through 3, you could apply rate limiting to the account before step 4 ever occurred. Of course, these signatures change over time as adversaries learn from their failures. In response, defenders can cultivate these signatures over time to adapt to changing threats.
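The four-step signature above, turned into detection logic as an added example that is not part of the original post: account event streams are grouped per account, an account that has done exactly one single-message send and then gone quiet for the dormancy window is flagged for rate limiting (steps 1 through 3 seen), and an account whose silence ends in a burst is labelled as matching the full signature. The `Event` record, the sample accounts, the 7 to 10 day dormancy window and the `TORRENT_PER_HOUR` threshold are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed event record: one row per account event. kind is "created" or "send";
# count is the number of messages in a send event.
@dataclass
class Event:
    account_id: str
    ts: datetime
    kind: str
    count: int = 0

DORMANCY_MIN = timedelta(days=7)    # step 3 of the signature: 7-10 days of silence
DORMANCY_MAX = timedelta(days=10)
PROBE_WINDOW = timedelta(days=1)    # step 2: the single test send comes soon after creation
TORRENT_PER_HOUR = 100              # constructed threshold for step 4

def classify(events: List[Event], now: datetime) -> Dict[str, str]:
    """Map each account to one of:
    'normal'              - does not match the signature
    'dormant_after_probe' - steps 1-3 observed; apply rate limiting now
    'torrent'             - full signature, steps 1-4, observed
    """
    by_account: Dict[str, List[Event]] = {}
    for e in events:
        by_account.setdefault(e.account_id, []).append(e)
    verdicts: Dict[str, str] = {}
    for acct, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        if evs[0].kind != "created":
            continue                                    # step 1 missing; not a new account
        created = evs[0].ts
        sends = [e for e in evs[1:] if e.kind == "send"]
        # Step 2: exactly one send in the probe window, and it carried a single message.
        probes = [e for e in sends if e.ts - created <= PROBE_WINDOW]
        if len(probes) != 1 or probes[0].count != 1:
            verdicts[acct] = "normal"
            continue
        later = [e for e in sends if e.ts - created > PROBE_WINDOW]
        if not later:
            # Step 3: still quiet. Flag once the silence reaches the dormancy window.
            idle = now - probes[0].ts
            verdicts[acct] = "dormant_after_probe" if idle >= DORMANCY_MIN else "normal"
            continue
        # Step 4: activity resumed. Did it resume inside the window, and as a burst?
        gap = later[0].ts - probes[0].ts
        first_hour = [e for e in later if e.ts - later[0].ts <= timedelta(hours=1)]
        burst = sum(e.count for e in first_hour)
        if DORMANCY_MIN <= gap <= DORMANCY_MAX and burst >= TORRENT_PER_HOUR:
            verdicts[acct] = "torrent"
        else:
            verdicts[acct] = "normal"
    return verdicts

def run_sample() -> Dict[str, str]:
    """Constructed event streams for three accounts; returns their verdicts."""
    t0 = datetime(2024, 3, 1, 9, 0)
    events = [
        # a1: created, one probe message, then silence (we are now 8 days in).
        Event("a1", t0, "created"),
        Event("a1", t0 + timedelta(hours=1), "send", 1),
        # a2: created, one probe message, silence, then 150 messages in 20 minutes.
        Event("a2", t0, "created"),
        Event("a2", t0 + timedelta(hours=2), "send", 1),
        Event("a2", t0 + timedelta(days=9), "send", 50),
        Event("a2", t0 + timedelta(days=9, minutes=10), "send", 50),
        Event("a2", t0 + timedelta(days=9, minutes=20), "send", 50),
        # a3: a normal trial user who sends one message a day.
        Event("a3", t0, "created"),
    ] + [Event("a3", t0 + timedelta(days=d, hours=1), "send", 1) for d in range(8)]
    return classify(events, now=t0 + timedelta(days=8))

if __name__ == "__main__":
    for acct, verdict in sorted(run_sample().items()):
        print(acct, verdict)
```

Running this over a nightly export of account events gives two lists: accounts to rate-limit today because they look like they are sitting in step 3, and accounts whose completed signature confirms (or refutes) the pattern, which is the feedback loop the post describes for cultivating signatures as adversaries change behavior.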

Nothing is perfect, so this approach should be coupled with behavioral anti-abuse techniques to protect your platform and users from any behavioral abuse, whether from new accounts or old. With all the pieces in place, you have defense in depth against account signup abuse: reputation scoring to prevent the fraudulent signups; new signup behavioral modeling to catch bad actors before they weaponize their accounts; and standard behavioral modeling to stop the ones who slip through the cracks.

Joseph Turner