Fraud Activity Detection and Handling
Platform abuse by fraudsters is a significant security risk that every service hosting provider should be aware of. This document is aimed to inform and prepare the platform partners for such risks and correctly handle any possible issue. The information is divided into the following three sections:
The first line of defense is to be aware of the existing fraud types in order to know exactly what you should look for to detect the issue and what precautions can be made to avoid it altogether. The most frequent types of fraud are provided below.
Cryptocurrency mining is a process of utilizing your hardware to verify various cryptocurrency transactions and adding it to the blockchain digital ledger. A user deploys a project that runs some kind of the crypto-mining utilities that put significant strain on your platform. Such activity causes high resource consumption on the hosts, which may affect other customers.
The platform runs an automation script that checks multiple attributes of mining activity. Also, periodical manual checks are performed by responsible engineers to detect and inform hosting providers about accounts suspected in crypto-mining.
Phishing is a form of Internet fraud that is aimed to steal personal data, e.g. credit card numbers, user IDs and passwords, etc. A user creates a fake website that looks similar to a legitimate organization (usually, a bank or insurance company). Once a “bait” (thus “phishing”) is set up, the fraudster tries to lure other people (e.g. via email or SMS) into entering their personal data, which will be unwittingly sent to the fraudster.
In most cases, such accounts are being detected and suspended manually, often through the request of the victim. Herewith, you can significantly decrease the risk of phishing by enabling the anti-phishing banner for trial accounts.
Spam is an unsolicited message that advertises something or tries to deceive recipients (e.g. for phishing). A user deploys a project that allows large-scale sending of the spam emails. If there are too many spam complaints, your platform domain/IP can get blacklisted by email service providers. Once blacklisted, emails originating from that IP or domain will end up in the “spam” folder rather than in the recipient’s inbox.
Usually, such accounts are being detected and suspended manually (after analysis of the users' activity or customers' complaints). The platform provides an option to disable email sending (if the container does not have public IP attached) for a particular group of users by configuring the sendmail.enabled quota.
Mass, often automated, accounts creation on multiple platforms with temporary emails/phones and other attributes of a fraud. It can be used for DDoS attacks, data- or crypto-mining, etc. As a rule, such accounts are detected through the daily analysis of registration stats and suspended manually.
Fraud users perform attacks on your platform with an aim to gain some benefit at your expense (e.g. utilizing platform capacities, abusing domains/IPs, etc.). Obviously, some precautions must be done to prevent or mitigate the risks. Based on our experience, there are two main options on how to approach the problem:
- Request personal information during the registration process - prevents most fraudsters before the damage is done. The downside of this approach is a more complicated signup process (varies from SMS verification to obligatory payment), which may scare some of the potential legit customers that want to try out the platform before committing.
- Active monitoring of trial accounts and for suspicious activity - catches malicious users in the act. Such an approach requires more actions from your side (employee time) and additional resources (platform capacities, third-party utilities, etc.) but at the same time gives an easier signup option for end-users, which may result in more leads.
The task of the service provider is to use the right combination of these options to reach a sufficient security level. Let’s review both approaches in close up with real case examples:
1. Usually, malicious actions are performed by trial users. The percentage of the converted users that are involved in fraudulent activities is significantly lower. Also, it is much easier to track and prevent future abuse when you already have fraudster’s information (the one provided during the account conversion, including credit card or other payment method details). So, making registration more involving and increasing restrictions for non-billing accounts can be a reasonable precaution:
Using mandatory mobile verification (SMS or phone call) instead of captcha during account registration.
Using third-party solutions for additional protection and risk evaluation (e.g. during sign-ups and payments).For example, the platform uses MaxMind for a part of sign-ups that are forwarded from the PaaS sites.
Creating multiple trial groups, where the default one does not allow environment creation (i.e. limited by the environment.maxcount quota). In such a way, after registration, a new user can access the dashboard and view all the available options. However, upon trying to create a new environment, a warning will notify customers about the necessity to contact the platform support (link included). Also, a custom welcome email should explain this flow to the new user. When such a request is received, your support team can validate the user and manually move the account to the other trial group (with the possibility to create environments).
Enabling obligatory account conversion after the first login, using the account.convert.after.login.enabled quota. As soon as a new user registers and logs into the dashboard, the following message will appear: The only option is clicking on the Continue button, which redirects to the account conversion form with an obligatory first payment. Herewith, we recommend setting the minimum first payment as 1$ and provide 10-15$ as a conversion bonus (bonus.upgrade.amount/bonus.upgrade.percent, bonus.upgrade.start.day, bonus.upgrade.end.day) to let users test the platform. A custom welcome email with the flow explanation is required for better conversion rates.
2. Fraud prevention steps are efficient, but cannot guarantee 100% protection, so you need to keep an eye on the existing users as well:
- The platform provides a free anti-miner script that can be enabled on all user hosts. Follow the linked instruction to configure the anti-miner automation. Afterward, you just need to react to the reports sent by the script.
- Analysis of registration stats can not only help with registration issues resolving, but also to detect possible malicious activity. For example, unexpected registration spikes should be investigated for bots. Also, confirmed fraudsters can be analyzed for similar patterns like the same IP or email domain (which can be automatically excluded).
- Active monitoring of nodes load and corresponding users' activities and with specific attention to an abnormal increase of traffic/memory consumption. Dedicated monitoring systems - like Zabbix - can help greatly to report problems on the platform (e.g. high load on the hosts caused by crypto-mining).
- Specific attention should be put into the monitoring of the payments. For example, cardholder info should match with the billing data provided by the user during the account conversion/registration.
If you’ve managed to detect a fraudster on your platform, please follow the steps below:
1. Go to the JCA > Users panel, locate the appropriate fraud user, and Suspend the account.
2. Contact the user to inform about the suspension reason. Request identification proof and details about the use case.
3. Submit a fraud report via the linked form so that the PaaS team can conduct an additional verification. Provide the following information:
- Hosting Provider - select the affected platform from the drop-down list
- Your Contact Email - address for the platform to contact you about this issue
- Email of Fraud User - email of the suspicious user
- User’s Billing Information - provide billing information on the reported user (if available)
- Fraud Type - choose the type of malicious activity (or describe via the Other option)
- Description of the Fraud Activities - provide information on the fraudster actions and the effect on the platform
- Steps Performed by Hosting Provider to Identify Fraud - describe how the malicious activity was detected and what counteraction were undertaken
4. Based on the results of the investigation/communication with the customer, decide to either destroy the account permanently or restore it, allowing the user to continue working on your platform.