Demystifying the underground ecosystem of account registration bots

Gao, Y; Xu, G; Li, L; Luo, X; Wang, C; Sui, Y

Demystifying the underground ecosystem of account registration bots

Gao, Y

Xu, G Li, L Luo, X Wang, C Sui, Y

Permalink

Publisher:: ACM
Publication Type:: Conference Proceeding
Citation:: ESEC/FSE 2022 - Proceedings of the 30th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 2022, pp. 897-909
Issue Date:: 2022-11-07

Closed Access

	Filename	Description	Size
	fse22main-p88-p-c906738c1d-60898-final.pdf	Published version	1.72 MB	Adobe PDF	View/Open

Copyright Clearance Process

Recently Added
In Progress
Closed Access

This item is closed access and not available.

Full metadata record

Field	Value	Language
dc.contributor.author	Gao, Y https://orcid.org/0000-0001-9524-7038
dc.contributor.author	Xu, G
dc.contributor.author	Li, L
dc.contributor.author	Luo, X
dc.contributor.author	Wang, C
dc.contributor.author	Sui, Y https://orcid.org/0000-0002-9510-6574
dc.date.accessioned	2023-01-26T14:15:41Z
dc.date.available	2023-01-26T14:15:41Z
dc.date.issued	2022-11-07
dc.identifier.citation	ESEC/FSE 2022 - Proceedings of the 30th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 2022, pp. 897-909
dc.identifier.isbn	9781450394130
dc.identifier.uri	http://hdl.handle.net/10453/165497
dc.description.abstract	Member services are a core part of most online systems. For example, member services in online social networks and video platforms make it possible to serve users customized content or track their footprint for a recommendation. However, there is a dark side to membership that lurks behind influencer marketing, coupon harvesting, and spreading fake news. All these activities rely heavily on owning masses of fake accounts, and to create new accounts efficiently, malicious registrants use automated registration bots with anti-human verification services that can easily bypass a website's security strategies. In this paper, we take the first step toward understanding the underground ecosystem of account registration bots, and in particular, the anti-human verification services they use. From a comprehensive analysis, we determined the three most popular types of anti-human verification services. We then conducted experiments on these services from an attacker's perspective to verify their effectiveness. The results show that all can easily bypass the security strategies website providers put in place to prevent fake registrations, such as SMS verification, CAPTCHA and IP monitoring. We further estimated the market size of the underground registration ecosystem, placing it at about US $4.8M-128.1 million per year. Our study demonstrates the urgency with which we to think about the effectiveness of our registration security strategies and should prompt us to develop new strategies for better protection.
dc.language	en
dc.publisher	ACM
dc.relation.ispartof	ESEC/FSE 2022 - Proceedings of the 30th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering
dc.relation.ispartof	Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering
dc.relation.isbasedon	10.1145/3540250.3549090
dc.rights	info:eu-repo/semantics/closedAccess
dc.title	Demystifying the underground ecosystem of account registration bots
dc.type	Conference Proceeding
pubs.organisational-group	/University of Technology Sydney
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	/University of Technology Sydney/Strength - AAII - Australian Artificial Intelligence Institute
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology/School of Computer Science
utslib.copyright.status	closed_access	*
dc.date.updated	2023-01-26T14:15:39Z
pubs.publication-status	Published

Abstract:

Member services are a core part of most online systems. For example, member services in online social networks and video platforms make it possible to serve users customized content or track their footprint for a recommendation. However, there is a dark side to membership that lurks behind influencer marketing, coupon harvesting, and spreading fake news. All these activities rely heavily on owning masses of fake accounts, and to create new accounts efficiently, malicious registrants use automated registration bots with anti-human verification services that can easily bypass a website's security strategies. In this paper, we take the first step toward understanding the underground ecosystem of account registration bots, and in particular, the anti-human verification services they use. From a comprehensive analysis, we determined the three most popular types of anti-human verification services. We then conducted experiments on these services from an attacker's perspective to verify their effectiveness. The results show that all can easily bypass the security strategies website providers put in place to prevent fake registrations, such as SMS verification, CAPTCHA and IP monitoring. We further estimated the market size of the underground registration ecosystem, placing it at about US $4.8M-128.1 million per year. Our study demonstrates the urgency with which we to think about the effectiveness of our registration security strategies and should prompt us to develop new strategies for better protection.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/165497