Fraud Activity Detection and Handling

Platform abuse by fraudsters is a significant security risk that every service hosting provider should be aware of. This document aims to inform platform partners about such risks and to prepare them to handle any issue correctly. The information is divided into three sections: the fraud types you are likely to meet, the monitoring and prevention options, and the handling procedure once a fraudster is detected.

Fraud Types

The first line of defense is awareness of the existing fraud types: knowing exactly what to look for makes detection easier and shows which precautions can avoid the issue altogether. The most frequent types of fraud are described below.

  • Crypto-mining

Cryptocurrency mining is the process of using hardware to verify cryptocurrency transactions and add them to the blockchain ledger. A user deploys a project that runs some crypto-mining utility, which puts significant strain on your platform. Such activity causes high resource consumption (primarily CPU) on the hosts, which can degrade service for other customers sharing the same hardware.

The platform runs an automation script that checks multiple attributes of mining activity (the anti-miner script described in the next section). In addition, responsible engineers perform periodic manual checks to detect accounts suspected of crypto-mining and inform the hosting providers.

  • Phishing

Phishing is a form of Internet fraud aimed at stealing personal data, e.g. credit card numbers, user IDs and passwords. A user creates a fake website that imitates a legitimate organization (usually a bank or insurance company). Once the “bait” is set up (hence “phishing”), the fraudster lures other people (e.g. via email or SMS) into entering their personal data, which is unwittingly sent to the fraudster.

In most cases, such accounts are detected and suspended manually, often at the request of the victim. You can significantly decrease the risk of phishing by enabling the anti-phishing banner for trial accounts.

  • Spamming

Spam is an unsolicited message that advertises something or tries to deceive recipients (e.g. for phishing). A user deploys a project that sends spam emails at scale. If there are too many spam complaints, your platform’s domain or IP ranges can get blacklisted by email service providers. Once blacklisted, emails originating from that IP or domain end up in the recipients’ “spam” folder rather than their inbox, or are rejected outright, which affects every customer sharing the address range.

Usually, such accounts are detected and suspended manually (after analysis of the users’ activity or customers’ complaints). The platform provides an option to disable email sending for a particular group of users by configuring the sendmail.enabled quota; note that the quota only applies to containers that do not have a public IP attached.

  • Botnets

Mass, often automated, account creation on multiple platforms using temporary emails/phones and other attributes of fraud. Such accounts can be used for DDoS attacks, data mining or crypto-mining, etc. As a rule, they are detected through daily analysis of registration stats and suspended manually.
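As an added illustration of the crypto-mining item above (this is not the platform’s own anti-miner script, whose checks are not published on this page), the following Python snippet shows the kind of host-side indicators such an automation combines: a known miner binary name, a stratum pool URL on the command line, and sustained high CPU together with an outbound connection to a port typically used by mining pools. It parses constructed `ps -eo pid,user,%cpu,args` and `ss -tnp` output embedded inline; on a real host you would feed it the live output of those two commands. The miner names, pool ports and CPU threshold are assumptions to be extended from your own incidents.

```python
"""Heuristic crypto-miner indicators over process and socket listings.

Added example, not the platform's anti-miner script. Parses constructed
`ps -eo pid,user,%cpu,args` and `ss -tnp` output; on a live host, run the
two commands and pass their output to detect().
"""
import os
import re
from dataclasses import dataclass, field

# Assumed seed lists; extend from your own incident data.
MINER_NAMES = {"xmrig", "minerd", "cpuminer", "ethminer", "nbminer", "kdevtmpfsi", "kinsing"}
POOL_URL_RE = re.compile(r"stratum\+(?:tcp|ssl)://", re.IGNORECASE)
POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 9999, 14444, 45700}
CPU_THRESHOLD = 80.0  # percent; assumption, tune per host profile

# Matches one `ss -tnp` row: State Recv-Q Send-Q Local:Port Peer:Port users:(("name",pid=N,fd=M))
SS_LINE_RE = re.compile(
    r'^\S+\s+\d+\s+\d+\s+\S+:\d+\s+\S+:(?P<rport>\d+)\s+users:\(\("[^"]*",pid=(?P<pid>\d+)'
)

# Constructed sample output (not captured from a real host).
PS_SAMPLE = """\
  PID USER     %CPU COMMAND
    1 root      0.0 /sbin/init
 1422 nginx     1.2 nginx: worker process
 2317 app      97.5 /tmp/.x/xmrig -o stratum+tcp://pool.example:3333 -u 44abc --donate-level 1
 2590 app      85.0 /opt/app/bin/java -Xmx2g -jar app.jar
 2710 app      91.3 ./kdevtmpfsi
 3001 app      96.0 ./httpd-helper
"""
SS_SAMPLE = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0      0      10.0.0.5:49812     203.0.113.7:3333    users:(("xmrig",pid=2317,fd=9))
ESTAB 0      0      10.0.0.5:443       198.51.100.20:52001 users:(("nginx",pid=1422,fd=12))
ESTAB 0      0      10.0.0.5:51144     203.0.113.9:14444   users:(("httpd-helper",pid=3001,fd=5))
"""


@dataclass
class Finding:
    pid: int
    user: str
    cpu: float
    reasons: list = field(default_factory=list)


def parse_ps(text):
    """Return (pid, user, cpu%, args) tuples; the first line is the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4:
            pid, user, cpu, args = parts
            rows.append((int(pid), user, float(cpu), args))
    return rows


def parse_ss(text):
    """Return {pid: set of remote ports} for the listed TCP sockets."""
    conns = {}
    for line in text.splitlines():
        m = SS_LINE_RE.match(line.strip())
        if m:
            conns.setdefault(int(m["pid"]), set()).add(int(m["rport"]))
    return conns


def detect(ps_text, ss_text):
    """Flag processes that match at least one miner indicator."""
    conns = parse_ss(ss_text)
    findings = []
    for pid, user, cpu, args in parse_ps(ps_text):
        f = Finding(pid, user, cpu)
        exe = os.path.basename(args.split()[0])
        if exe in MINER_NAMES:
            f.reasons.append(f"known miner binary: {exe}")
        if POOL_URL_RE.search(args):
            f.reasons.append("stratum pool URL on command line")
        # A renamed miner hides its name and URL, but still talks to a pool and burns CPU.
        pool_hits = conns.get(pid, set()) & POOL_PORTS
        if cpu >= CPU_THRESHOLD and pool_hits:
            f.reasons.append(f"high CPU ({cpu}%) with connection to pool port {sorted(pool_hits)}")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in detect(PS_SAMPLE, SS_SAMPLE):
        print(finding.pid, finding.user, finding.reasons)
```

Note that the Java process at 85% CPU is not flagged because it has no pool connection, while the renamed `httpd-helper` is caught only by the CPU-plus-pool-port combination. Treat the output as a report for an engineer to review, as the page says, rather than as an automatic suspension trigger: single indicators produce false positives.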

Fraud Monitoring/Prevention

Fraudulent users attack your platform to gain some benefit at your expense (e.g. consuming platform capacity, abusing your domains/IPs, etc.). Precautions must be taken to prevent or mitigate these risks. Based on our experience, there are two main approaches to the problem:

  • Requesting personal information during registration prevents most fraudsters before the damage is done. The downside is a more complicated signup process (from SMS verification up to an obligatory payment), which may scare off some legitimate customers who want to try the platform before committing.
  • Active monitoring of trial accounts for suspicious activity catches malicious users in the act. This approach requires more effort on your side (employee time) and additional resources (platform capacity, third-party utilities, etc.), but gives end-users an easier signup, which may result in more leads.

The service provider is responsible for choosing the combination of these options that achieves a satisfactory level of security. To better understand both approaches, let’s examine them in detail with real-world examples:

1. Usually, malicious actions are performed by trial users; the percentage of converted (paying) users involved in fraudulent activity is significantly lower. It is also much easier to track and prevent repeat abuse when you already hold the fraudster’s details (those provided during account conversion, including the credit card or other payment method). So, making registration more involved and tightening restrictions on non-billing accounts is a reasonable precaution:

  • Using mandatory mobile verification (SMS or phone call) instead of a captcha during account registration.

  • Using third-party solutions for additional protection and risk evaluation (e.g. during sign-ups and payments).

    Tip: For example, the platform uses MaxMind for a part of sign-ups that are forwarded from the PaaS sites.

  • Creating multiple trial groups, where the default one does not allow environment creation (i.e. limited by the environment.maxcount quota). After registration, a new user can access the dashboard and view all the available options; however, upon trying to create an environment, a warning notifies the customer that they need to contact platform support (link included). A custom welcome email should also explain this flow. When such a request is received, your support team can validate the user and manually move the account to the other trial group (which allows environment creation).

  • Enabling obligatory account conversion after the first login, using the account.convert.after.login.enabled quota. As soon as a new user registers and logs into the dashboard, the following message appears:

(screenshot: obligatory account conversion prompt)

The only option is clicking the Continue button, which redirects to the account conversion form with an obligatory first payment. We recommend setting the minimum first payment to $1 and providing a $10-15 conversion bonus (bonus.upgrade.amount/bonus.upgrade.percent, bonus.upgrade.start.day, bonus.upgrade.end.day) so that users can test the platform. A custom welcome email explaining this flow is required for good conversion rates.

2. Fraud prevention steps are effective but cannot guarantee 100% protection, so you also need to keep an eye on existing users:

  • The platform provides a free anti-miner script that can be enabled on all user hosts. Follow the linked instructions to configure the anti-miner automation; afterwards, you only need to react to the reports the script sends.
  • Analysis of registration stats is useful not only for identifying registration issues but also for detecting potential malicious activity. For example, unexpected registration spikes should be investigated for bots, and confirmed fraudsters can be analyzed for shared patterns such as the same IP address or email domain, which can then be blocked automatically at signup.
  • Active monitoring of node load and the corresponding users’ activity, with specific attention to abnormal increases in traffic, CPU or memory consumption. Dedicated monitoring systems like Zabbix help greatly to report problems on the platform (e.g. high load on hosts caused by crypto-mining).
  • Specific attention should be paid to monitoring payments. For example, the cardholder information should match the billing data the user provided during account conversion/registration; a mismatch is a common sign of a stolen card.
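The registration-stats analysis in the list above can be automated. The following Python example is added here and is not part of the platform; it runs over constructed signup records embedded inline (a real run would load the same fields, timestamp, email and source IP, from your registration log). It flags hours whose signup count is far above the median (a bot burst), clusters accounts that share one IP or one email domain, marks disposable-mail domains, and, given confirmed fraudsters, lists the other accounts sharing their IP or domain, which are the candidates for review and for an automatic signup block. The threshold values, the disposable-domain list and the public-domain list are assumptions.

```python
"""Registration-stats analysis: spike detection and shared-attribute clustering.

Added example over constructed signup records, not the platform's own code.
"""
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Assumed seed lists; extend from your own data.
DISPOSABLE_DOMAINS = {"mailinator.com", "tempmail.example"}
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # never a "shared" indicator


def make_sample():
    """Constructed data: 3 signups/hour for 6 hours, then a 20-account burst."""
    base = datetime(2024, 3, 1, 8, 0)
    regs, n = [], 0
    for h in range(6):
        for k in range(3):
            n += 1
            regs.append({"ts": base + timedelta(hours=h, minutes=10 * k),
                         "email": f"user{n}@company{n}.example",
                         "ip": f"198.51.100.{n}"})
    for k in range(20):  # one IP, one disposable domain, within one hour
        regs.append({"ts": base + timedelta(hours=6, minutes=k),
                     "email": f"acct{k}@tempmail.example",
                     "ip": "203.0.113.42"})
    return regs


def email_domain(email):
    return email.rsplit("@", 1)[-1].lower()


def hourly_counts(regs):
    """Signups per clock hour."""
    return Counter(r["ts"].replace(minute=0, second=0, microsecond=0) for r in regs)


def spikes(counts, factor=3.0, min_count=10):
    """Hours whose count is both >= min_count and >= factor * the median hour."""
    base = median(counts.values()) if counts else 0
    limit = max(min_count, factor * base)
    return sorted((hour, c) for hour, c in counts.items() if c >= limit)


def cluster_signups(regs, min_size=5):
    """Accounts sharing one IP or one email domain above a size threshold,
    plus every signup from a known disposable-mail domain."""
    by_ip, by_domain = Counter(), Counter()
    for r in regs:
        by_ip[r["ip"]] += 1
        by_domain[email_domain(r["email"])] += 1
    return {
        "ip": {k: v for k, v in by_ip.items() if v >= min_size},
        "email_domain": {k: v for k, v in by_domain.items()
                         if v >= min_size and k not in PUBLIC_DOMAINS},
        "disposable": [r["email"] for r in regs
                       if email_domain(r["email"]) in DISPOSABLE_DOMAINS],
    }


def related_accounts(regs, confirmed_emails):
    """Other accounts that share an IP or (non-public) email domain with
    confirmed fraudsters: review candidates, and the shared IPs/domains are
    candidates for an automatic signup block."""
    confirmed = {e.lower() for e in confirmed_emails}
    ips = {r["ip"] for r in regs if r["email"].lower() in confirmed}
    domains = {email_domain(r["email"]) for r in regs
               if r["email"].lower() in confirmed} - PUBLIC_DOMAINS
    return sorted(r["email"] for r in regs
                  if r["email"].lower() not in confirmed
                  and (r["ip"] in ips or email_domain(r["email"]) in domains))


if __name__ == "__main__":
    regs = make_sample()
    print("spikes:", spikes(hourly_counts(regs)))
    print("clusters:", cluster_signups(regs))
    print("related to acct0:", related_accounts(regs, {"acct0@tempmail.example"}))
```

On the constructed data the 14:00 hour is reported as a spike, the single IP and the disposable domain each form a 20-account cluster, and confirming one burst account exposes the other nineteen. Public mail domains are deliberately excluded from the shared-domain logic, otherwise one confirmed gmail.com fraudster would implicate every legitimate gmail.com customer.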

Frauds Handling

If you have detected a fraudster on your platform, follow the steps below:

1. Go to the admin panel Users section, locate the appropriate fraud user, and Suspend the account.

(screenshot: suspending the fraud user in the admin panel)

Note: DO NOT Destroy the account, as that removes all hosted environments and projects. Suspending terminates any activity while keeping the evidence for investigation; also, in case of a misunderstanding, the client’s environments can be easily restored.

2. Contact the user to inform them of the reason for the suspension. Request proof of identity and details about their use case.

3. Based on the results of the investigation and the communication with the customer, decide either to destroy the account permanently or to restore it, allowing the user to continue working on your platform.

Note: If the fraudulent activity caused significant damage to the platform, or you think that your case requires additional attention and further investigation, submit a Zendesk ticket to Virtuozzo Application Platform Support. Provide the following information to speed up the investigation:

  • email of the suspected fraud user
  • billing information about the reported user (if available) - name, company, city, address, postcode, country, phone, payment method, cardholder details, etc.
  • fraud type (crypto-mining, phishing, spamming, botnet attacks, other) and description of the malicious activity (the fraudster actions and the effect on the platform)
  • how the fraud activity was detected and what counteractions were undertaken
