Bots and Automated Attacks

Fake Account Creation Bots – Part 2

Part two of a series investigating how automation is used to create fake accounts for fraud, disinformation, scams, and account takeover.
October 12, 2023
14 min. read
Previous article in this series
Next article in this series

In part two of this multi-part series on fake account creation bots, we look at why automation is used to create fake accounts and how they impact businesses.

What is a Fake Account Creation Bot?

A fake account creation bot is an automated computer program designed to create large numbers of fake accounts inside online systems, typically at great speed and scale.

Why is Automation Used?

As discussed in Part One of this series, there are a large number of reasons why someone might want to create fake accounts. Malicious actors usually need to create very large numbers of fake accounts to achieve their ends, and so most malicious actors will use automation. Most benign fake accounts are created manually.

The manual creation of large numbers of accounts is difficult and time-consuming. Automation is used to speed up and simplify the process of creating large numbers of fake accounts.

Malicious actors want to monetize their activities with fake accounts and minimize their labor to do so, but significant coordination and management of the accounts is necessary. Automation makes this easier, allowing malicious actors to log into many accounts at the same time, as well as coordinating the actions of these accounts. For example, they may wish to buy up limited availability items from a retailer over a short period of time, amplify fake news or disinformation on social media, or vote for a particular choice in an online poll.

Additionally, mass liking or reviewing of products and services, spamming, and coordinated denial of services attacks require coordinated action from many accounts to be effective. Automation provides a means to accomplish this aim.

Since automation needs to be developed to manage and coordinate the accounts, it may as well be used to create the accounts as well. Since the development effort is the same, automation will be used wherever needed – for account creation, for account coordination and management, and even for keeping track of which accounts have been detected or suspended.

Security and fraud teams will be attempting to identify and suspend fake accounts, and frequently their actions are effective in doing so. Automation allows attackers to create a surplus of accounts to achieve their ends – even if some are taken down, they will still have enough to accomplish their goal.

Automation also allows attackers to attempt to avoid detection. By creating random names, details, and by using a diversity of infrastructure to create and manage them, security teams are presented with challenges to the identification of fake accounts.


Finally, automation allows attackers to keep track of the large number of usernames, passwords, and profile information, such as names, dates of birth, locations, and other identifying information, which both allows the attackers to produce fake accounts that look more “real”, and also prevent easy detection; a smart security team might, for example, look for accounts that use the same password as a known fake account, and subject these accounts to greater inspection.

Why Should Businesses Care?

Fake accounts can be used against the enterprise hosting the accounts or against their customers. Many times, the financial loss or damage caused by these fake accounts is not clear to security and fraud teams.

Financial Loss

Fake accounts cause the business a direct financial loss. Financial loss can come in various forms including but not limited to:

  • Theft of goods, gift cards, points, discounts and other monetary assets from the business or its customers. Businesses typically are on the hook to provide restitution to customers suffering loss on their apps.
  • Chargebacks for goods purchased by fake account bots using stolen credit cards.
  • Bonuses, discounts, and other incentives paid out to fake account bots.

Loss of Revenue/Market Share

The actions of fake account bots may cause current customers to take their business elsewhere, moving to a company unencumbered by fake account issues. Potential customers may also opt not to use the company’s services if they find or have been told of issues with fake accounts by peers or news stories.

Increase in Operating Costs

Fake accounts can impose higher operating costs for businesses. These costs include verification of accounts, security personnel and technologies to mitigate fake accounts and bots, the cost of investigating customer complaints, and higher than necessary infrastructure and data fees. Costs will also be incurred to issue refunds or other costs to users that fall victim to bot activity.

Reputational Damage

Fake accounts cause financial loss, breach of PII, account take over, fraud, and frustration. These issues end up in the news, on social media, and in rumors, resulting in a negative perception of the business. Negative perceptions of reputation will cause customers to be wary about patronizing the business and trusting the company with their data.

