September 29, 2015 - Ting Fang Yen

How To Register Millions of Fake Accounts With Ease

Fake accounts are a bigger problem than ever. With so many new security technologies, why are they still so prevalent? Recent studies show that approximately 10 percent of accounts on social media sites are fake [1,2]. Other reports are more drastic: Instagram’s crackdown on spam fake accounts in December of last year exposed 18.9 million (29 percent) of followers of the Instagram official account as fake [3]. 

Really, is it that easy to register so many fake accounts? Sounds too good to be true. The reality is that there are many “helper” tools that enable bad actors to evade traditional security measures. Free voicemail services like K7 and Laser Voicemail provide disposable numbers to bypass phone verification. Guerrilla Mail, Mailinator, and Fake Mail Generator are just a few of the providers of anonymous, temporary email addresses. Captcha solver services, many manned by human labor in Southeast Asia (see Figure 1), can cost as little as $0.5 for 1000 images. Anonymous proxies, VPNs (e.g., HideMyAss, FilterBypass, ZenMate), and cloud hosting services allow traffic to appear to come from different locations, defeating blacklisting or IP-based rules.

Figure 1: Workers Distribution by Countries. The distribution of the human labor force at one captcha-solving service, AntiGate.com.
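The point above about proxies defeating IP-based rules, seen from the defender's side, as an added example that is not part of the original post or any DataVisor code. It screens a constructed batch of signups three ways; the domain list, thresholds, field layout and the name-shape heuristic are all assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumption: tiny sample list; real disposable-domain lists are far larger.
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com"}

# Constructed signup events: (email, source_ip, user_agent_label, unix_ts)
SIGNUPS = [
    ("mia3391@mailinator.com",    "198.51.100.7",  "UA-A", 1000),
    ("leo8820@example.net",       "203.0.113.21",  "UA-A", 1004),
    ("zoe1174@example.org",       "192.0.2.55",    "UA-A", 1009),
    ("amy5502@guerrillamail.com", "198.51.100.90", "UA-A", 1013),
    ("john.smith@example.com",    "203.0.113.80",  "UA-B", 1020),
    ("priya_k@example.com",       "203.0.113.80",  "UA-C", 5000),
]

def ips_over_limit(signups, limit=2):
    """Classic IP rule: IPs with more than `limit` signups."""
    counts = Counter(ip for _, ip, _, _ in signups)
    return {ip for ip, n in counts.items() if n > limit}

def disposable_signups(signups):
    """Emails whose domain is on the disposable-provider list."""
    return [e for e, *_ in signups
            if e.rsplit("@", 1)[1].lower() in DISPOSABLE_DOMAINS]

def local_shape(email):
    """Collapse the local part to a pattern: 'mia3391' -> 'a#'."""
    local = email.split("@", 1)[0].lower()
    return re.sub(r"[a-z]+", "a", re.sub(r"\d+", "#", local))

def coordinated_clusters(signups, min_size=3, window=60):
    """Group by (user agent, name shape), ignoring IP; flag bursts of
    at least `min_size` signups that start within `window` seconds."""
    groups = defaultdict(list)
    for email, ip, ua, ts in signups:
        groups[(ua, local_shape(email))].append((ts, email))
    flagged = {}
    for key, events in groups.items():
        events.sort()
        for i in range(len(events) - min_size + 1):
            burst = [e for t, e in events[i:] if t - events[i][0] <= window]
            if len(burst) >= min_size:
                flagged[key] = burst
                break
    return flagged

if __name__ == "__main__":
    print(ips_over_limit(SIGNUPS))        # IP rule sees nothing
    print(disposable_signups(SIGNUPS))
    print(coordinated_clusters(SIGNUPS))
```

The per-IP rule flags nothing because every batch signup arrives from a different address, the domain list catches only the two that used a listed provider, and grouping on attributes the proxy does not change surfaces all four.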

To make it even easier for attackers, there is all-in-one account creator software that automates all of the above for you, such as the $2,500 (two PC license) deal from spamvilla.com, and there are “click farms” where fake accounts are registered manually and resold for different purposes [4]. Even dedicated hardware, i.e., jailbroken iPhones, has emerged in China. The phones come complete with not only account creation capabilities for multiple online services (WeChat, Momo, Bilin, iAround, Weju, and Moca), but also automated messaging scripts and IP changer software for $550 – $700. The title image at the top of this post is a screenshot of the jailbroken iPhones being programmed by the seller.

Taobao ad for all-in-one “fraud” phones.

The table below summarizes the security solutions commonly used at online services, and the attack techniques to defeat them.

Security Solution & Attack Techniques Table

Why are fake accounts so attractive? The sophistication of online services today has opened up lucrative opportunities for criminals. As mentioned in our earlier blog post, many service features, including social reputation, ad impressions, promotional/reward points, and in-game virtual items, can be converted into real-world gains. If account creation software alone costs $2,500, the profit that can be milked out of the fake accounts must be many, many times greater – at the expense of the online service.


References
[1] Emil Protalinski. “Facebook estimates that between 5.5% and 11.2% of accounts are fake.” The Next Web 3 Feb 2014. http://thenextweb.com/facebook/2014/02/03/facebook-estimates-5-5-11-2-accounts-fake/
[2] Lara O’Reilly. “8% of Instagram accounts are fakes and 30% are inactive, study says.” Business Insider 2 Jul 2015. http://www.businessinsider.com/italian-security-researchers-find-8-percent-of-instagram-accounts-are-fake-2015-7
[3] Vindu Goel. “Millions of fake Instagram users disappear in purge.” The New York Times 18 Dec. 2014. http://bits.blogs.nytimes.com/2014/12/18/millions-of-fake-instagram-users-disappear-in-purge/
[4] Doug Bock Clark. “How click farms have inflated social media currency.” New Republic 20 Apr. 2015. http://www.newrepublic.com/article/121551/bot-bubble-click-farms-have-inflated-social-media-currency

about Ting Fang Yen
Ting-Fang Yen is Director of Research at DataVisor. Ting-Fang specializes in network and information security data analysis and fraud detection in the financial, social, and e-commerce industries. She holds a Ph.D. in Electrical and Computer Engineering from Carnegie Mellon and has previously worked for E8, RSA, and Microsoft.