Trafficking Fraudulent Accounts

This post is based on research conducted in collaboration with Twitter, to appear in Usenix Security 2013. A pdf is available under my publications. Any views or opinions discussed herein are my own and not those of Twitter.

As web services such as Twitter, Facebook, Google, and Yahoo now dominate the daily activities of Internet users, cyber criminals have adapted their monetization strategies to engage users within these walled gardens. This has lead to a proliferation of fraudulent accounts — automatically generated credentials used to disseminate scams, phishing, and malware. Recent studies from 2011 estimate at least 3% of active Twitter accounts are fraudulent. Facebook estimates its own fraudulent account population at 1.5% of its active user base, and the problem extends to major web services beyond just social networks.

The complexities required to circumvent registration barriers such as CAPTCHAs, email confirmation, and IP blacklists have lead to the emergence of an underground market that specializes in selling fraudulent accounts in bulk. Account merchants operating in this space brazenly advertise: a simple search query for “buy twitter accounts” yields a multitude of offers for fraudulent Twitter credentials with prices ranging from $10–200 per thousand. Once purchased, accounts serve as stepping stones to more profitable spam enterprises that degrade the quality of web services, such as pharmaceutical spam or fake anti-virus campaigns.

Screen shot 2013-08-06 at 1.09.09 PM

To understand this shadowy economy, we investigate the market for fraudulent Twitter accounts to monitor prices, availability, and fraud perpetrated by 27 merchants over the course of a 10-month period. We use our insights to develop a classifier to retroactively detect several million fraudulent accounts sold via this marketplace, 95% of which we disable with Twitter’s help. During active months, the 27 merchants we monitor appeared responsible for registering 10–20% of all accounts later flagged for spam by Twitter, generating $127–459K for their efforts.

Account Merchants and Pricing

With no central operation of the underground market, we resort to investigating common haunts: advertisements via search engines, blackhat forums such as hxxp://blackhatworld.com, and freelance labor pages including Fiverr and Freelancer. In total, we identify a disparate group of 27 merchants whom we elect to purchase accounts from. We conduct a total of 140 successful orders of accounts, purchasing roughly 120K accounts over a period from June, 2012 — April, 2013. Prices throughout our study are relatively stable, as shown below:

Of the orders we placed, merchants fulfilled 70% in a day and 90% within 3 days. We believe the stable pricing and ready availability of fraudulent accounts is a direct result of minimal adversarial pressures on account merchants.

Circumventing Automated Registration Barriers

IP Addresses: Unique IP addresses are a fundamental resource for registering accounts in bulk. Without a diverse IP pool, fraudulent accounts would fall easy prey to network-based blacklisting and throttling.
As a whole, miscreants registered 79% of the accounts we purchase from unique IP addresses located across the globe. India is the most popular origin of registration, accounting for 8.5% of all fraudulent accounts in our dataset. Other “low-quality” IP addresses (e.g. inexpensive hosts from the perspective of the underground market) follow in popularity.

Registration Origin Total Accounts Registered from Origin Unique IPs Popularity
India 6029 8.50%
Ukraine 6671 7.23%
Turkey 5984 5.93%
Thailand 5836 5.40%
Mexico 4547 4.61%
Viet Nam 4470 4.20%
Indonesia 4014 4.10%
Pakistan 4476 4.05%
Japan 3185 3.73%
Belarus 3901 3.72%
Other 46850 48.52%

Email Confirmation: Web services frequently inhibit automated account creation by requiring new users to confirm an email address with a challenge response code. Unsurprisingly, we find this barrier is not insurmountable, but it does impact the pricing of accounts, warranting its continued use. A list of the most abused email address is as follows:

Email Provider Accounts Abused Fraction of All Email Confirmed Accounts
hotmail.com 64050 68.32%
yahoo.com 12339 13.16%
mail.ru 12189 13.00%
gmail.com 2013 2.15%
nokiamail.com 996 1.06%
Other 2157 2.30%

In total, merchants email confirm 77% of accounts we acquire, all of which they seeded with a unique email. The failure of email confirmation as a barrier directly stems from pervasive account abuse tied to web mail providers. Merchants abuse Hotmail addresses to confirm 60% of Twitter accounts, followed in popularity by Yahoo and mail.ru. This highlights the interconnected nature of account abuse, where credentials from one service can serve as keys to abusing yet another.