Bad User Experiences

Fake account bots can cause negative experience for a business’ users through a number of methods including:

  • Fraud – Fake account bots can be used to defraud users, such as in online gambling.
  • Denial of Product – reseller bots using fake accounts can win lotteries and get access to limited inventory and high demand items like sneakers, preventing legitimate customers from buying the product.
  • Denial of Service – Coordinated activity of a large numbers of fake accounts can cause latency issues on the application and ultimately cause a service outage.
  • Value Distortion – Fake reviews, fake followers and likes, all cause a distortion of value. Users will spend their time, attention and money on products or content that appears to be high quality and popular, only to find out that they were fooled by fake account bots.
  • Friction – activity of fake account bots can result in businesses imposing strict controls on all users including the requirement to prove one’s identity, sometimes repeatedly.
  • Incentive manipulation – Fake account bots that can game incentives offered by businesses can cause businesses to change these programs or even to discontinue these programs entirely, making it harder for legitimate customers to earn status, points, and discounts.

Low Customer Engagement and Time on App

Fake accounts can lead to bad experiences for users, causing them to spend less time using the company’s services, leading to less engagement and reduced spending. For social media and other companies that rely on advertising revenue, less user engagement and time spent leads to direct loss of revenue.

Data Breach

Fake accounts can be used as landing zones for more complex attacks resulting in a potential data breach. In the event of a data breach there are many requirements imposed on businesses to report the breach, notify customers, investigate the source and extent of the breach, and remediate it. These requirements differ by industry and geographic jurisdiction but all result in lots of time and effort being dedicated to addressing the breach. Data breaches also lead to reputational damage and potential loss of revenue and market share.

Regulatory Issues

The activities of fake account bots can bring about regulatory scrutiny for a business. This scrutiny is distracting for leadership as their attention is diverted from important business issues to dealing with the regulatory inquiry. Costs are associated with investigations and businesses can potentially be fined financially or sanctioned in a variety of ways.

Customers, advertisers, and other stakeholders negatively impacted by the activity of fake account bots on a business’ applications may sue the business. These legal issues can result in financial settlements, reputational damage and other undesirable results.

Business Process Disruption

Fake account bots can force businesses to change their business processes to address the effects of fake accounts, incurring costs in time and money, and making the company less able to respond to changing business needs.

Distortion of Business Metrics

Fake accounts negatively impact key business metrics relied upon to make decisions. Metrics around conversions, click rates, cart abandonment, and retargeting are all negatively impacted by the activity of fake account bots. Businesses might incorrectly identify a drop off in business or poor performance of products, marketing campaigns, and teams due to distorted metrics caused by fake account activity. This leads to incorrect and potentially harmful business decisions being made, negatively impacting the business.

Competitive Disadvantage

Fake accounts can lead to a sub-par experience and business performance which results in a competitive disadvantage. Competitors with better means of handling bots and fake accounts provide a better customer experience and can entice valuable customers away from their less able competition.

Fake Account Scheme Cheat Sheet

Since there are so many different use cases and fraud schemes associated with fake accounts, Table 1 below contains a cheat sheet showing a summary of the main negative consequences business will likely suffer due to the activity of different kinds of fake account creation bots.
 

