Businesses encourage users to create accounts to share discounts and offers and monitor behaviour. Creating an account therefore needs to be quick and easy so that the consumer isn’t deterred. However, it’s equally quick and easy for attackers to register for an account that will be used with malicious intent.
Detecting fake account creation attacks is becoming increasingly difficult as attack techniques evolve. Sophisticated fake account creation attacks are highly distributed and will use fake or stolen identities. These attacks are carried out in short bursts or spread out over prolonged periods, making them difficult to effectively spot and stop using traditional security measures alone.
The challenge for many businesses is that more registered users is a sign of growth, and the rising number of registrations is unlikely to be investigated too rigorously; until it’s too late.
Once an attacker has amassed many fake accounts, some may lay dormant for a long time or, dependent on the type of account, will be used to mask credential stuffing attacks, abuse new customer offers, or validate stolen credit cards.