Despite the ability of merchants to verify an email address, we find that merchants selling email-confirmed accounts are 56% more expensive than their non-confirmed counterparts. This difference likely includes the base cost of an email address and any related overhead due to the complexity of responding to a confirmation email.

CAPTCHA Solving: As with email confirmation, CAPTCHAs are not an insurmountable barrier to automated account creation, but they do prevent a substantial number of fraudulent account registrations. We find that 92% of fraudulent accounts that are shown a CAPTCHA fail at generating a valid solution. (This is slightly higher than expected, where automated solvers previously studied provided a success rate of 18–30%). Despite this fact, account sellers are still able to register thousands accounts over the course of time, simply playing a game of odds.

Impact of Merchants on Twitter Spam

In order to gauge the impact that merchants have on Twitter spam, we develop a classifier that retroactively identifies several million spam accounts registered in the last year. Of these, 73% were sold and actively tweeting or forming relationships at one point in time, while the remaining 37% remained dormant and were yet to be purchased. We find that, during active months, the underground market was responsible for registering 10–20% of all accounts that Twitter later flagged as spam.

Screen shot 2013-08-13 at 1.46.30 PM

The most damaging merchants from our impact analysis operate out of blackhat forums and web storefronts, while Fiverr and Freelancer sellers generate orders of magnitude fewer accounts.

The End Goal — Profit

We estimate the revenue generated by the underground market based on the total accounts sold and the prices charged during their sale. We distinguish accounts that have been sold from those that lay dormant and await sale based on whether an account has sent tweets or formed relationships. For sold accounts, we identify which merchant created the account and determine the minimum and maximum price the merchant would have charged for that account based on our historical pricing data.

We estimate that the total revenue generated by the underground account market through the sale of Twitter credentials is between the range of $127,000–$459,000 over the course of a year. We note that many of the merchants we track simultaneously sell accounts for a variety of web services, so this value likely represents only a fraction of their overall revenue. Nevertheless, our estimated income is far less than the revenue generated from actually sending spam or selling fake anti-virus, where revenue is estimated in the tens of millions. As such, account merchants are merely stepping stones for larger criminal enterprises, which in turn disseminate scams, phishing, and malware throughout Twitter.

Disrupting the Underground Marketplace

With Twitter’s cooperation, we suspend an estimated 95% of all fraudulent accounts registered by the 27 merchants we track, including those previously sold but not yet suspended for spamming. We estimate our precision through this process at 99.9942%.

Immediately after Twitter suspended the last of the underground market’s accounts, we placed 16 new orders for accounts from the 10 merchants we suspected of controlling the largest stockpiles. Of 14,067 accounts we purchased, 90% were suspended on arrival due to Twitter’s previous intervention. When we requested working replacements, one merchant responded with:

All of the stock got suspended … Not just mine .. It happened with all of the sellers .. Don’t know what twitter has done …

Similarly, immediately after suspension, hxxp://buyaccs.com put up a notice on their website stating “Временно не продаем аккаунты Twitter.com”, translating via Google roughly to “Temporarily not selling Twitter.com accounts”.

Screen shot 2013-08-14 at 12.18.40 PM

While Twitter’s initial intervention was a success, the market has begun to recover. Of 6,879 accounts we purchased two weeks after Twitter’s intervention, only 54% were suspended on arrival. As such, long term disruption of the account marketplace requires both increasing the cost of account registration and integrating more robust at-signup time abuse classification into the account registration process.