Fake Account Use Case Negative Consequences
Advance Other Fraud Schemes
  • Financial loss for the business or users from fraud schemes
  • Loss of reputation due to fraud on platform
  • Potential legal and regulatory issues due to fraud activity
  • Poor customer experience
  • Loss of future revenues from existing customers and those who will avoid the business as a result of a bad reputation
Romance Scams
  • Bad user experience as users looking for a love match waste time chatting to bots
  • Users susceptible to being defrauded by actors met on the platforms
  • Bad user experience leads to bad reputation which negatively impacts growth and future revenues
Money Laundering
  • Legal and regulatory issues
  • Potential regulatory fines or other legal impacts
  • Loss of reputation
Credential Stuffing / Account Takeover
  • Financial loss, negative legal and reputational consequences associated with hijacked accounts
  • Loss of future business from customers whose accounts were compromised
  • Customer PII can be compromised leading to losses for the customer elsewhere including potential identity theft
Data Scraping
  • Loss of proprietary or competitive data which will impact the financial future of business
  • Scraping activity may lead to latency issues and poor app experience for other users
System Vulnerability Exploitation
  • Potential discovery and exploitation of security vulnerabilities
  • Data breaches resulting in reputational damage
  • Financial loss from data breach
  • Legal and regulatory fallout from potential data breach
Disinformation Campaigns
  • Poor customer experience
  • Potential regulatory and legal issues
  • Loss of advertisers and users due to poor and potentially toxic user experience
  • Loss of revenue and reduced customer growth and engagement
  • Social and political interference driven by disinformation campaign
  • Loss of revenue, market share, and reputational damage for businesses targeted or used by disinformation campaigns
Social Media Monetization
  • Distortion of value as algorithms promote content that is not engaging due to signals from fake accounts
  • Less engaging or potentially harmful content is amplified on the platform
  • Loss of ad revenues
  • Lower customer engagement and time spent on platform
Fake Reviews / Ratings
  • Customer dissatisfaction from purchasing highly rated products that turn out to be bad
  • Reputational damage and loss of customer trust
  • Loss of revenue and market share
  • Increase in costly product returns
Online Polls and Surveys
  • Manipulated results leading to incorrect decisions and conclusions
  • Reputational damage
  • Loss of trust, customers, and revenue
  • Manipulation of polls and surveys by competitors and adversaries including hacktivist groups
  • Financial loss for polls or surveys that pay participants or raffle out prizes to participants
  • Time and money to try and clean up poll or survey results to remove bot activity and manipulated results
Customer Support Spamming
  • Increased customer support cost triaging fake support tickets
  • Financial loss from fraud via fraudulent complaints resulting in refunds, discounts and credit being given to fake account bots
  • Delayed support turnaround times due to support queue clogging by fake account bots
  • Public tickets and complaints can lead to reputational damage
Referral Fraud
  • Financial loss as referral bonuses paid out to bots for creating fake accounts
  • Distortion of sales and marketing metrics like conversion rates and customer acquisition cost
  • Increased cost of supporting and provisioning for thousands of fake accounts that do not contribute to business revenues
  • Potential redesigning of referral programs to reduce payouts due to fake accounts discourage real users from referring other real users due to stricter requirements
Birthday Incentive Manipulation
  • Financial loss from free products and discounts being given to criminals
  • Potential cancellation of customer loyalty benefits due to financial strain caused by fake account bots abusing the programs
Bonus Manipulation
  • Financial loss as bonuses are paid out to undeserving people
  • Increase of bonus targets for real users, due to artificially high target achievement levels, with fake accounts distorting performance metrics
  • Demotivation of good users/employees who lose bonuses to users/employees gaming the systems using fake accounts
  • Potential loss of good customers/users to other platforms with fairer and better protected bonus structures
Online Gambling Cheating
  • Legit players suffering financial loss due to cheaters using fake accounts
  • Bad user experience resulting in bad reputation and reduced revenues as users flock to other platforms with less cheating
  • Direct financial loss if fake accounts are used to cheat against the house
Marketplace Power
  • Collusion and price manipulation by market players with large numbers of fake accounts
  • Loss of revenue and market share to other marketplaces with less manipulation
  • Legit market players struggle to compete for customers due to activities of fake account bots
  • Fraud and financial loss for the business and its customers if fake accounts are used to game marketplace incentives
  • Poor product and service quality as fake accounts bots are used to drown out honest reviews
  • Reputational damage and loss of future revenue
Reservations for Sale
  • Underutilization as not all reservations made by fake account bots can be resold in time, resulting in reservations going unused while customers are struggling to get reservations; this in turn leads to direct loss of revenue
  • Reputational damage leads to loss of market share and potential future revenue
  • Reduced revenue as customers have to pay a premium to get reservations and will have less left over to spend on other things
Raffle / Lottery Rigging
  • Circumvention of security controls in place to protect users from reseller bots that typically use speed to access limited stock items first
  • Bad user experience as legit customers are unable to win items in the raffle/lottery
  • Reputational damage as legit users stop participating
  • Loss of revenue as fake account/reseller bots only purchase limited inventory items and do not buy other products like legit consumers would
  • Potential issues with OEMs who may cancel retailer’s distribution contracts because of customer complaints about not being able to purchase goods/services and the retailer enabling the funneling of goods to the secondary markets
Burner / “FInsta” Accounts
  • Reputational damage as parents may stop young users from using platforms if they cannot police them, potentially leading to reduced number of young users and or time spent on the app which results in reduced revenues for the platform
  • Underage users can claim to be older and get exposed to inappropriate content, potentially leading to safety concerns for parents who may stop young users from using the app (reducing revenues) and may lead to regulatory and legal issues
Parents Monitoring Kids with Fake Profiles
  • Distorts usage metrics; these accounts tend to have lower activity, spend less time in the app and connect with limited number of other users, and these accounts are therefore less profitable to the platform
  • Reputational damage as young users are less likely to accept connection requests for fear that a potential request is from their parents; this reduced engagement means less time spent on app and reduced revenues
  • Parent monitoring on a given platform may make the platform less popular with young users who will migrate to other platforms resulting in lost users and revenue.
Catfishing
  • Bad user experience leading to reputational damage, loss of users and revenue
  • Financial loss if users are defrauded by the catfish
Anonymity
  • Parody accounts can lead to reputational damage for individuals being parodied
  • Anonymity can result in hate speech and other undesirable content as users feel they can do or say what they want without real life consequences; this potentially leads to more toxic content on platforms and the loss of both users and advertisers
  • Renders punishments like account suspension or banning less effective if a user can anonymously return to platforms under a new pseudo-identity
Table 1 - Cheat Sheet of Fake Account uses

Why Some Companies Do Not Care

Despite the negative consequences that fake accounts can have on a business and it’s customers, not all businesses are willing to prevent fake account creation or detect fake account activity. There are several reasons why some companies are incentivized to turn a blind eye to fake accounts.

Valuation Inflation

For many businesses including startups, their value is determined by metrics such as the number of app downloads, the number of registered users, user engagement, and daily or monthly active users. Since fake accounts and the bots that manage them contribute positively towards these metrics, some companies turn a blind eye to them. The more fake accounts and bots they have on their platform, the more impressive the metrics look leading to a higher valuation. This issue was at the core of Elon Musk’s acquisition of Twitter where he wanted a reduction in price as he alleged that most of Twitter’s users were bots.

Monetization of Fake Accounts

For advertising driven businesses, impressions and clicks are critical metrics. The more ads and the more users click on those ads, the more money they make. Since bots running fake accounts are typically very active online, these accounts tend to “see” many ads and might even be programmed to click on those ads. Bots are thus contributing significantly to the revenue of the business.

Another example where a business monetizes fake accounts is intermediaries, i.e., financial aggregators. Many financial aggregators charge a transaction fee for their services. If an aggregator charges businesses on their platform a transaction fee for a service rendered, such as credit card validation, they will make money when attackers use bots to create large numbers of fake accounts and use them to test stolen credit cards. The aggregator is not incentivized to stop these fake account bots because they are generating transactions that the aggregator will charge their customers for performing.

Business from Fake Accounts

Not only can fake accounts contribute indirectly to the revenue of the business, they can also directly purchase goods and services. This is an issue when reseller bots are used to buy up limited inventory items like sneakers, gaming consoles, and concert tickets. Businesses may turn a blind eye to these bots and their fake accounts as they are buying goods and services from the business and contributing directly to revenue.

Conclusion

Malicious fake accounts tend to be created using automation by fake account creation bots. This is because most malicious purposes require the creation and management of large cohorts of fake user accounts. Using automation reduces the amount of time and complexity in creating, managing, and coordinating these fake accounts. Fake accounts have many negative consequences for businesses. Their costs, profits, reputation, customer experience may all suffer. It should therefore be a priority for businesses to mitigate fake accounts and the bots that create and manage them. However, there are some businesses that may turn a blind eye to fake account bots as the activity of these bots inflates the value of their products or contributes directly or indirectly to the revenue and profits of the business.

Previous article in this series
Next article in this series

Recommendations

The first step should be identifying how prevalent fake accounts and bot activity is on your platform, followed by analysis of the possible effects of this activity on the business. The above information may serve as an extensive (although not necessarily comprehensive) list of possible negative effects.

Join the Discussion
Authors & Contributors
Tafara Muwandi (Author)
RVP of Data Science

Read More from F5 Labs

2023 Identity Threat Report: The Unpatchables
2023 Identity Threat Report: The Unpatchables
11/01/2023 report 80 min. read
Building DDoS Botnets with TP-Link and Netgear Routers
Building DDoS Botnets with TP-Link and Netgear Routers
05/22/2024 article 5 min. read
2024 Bad Bots Review
2024 Bad Bots Review
03/14/2024 article 15 min. read